iPXE
tls.c
Go to the documentation of this file.
1 /*
2  * Copyright (C) 2007 Michael Brown <mbrown@fensystems.co.uk>.
3  *
4  * This program is free software; you can redistribute it and/or
5  * modify it under the terms of the GNU General Public License as
6  * published by the Free Software Foundation; either version 2 of the
7  * License, or any later version.
8  *
9  * This program is distributed in the hope that it will be useful, but
10  * WITHOUT ANY WARRANTY; without even the implied warranty of
11  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12  * General Public License for more details.
13  *
14  * You should have received a copy of the GNU General Public License
15  * along with this program; if not, write to the Free Software
16  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
17  * 02110-1301, USA.
18  */
19 
20 FILE_LICENCE ( GPL2_OR_LATER );
21 
22 /**
23  * @file
24  *
25  * Transport Layer Security Protocol
26  */
27 
28 #include <stdint.h>
29 #include <stdlib.h>
30 #include <stdarg.h>
31 #include <string.h>
32 #include <time.h>
33 #include <errno.h>
34 #include <byteswap.h>
35 #include <ipxe/pending.h>
36 #include <ipxe/hmac.h>
37 #include <ipxe/md5.h>
38 #include <ipxe/sha1.h>
39 #include <ipxe/sha256.h>
40 #include <ipxe/aes.h>
41 #include <ipxe/rsa.h>
42 #include <ipxe/iobuf.h>
43 #include <ipxe/xfer.h>
44 #include <ipxe/open.h>
45 #include <ipxe/x509.h>
46 #include <ipxe/privkey.h>
47 #include <ipxe/certstore.h>
48 #include <ipxe/rootcert.h>
49 #include <ipxe/rbg.h>
50 #include <ipxe/validator.h>
51 #include <ipxe/job.h>
52 #include <ipxe/dhe.h>
53 #include <ipxe/ecdhe.h>
54 #include <ipxe/tls.h>
55 #include <config/crypto.h>
56 
57 /* Disambiguate the various error causes */
58 #define EINVAL_CHANGE_CIPHER __einfo_error ( EINFO_EINVAL_CHANGE_CIPHER )
59 #define EINFO_EINVAL_CHANGE_CIPHER \
60  __einfo_uniqify ( EINFO_EINVAL, 0x01, \
61  "Invalid Change Cipher record" )
62 #define EINVAL_ALERT __einfo_error ( EINFO_EINVAL_ALERT )
63 #define EINFO_EINVAL_ALERT \
64  __einfo_uniqify ( EINFO_EINVAL, 0x02, \
65  "Invalid Alert record" )
66 #define EINVAL_HELLO __einfo_error ( EINFO_EINVAL_HELLO )
67 #define EINFO_EINVAL_HELLO \
68  __einfo_uniqify ( EINFO_EINVAL, 0x03, \
69  "Invalid Server Hello record" )
70 #define EINVAL_CERTIFICATE __einfo_error ( EINFO_EINVAL_CERTIFICATE )
71 #define EINFO_EINVAL_CERTIFICATE \
72  __einfo_uniqify ( EINFO_EINVAL, 0x04, \
73  "Invalid Certificate" )
74 #define EINVAL_CERTIFICATES __einfo_error ( EINFO_EINVAL_CERTIFICATES )
75 #define EINFO_EINVAL_CERTIFICATES \
76  __einfo_uniqify ( EINFO_EINVAL, 0x05, \
77  "Invalid Server Certificate record" )
78 #define EINVAL_HELLO_DONE __einfo_error ( EINFO_EINVAL_HELLO_DONE )
79 #define EINFO_EINVAL_HELLO_DONE \
80  __einfo_uniqify ( EINFO_EINVAL, 0x06, \
81  "Invalid Server Hello Done record" )
82 #define EINVAL_FINISHED __einfo_error ( EINFO_EINVAL_FINISHED )
83 #define EINFO_EINVAL_FINISHED \
84  __einfo_uniqify ( EINFO_EINVAL, 0x07, \
85  "Invalid Server Finished record" )
86 #define EINVAL_HANDSHAKE __einfo_error ( EINFO_EINVAL_HANDSHAKE )
87 #define EINFO_EINVAL_HANDSHAKE \
88  __einfo_uniqify ( EINFO_EINVAL, 0x08, \
89  "Invalid Handshake record" )
90 #define EINVAL_IV __einfo_error ( EINFO_EINVAL_IV )
91 #define EINFO_EINVAL_IV \
92  __einfo_uniqify ( EINFO_EINVAL, 0x0a, \
93  "Invalid initialisation vector" )
94 #define EINVAL_PADDING __einfo_error ( EINFO_EINVAL_PADDING )
95 #define EINFO_EINVAL_PADDING \
96  __einfo_uniqify ( EINFO_EINVAL, 0x0b, \
97  "Invalid block padding" )
98 #define EINVAL_RX_STATE __einfo_error ( EINFO_EINVAL_RX_STATE )
99 #define EINFO_EINVAL_RX_STATE \
100  __einfo_uniqify ( EINFO_EINVAL, 0x0c, \
101  "Invalid receive state" )
102 #define EINVAL_MAC __einfo_error ( EINFO_EINVAL_MAC )
103 #define EINFO_EINVAL_MAC \
104  __einfo_uniqify ( EINFO_EINVAL, 0x0d, \
105  "Invalid MAC or authentication tag" )
106 #define EINVAL_TICKET __einfo_error ( EINFO_EINVAL_TICKET )
107 #define EINFO_EINVAL_TICKET \
108  __einfo_uniqify ( EINFO_EINVAL, 0x0e, \
109  "Invalid New Session Ticket record")
110 #define EINVAL_KEY_EXCHANGE __einfo_error ( EINFO_EINVAL_KEY_EXCHANGE )
111 #define EINFO_EINVAL_KEY_EXCHANGE \
112  __einfo_uniqify ( EINFO_EINVAL, 0x0f, \
113  "Invalid Server Key Exchange record" )
114 #define EIO_ALERT __einfo_error ( EINFO_EIO_ALERT )
115 #define EINFO_EIO_ALERT \
116  __einfo_uniqify ( EINFO_EIO, 0x01, \
117  "Unknown alert level" )
118 #define ENOMEM_CONTEXT __einfo_error ( EINFO_ENOMEM_CONTEXT )
119 #define EINFO_ENOMEM_CONTEXT \
120  __einfo_uniqify ( EINFO_ENOMEM, 0x01, \
121  "Not enough space for crypto context" )
122 #define ENOMEM_CERTIFICATE __einfo_error ( EINFO_ENOMEM_CERTIFICATE )
123 #define EINFO_ENOMEM_CERTIFICATE \
124  __einfo_uniqify ( EINFO_ENOMEM, 0x02, \
125  "Not enough space for certificate" )
126 #define ENOMEM_CHAIN __einfo_error ( EINFO_ENOMEM_CHAIN )
127 #define EINFO_ENOMEM_CHAIN \
128  __einfo_uniqify ( EINFO_ENOMEM, 0x03, \
129  "Not enough space for certificate chain" )
130 #define ENOMEM_TX_PLAINTEXT __einfo_error ( EINFO_ENOMEM_TX_PLAINTEXT )
131 #define EINFO_ENOMEM_TX_PLAINTEXT \
132  __einfo_uniqify ( EINFO_ENOMEM, 0x04, \
133  "Not enough space for transmitted plaintext" )
134 #define ENOMEM_TX_CIPHERTEXT __einfo_error ( EINFO_ENOMEM_TX_CIPHERTEXT )
135 #define EINFO_ENOMEM_TX_CIPHERTEXT \
136  __einfo_uniqify ( EINFO_ENOMEM, 0x05, \
137  "Not enough space for transmitted ciphertext" )
138 #define ENOMEM_RX_DATA __einfo_error ( EINFO_ENOMEM_RX_DATA )
139 #define EINFO_ENOMEM_RX_DATA \
140  __einfo_uniqify ( EINFO_ENOMEM, 0x07, \
141  "Not enough space for received data" )
142 #define ENOMEM_RX_CONCAT __einfo_error ( EINFO_ENOMEM_RX_CONCAT )
143 #define EINFO_ENOMEM_RX_CONCAT \
144  __einfo_uniqify ( EINFO_ENOMEM, 0x08, \
145  "Not enough space to concatenate received data" )
146 #define ENOTSUP_CIPHER __einfo_error ( EINFO_ENOTSUP_CIPHER )
147 #define EINFO_ENOTSUP_CIPHER \
148  __einfo_uniqify ( EINFO_ENOTSUP, 0x01, \
149  "Unsupported cipher" )
150 #define ENOTSUP_NULL __einfo_error ( EINFO_ENOTSUP_NULL )
151 #define EINFO_ENOTSUP_NULL \
152  __einfo_uniqify ( EINFO_ENOTSUP, 0x02, \
153  "Refusing to use null cipher" )
154 #define ENOTSUP_SIG_HASH __einfo_error ( EINFO_ENOTSUP_SIG_HASH )
155 #define EINFO_ENOTSUP_SIG_HASH \
156  __einfo_uniqify ( EINFO_ENOTSUP, 0x03, \
157  "Unsupported signature and hash algorithm" )
158 #define ENOTSUP_VERSION __einfo_error ( EINFO_ENOTSUP_VERSION )
159 #define EINFO_ENOTSUP_VERSION \
160  __einfo_uniqify ( EINFO_ENOTSUP, 0x04, \
161  "Unsupported protocol version" )
162 #define ENOTSUP_CURVE __einfo_error ( EINFO_ENOTSUP_CURVE )
163 #define EINFO_ENOTSUP_CURVE \
164  __einfo_uniqify ( EINFO_ENOTSUP, 0x05, \
165  "Unsupported elliptic curve" )
166 #define EPERM_ALERT __einfo_error ( EINFO_EPERM_ALERT )
167 #define EINFO_EPERM_ALERT \
168  __einfo_uniqify ( EINFO_EPERM, 0x01, \
169  "Received fatal alert" )
170 #define EPERM_VERIFY __einfo_error ( EINFO_EPERM_VERIFY )
171 #define EINFO_EPERM_VERIFY \
172  __einfo_uniqify ( EINFO_EPERM, 0x02, \
173  "Handshake verification failed" )
174 #define EPERM_RENEG_INSECURE __einfo_error ( EINFO_EPERM_RENEG_INSECURE )
175 #define EINFO_EPERM_RENEG_INSECURE \
176  __einfo_uniqify ( EINFO_EPERM, 0x04, \
177  "Secure renegotiation not supported" )
178 #define EPERM_RENEG_VERIFY __einfo_error ( EINFO_EPERM_RENEG_VERIFY )
179 #define EINFO_EPERM_RENEG_VERIFY \
180  __einfo_uniqify ( EINFO_EPERM, 0x05, \
181  "Secure renegotiation verification failed" )
182 #define EPERM_KEY_EXCHANGE __einfo_error ( EINFO_EPERM_KEY_EXCHANGE )
183 #define EINFO_EPERM_KEY_EXCHANGE \
184  __einfo_uniqify ( EINFO_EPERM, 0x06, \
185  "ServerKeyExchange verification failed" )
186 #define EPERM_EMS __einfo_error ( EINFO_EPERM_EMS )
187 #define EINFO_EPERM_EMS \
188  __einfo_uniqify ( EINFO_EPERM, 0x07, \
189  "Extended master secret extension mismatch" )
190 #define EPROTO_VERSION __einfo_error ( EINFO_EPROTO_VERSION )
191 #define EINFO_EPROTO_VERSION \
192  __einfo_uniqify ( EINFO_EPROTO, 0x01, \
193  "Illegal protocol version upgrade" )
194 
195 /** List of TLS session */
196 static LIST_HEAD ( tls_sessions );
197 
198 static void tls_tx_resume_all ( struct tls_session *session );
199 static struct io_buffer * tls_alloc_iob ( struct tls_connection *tls,
200  size_t len );
201 static int tls_send_record ( struct tls_connection *tls, unsigned int type,
202  struct io_buffer *iobuf );
203 static int tls_send_plaintext ( struct tls_connection *tls, unsigned int type,
204  const void *data, size_t len );
205 static void tls_clear_cipher ( struct tls_connection *tls,
206  struct tls_cipherspec *cipherspec );
207 static void tls_verify_handshake ( struct tls_connection *tls, void *out );
208 
209 /******************************************************************************
210  *
211  * Utility functions
212  *
213  ******************************************************************************
214  */
215 
216 /** A TLS 24-bit integer
217  *
218  * TLS uses 24-bit integers in several places, which are awkward to
219  * parse in C.
220  */
221 typedef struct {
222  /** High byte */
223  uint8_t high;
224  /** Low word */
225  uint16_t low;
226 } __attribute__ (( packed )) tls24_t;
227 
228 /**
229  * Extract 24-bit field value
230  *
231  * @v field24 24-bit field
232  * @ret value Field value
233  *
234  */
235 static inline __attribute__ (( always_inline )) unsigned long
236 tls_uint24 ( const tls24_t *field24 ) {
237 
238  return ( ( field24->high << 16 ) | be16_to_cpu ( field24->low ) );
239 }
240 
241 /**
242  * Set 24-bit field value
243  *
244  * @v field24 24-bit field
245  * @v value Field value
246  */
247 static void tls_set_uint24 ( tls24_t *field24, unsigned long value ) {
248 
249  field24->high = ( value >> 16 );
250  field24->low = cpu_to_be16 ( value );
251 }
252 
253 /**
254  * Determine if TLS connection is ready for application data
255  *
256  * @v tls TLS connection
257  * @ret is_ready TLS connection is ready
258  */
259 static int tls_ready ( struct tls_connection *tls ) {
260  return ( ( ! is_pending ( &tls->client.negotiation ) ) &&
261  ( ! is_pending ( &tls->server.negotiation ) ) );
262 }
263 
264 /**
265  * Check for TLS version
266  *
267  * @v tls TLS connection
268  * @v version TLS version
269  * @ret at_least TLS connection is using at least the specified version
270  *
271  * Check that TLS connection uses at least the specified protocol
272  * version. Optimise down to a compile-time constant true result if
273  * this is already guaranteed by the minimum supported version check.
274  */
275 static inline __attribute__ (( always_inline )) int
276 tls_version ( struct tls_connection *tls, unsigned int version ) {
277  return ( ( TLS_VERSION_MIN >= version ) ||
278  ( tls->version >= version ) );
279 }
280 
281 /******************************************************************************
282  *
283  * Hybrid MD5+SHA1 hash as used by TLSv1.1 and earlier
284  *
285  ******************************************************************************
286  */
287 
288 /**
289  * Initialise MD5+SHA1 algorithm
290  *
291  * @v ctx MD5+SHA1 context
292  */
293 static void md5_sha1_init ( void *ctx ) {
294  struct md5_sha1_context *context = ctx;
295 
296  digest_init ( &md5_algorithm, context->md5 );
297  digest_init ( &sha1_algorithm, context->sha1 );
298 }
299 
300 /**
301  * Accumulate data with MD5+SHA1 algorithm
302  *
303  * @v ctx MD5+SHA1 context
304  * @v data Data
305  * @v len Length of data
306  */
307 static void md5_sha1_update ( void *ctx, const void *data, size_t len ) {
308  struct md5_sha1_context *context = ctx;
309 
310  digest_update ( &md5_algorithm, context->md5, data, len );
311  digest_update ( &sha1_algorithm, context->sha1, data, len );
312 }
313 
314 /**
315  * Generate MD5+SHA1 digest
316  *
317  * @v ctx MD5+SHA1 context
318  * @v out Output buffer
319  */
320 static void md5_sha1_final ( void *ctx, void *out ) {
321  struct md5_sha1_context *context = ctx;
322  struct md5_sha1_digest *digest = out;
323 
324  digest_final ( &md5_algorithm, context->md5, digest->md5 );
325  digest_final ( &sha1_algorithm, context->sha1, digest->sha1 );
326 }
327 
328 /** Hybrid MD5+SHA1 digest algorithm */
329 static struct digest_algorithm md5_sha1_algorithm = {
330  .name = "md5+sha1",
331  .ctxsize = sizeof ( struct md5_sha1_context ),
332  .blocksize = 0, /* Not applicable */
333  .digestsize = sizeof ( struct md5_sha1_digest ),
334  .init = md5_sha1_init,
335  .update = md5_sha1_update,
336  .final = md5_sha1_final,
337 };
338 
339 /** RSA digestInfo prefix for MD5+SHA1 algorithm */
340 struct rsa_digestinfo_prefix rsa_md5_sha1_prefix __rsa_digestinfo_prefix = {
341  .digest = &md5_sha1_algorithm,
342  .data = NULL, /* MD5+SHA1 signatures have no digestInfo */
343  .len = 0,
344 };
345 
346 /******************************************************************************
347  *
348  * Cleanup functions
349  *
350  ******************************************************************************
351  */
352 
353 /**
354  * Free TLS session
355  *
356  * @v refcnt Reference counter
357  */
358 static void free_tls_session ( struct refcnt *refcnt ) {
359  struct tls_session *session =
360  container_of ( refcnt, struct tls_session, refcnt );
361 
362  /* Sanity check */
363  assert ( list_empty ( &session->conn ) );
364 
365  /* Remove from list of sessions */
366  list_del ( &session->list );
367 
368  /* Free dynamically-allocated resources */
369  x509_root_put ( session->root );
370  privkey_put ( session->key );
371  free ( session->ticket );
372 
373  /* Free session */
374  free ( session );
375 }
376 
377 /**
378  * Free TLS connection
379  *
380  * @v refcnt Reference counter
381  */
382 static void free_tls ( struct refcnt *refcnt ) {
383  struct tls_connection *tls =
384  container_of ( refcnt, struct tls_connection, refcnt );
385  struct tls_session *session = tls->session;
386  struct io_buffer *iobuf;
387  struct io_buffer *tmp;
388 
389  /* Free dynamically-allocated resources */
390  free ( tls->new_session_ticket );
391  tls_clear_cipher ( tls, &tls->tx.cipherspec.active );
392  tls_clear_cipher ( tls, &tls->tx.cipherspec.pending );
393  tls_clear_cipher ( tls, &tls->rx.cipherspec.active );
394  tls_clear_cipher ( tls, &tls->rx.cipherspec.pending );
395  free ( tls->server.exchange );
396  free ( tls->handshake_ctx );
397  list_for_each_entry_safe ( iobuf, tmp, &tls->rx.data, list ) {
398  list_del ( &iobuf->list );
399  free_iob ( iobuf );
400  }
401  free_iob ( tls->rx.handshake );
402  privkey_put ( tls->client.key );
403  x509_chain_put ( tls->client.chain );
404  x509_chain_put ( tls->server.chain );
405  x509_root_put ( tls->server.root );
406 
407  /* Drop reference to session */
408  assert ( list_empty ( &tls->list ) );
409  ref_put ( &session->refcnt );
410 
411  /* Free TLS structure itself */
412  free ( tls );
413 }
414 
415 /**
416  * Finish with TLS connection
417  *
418  * @v tls TLS connection
419  * @v rc Status code
420  */
421 static void tls_close ( struct tls_connection *tls, int rc ) {
422 
423  /* Remove pending operations, if applicable */
424  pending_put ( &tls->client.negotiation );
425  pending_put ( &tls->server.negotiation );
426  pending_put ( &tls->server.validation );
427 
428  /* Remove process */
429  process_del ( &tls->tx.process );
430 
431  /* Close all interfaces */
432  intf_shutdown ( &tls->cipherstream, rc );
433  intf_shutdown ( &tls->plainstream, rc );
434  intf_shutdown ( &tls->server.validator, rc );
435 
436  /* Remove from session */
437  list_del ( &tls->list );
438  INIT_LIST_HEAD ( &tls->list );
439 
440  /* Resume all other connections, in case we were the lead connection */
441  tls_tx_resume_all ( tls->session );
442 }
443 
444 /******************************************************************************
445  *
446  * Random number generation
447  *
448  ******************************************************************************
449  */
450 
451 /**
452  * Generate random data
453  *
454  * @v tls TLS connection
455  * @v data Buffer to fill
456  * @v len Length of buffer
457  * @ret rc Return status code
458  */
459 static int tls_generate_random ( struct tls_connection *tls,
460  void *data, size_t len ) {
461  int rc;
462 
463  /* Generate random bits with no additional input and without
464  * prediction resistance
465  */
466  if ( ( rc = rbg_generate ( NULL, 0, 0, data, len ) ) != 0 ) {
467  DBGC ( tls, "TLS %p could not generate random data: %s\n",
468  tls, strerror ( rc ) );
469  return rc;
470  }
471 
472  return 0;
473 }
474 
475 /**
476  * Update HMAC with a list of ( data, len ) pairs
477  *
478  * @v digest Hash function to use
479  * @v ctx HMAC context
480  * @v args ( data, len ) pairs of data, terminated by NULL
481  */
482 static void tls_hmac_update_va ( struct digest_algorithm *digest,
483  void *ctx, va_list args ) {
484  void *data;
485  size_t len;
486 
487  while ( ( data = va_arg ( args, void * ) ) ) {
488  len = va_arg ( args, size_t );
489  hmac_update ( digest, ctx, data, len );
490  }
491 }
492 
493 /**
494  * Generate secure pseudo-random data using a single hash function
495  *
496  * @v tls TLS connection
497  * @v digest Hash function to use
498  * @v secret Secret
499  * @v secret_len Length of secret
500  * @v out Output buffer
501  * @v out_len Length of output buffer
502  * @v seeds ( data, len ) pairs of seed data, terminated by NULL
503  */
504 static void tls_p_hash_va ( struct tls_connection *tls,
505  struct digest_algorithm *digest,
506  const void *secret, size_t secret_len,
507  void *out, size_t out_len,
508  va_list seeds ) {
509  uint8_t ctx[ hmac_ctxsize ( digest ) ];
510  uint8_t ctx_partial[ sizeof ( ctx ) ];
511  uint8_t a[digest->digestsize];
512  uint8_t out_tmp[digest->digestsize];
513  size_t frag_len = digest->digestsize;
514  va_list tmp;
515 
516  DBGC2 ( tls, "TLS %p %s secret:\n", tls, digest->name );
517  DBGC2_HD ( tls, secret, secret_len );
518 
519  /* Calculate A(1) */
520  hmac_init ( digest, ctx, secret, secret_len );
521  va_copy ( tmp, seeds );
522  tls_hmac_update_va ( digest, ctx, tmp );
523  va_end ( tmp );
524  hmac_final ( digest, ctx, a );
525  DBGC2 ( tls, "TLS %p %s A(1):\n", tls, digest->name );
526  DBGC2_HD ( tls, &a, sizeof ( a ) );
527 
528  /* Generate as much data as required */
529  while ( out_len ) {
530  /* Calculate output portion */
531  hmac_init ( digest, ctx, secret, secret_len );
532  hmac_update ( digest, ctx, a, sizeof ( a ) );
533  memcpy ( ctx_partial, ctx, sizeof ( ctx_partial ) );
534  va_copy ( tmp, seeds );
535  tls_hmac_update_va ( digest, ctx, tmp );
536  va_end ( tmp );
537  hmac_final ( digest, ctx, out_tmp );
538 
539  /* Copy output */
540  if ( frag_len > out_len )
541  frag_len = out_len;
542  memcpy ( out, out_tmp, frag_len );
543  DBGC2 ( tls, "TLS %p %s output:\n", tls, digest->name );
544  DBGC2_HD ( tls, out, frag_len );
545 
546  /* Calculate A(i) */
547  hmac_final ( digest, ctx_partial, a );
548  DBGC2 ( tls, "TLS %p %s A(n):\n", tls, digest->name );
549  DBGC2_HD ( tls, &a, sizeof ( a ) );
550 
551  out += frag_len;
552  out_len -= frag_len;
553  }
554 }
555 
556 /**
557  * Generate secure pseudo-random data
558  *
559  * @v tls TLS connection
560  * @v secret Secret
561  * @v secret_len Length of secret
562  * @v out Output buffer
563  * @v out_len Length of output buffer
564  * @v ... ( data, len ) pairs of seed data, terminated by NULL
565  */
566 static void tls_prf ( struct tls_connection *tls, const void *secret,
567  size_t secret_len, void *out, size_t out_len, ... ) {
568  va_list seeds;
569  va_list tmp;
570  size_t subsecret_len;
571  const void *md5_secret;
572  const void *sha1_secret;
573  uint8_t buf[out_len];
574  unsigned int i;
575 
576  va_start ( seeds, out_len );
577 
578  if ( tls_version ( tls, TLS_VERSION_TLS_1_2 ) ) {
579  /* Use handshake digest PRF for TLSv1.2 and later */
580  tls_p_hash_va ( tls, tls->handshake_digest, secret, secret_len,
581  out, out_len, seeds );
582  } else {
583  /* Use combination of P_MD5 and P_SHA-1 for TLSv1.1
584  * and earlier
585  */
586 
587  /* Split secret into two, with an overlap of up to one byte */
588  subsecret_len = ( ( secret_len + 1 ) / 2 );
589  md5_secret = secret;
590  sha1_secret = ( secret + secret_len - subsecret_len );
591 
592  /* Calculate MD5 portion */
593  va_copy ( tmp, seeds );
594  tls_p_hash_va ( tls, &md5_algorithm, md5_secret,
595  subsecret_len, out, out_len, seeds );
596  va_end ( tmp );
597 
598  /* Calculate SHA1 portion */
599  va_copy ( tmp, seeds );
600  tls_p_hash_va ( tls, &sha1_algorithm, sha1_secret,
601  subsecret_len, buf, out_len, seeds );
602  va_end ( tmp );
603 
604  /* XOR the two portions together into the final output buffer */
605  for ( i = 0 ; i < out_len ; i++ )
606  *( ( uint8_t * ) out + i ) ^= buf[i];
607  }
608 
609  va_end ( seeds );
610 }
611 
612 /**
613  * Generate secure pseudo-random data
614  *
615  * @v secret Secret
616  * @v secret_len Length of secret
617  * @v out Output buffer
618  * @v out_len Length of output buffer
619  * @v label String literal label
620  * @v ... ( data, len ) pairs of seed data
621  */
622 #define tls_prf_label( tls, secret, secret_len, out, out_len, label, ... ) \
623  tls_prf ( (tls), (secret), (secret_len), (out), (out_len), \
624  label, ( sizeof ( label ) - 1 ), __VA_ARGS__, NULL )
625 
626 /******************************************************************************
627  *
628  * Secret management
629  *
630  ******************************************************************************
631  */
632 
633 /**
634  * Generate master secret
635  *
636  * @v tls TLS connection
637  * @v pre_master_secret Pre-master secret
638  * @v pre_master_secret_len Length of pre-master secret
639  *
640  * The client and server random values must already be known.
641  */
642 static void tls_generate_master_secret ( struct tls_connection *tls,
643  const void *pre_master_secret,
644  size_t pre_master_secret_len ) {
645  struct digest_algorithm *digest = tls->handshake_digest;
646  uint8_t digest_out[ digest->digestsize ];
647 
648  /* Generate handshake digest */
649  tls_verify_handshake ( tls, digest_out );
650 
651  /* Show inputs */
652  DBGC ( tls, "TLS %p pre-master secret:\n", tls );
653  DBGC_HD ( tls, pre_master_secret, pre_master_secret_len );
654  DBGC ( tls, "TLS %p client random bytes:\n", tls );
655  DBGC_HD ( tls, &tls->client.random, sizeof ( tls->client.random ) );
656  DBGC ( tls, "TLS %p server random bytes:\n", tls );
657  DBGC_HD ( tls, &tls->server.random, sizeof ( tls->server.random ) );
658  DBGC ( tls, "TLS %p session hash:\n", tls );
659  DBGC_HD ( tls, digest_out, sizeof ( digest_out ) );
660 
661  /* Generate master secret */
662  if ( tls->extended_master_secret ) {
663  tls_prf_label ( tls, pre_master_secret, pre_master_secret_len,
664  &tls->master_secret,
665  sizeof ( tls->master_secret ),
666  "extended master secret",
667  digest_out, sizeof ( digest_out ) );
668  } else {
669  tls_prf_label ( tls, pre_master_secret, pre_master_secret_len,
670  &tls->master_secret,
671  sizeof ( tls->master_secret ),
672  "master secret",
673  &tls->client.random,
674  sizeof ( tls->client.random ),
675  &tls->server.random,
676  sizeof ( tls->server.random ) );
677  }
678 
679  /* Show output */
680  DBGC ( tls, "TLS %p generated %smaster secret:\n", tls,
681  ( tls->extended_master_secret ? "extended ": "" ) );
682  DBGC_HD ( tls, &tls->master_secret, sizeof ( tls->master_secret ) );
683 }
684 
685 /**
686  * Generate key material
687  *
688  * @v tls TLS connection
689  *
690  * The master secret must already be known.
691  */
692 static int tls_generate_keys ( struct tls_connection *tls ) {
693  struct tls_cipherspec *tx_cipherspec = &tls->tx.cipherspec.pending;
694  struct tls_cipherspec *rx_cipherspec = &tls->rx.cipherspec.pending;
695  size_t hash_size = tx_cipherspec->suite->mac_len;
696  size_t key_size = tx_cipherspec->suite->key_len;
697  size_t iv_size = tx_cipherspec->suite->fixed_iv_len;
698  size_t total = ( 2 * ( hash_size + key_size + iv_size ) );
699  uint8_t key_block[total];
700  uint8_t *key;
701  int rc;
702 
703  /* Generate key block */
704  tls_prf_label ( tls, &tls->master_secret, sizeof ( tls->master_secret ),
705  key_block, sizeof ( key_block ), "key expansion",
706  &tls->server.random, sizeof ( tls->server.random ),
707  &tls->client.random, sizeof ( tls->client.random ) );
708 
709  /* Split key block into portions */
710  key = key_block;
711 
712  /* TX MAC secret */
713  memcpy ( tx_cipherspec->mac_secret, key, hash_size );
714  DBGC ( tls, "TLS %p TX MAC secret:\n", tls );
715  DBGC_HD ( tls, key, hash_size );
716  key += hash_size;
717 
718  /* RX MAC secret */
719  memcpy ( rx_cipherspec->mac_secret, key, hash_size );
720  DBGC ( tls, "TLS %p RX MAC secret:\n", tls );
721  DBGC_HD ( tls, key, hash_size );
722  key += hash_size;
723 
724  /* TX key */
725  if ( ( rc = cipher_setkey ( tx_cipherspec->suite->cipher,
726  tx_cipherspec->cipher_ctx,
727  key, key_size ) ) != 0 ) {
728  DBGC ( tls, "TLS %p could not set TX key: %s\n",
729  tls, strerror ( rc ) );
730  return rc;
731  }
732  DBGC ( tls, "TLS %p TX key:\n", tls );
733  DBGC_HD ( tls, key, key_size );
734  key += key_size;
735 
736  /* RX key */
737  if ( ( rc = cipher_setkey ( rx_cipherspec->suite->cipher,
738  rx_cipherspec->cipher_ctx,
739  key, key_size ) ) != 0 ) {
740  DBGC ( tls, "TLS %p could not set TX key: %s\n",
741  tls, strerror ( rc ) );
742  return rc;
743  }
744  DBGC ( tls, "TLS %p RX key:\n", tls );
745  DBGC_HD ( tls, key, key_size );
746  key += key_size;
747 
748  /* TX initialisation vector */
749  memcpy ( tx_cipherspec->fixed_iv, key, iv_size );
750  DBGC ( tls, "TLS %p TX IV:\n", tls );
751  DBGC_HD ( tls, key, iv_size );
752  key += iv_size;
753 
754  /* RX initialisation vector */
755  memcpy ( rx_cipherspec->fixed_iv, key, iv_size );
756  DBGC ( tls, "TLS %p RX IV:\n", tls );
757  DBGC_HD ( tls, key, iv_size );
758  key += iv_size;
759 
760  assert ( ( key_block + total ) == key );
761 
762  return 0;
763 }
764 
765 /******************************************************************************
766  *
767  * Handshake verification
768  *
769  ******************************************************************************
770  */
771 
772 /**
773  * Clear handshake digest algorithm
774  *
775  * @v tls TLS connection
776  */
777 static void tls_clear_handshake ( struct tls_connection *tls ) {
778 
779  /* Select null digest algorithm */
780  tls->handshake_digest = &digest_null;
781 
782  /* Free any existing context */
783  free ( tls->handshake_ctx );
784  tls->handshake_ctx = NULL;
785 }
786 
787 /**
788  * Select handshake digest algorithm
789  *
790  * @v tls TLS connection
791  * @v digest Handshake digest algorithm
792  * @ret rc Return status code
793  */
794 static int tls_select_handshake ( struct tls_connection *tls,
795  struct digest_algorithm *digest ) {
796 
797  /* Clear existing handshake digest */
798  tls_clear_handshake ( tls );
799 
800  /* Allocate and initialise context */
801  tls->handshake_ctx = malloc ( digest->ctxsize );
802  if ( ! tls->handshake_ctx )
803  return -ENOMEM;
804  tls->handshake_digest = digest;
805  digest_init ( digest, tls->handshake_ctx );
806 
807  return 0;
808 }
809 
810 /**
811  * Add handshake record to verification hash
812  *
813  * @v tls TLS connection
814  * @v data Handshake record
815  * @v len Length of handshake record
816  * @ret rc Return status code
817  */
818 static int tls_add_handshake ( struct tls_connection *tls,
819  const void *data, size_t len ) {
820  struct digest_algorithm *digest = tls->handshake_digest;
821 
822  digest_update ( digest, tls->handshake_ctx, data, len );
823  return 0;
824 }
825 
826 /**
827  * Calculate handshake verification hash
828  *
829  * @v tls TLS connection
830  * @v out Output buffer
831  *
832  * Calculates the digest over all handshake messages seen so far.
833  */
834 static void tls_verify_handshake ( struct tls_connection *tls, void *out ) {
835  struct digest_algorithm *digest = tls->handshake_digest;
836  uint8_t ctx[ digest->ctxsize ];
837 
838  memcpy ( ctx, tls->handshake_ctx, sizeof ( ctx ) );
839  digest_final ( digest, ctx, out );
840 }
841 
842 /******************************************************************************
843  *
844  * Cipher suite management
845  *
846  ******************************************************************************
847  */
848 
849 /** Null cipher suite */
850 struct tls_cipher_suite tls_cipher_suite_null = {
851  .exchange = &tls_pubkey_exchange_algorithm,
852  .pubkey = &pubkey_null,
853  .cipher = &cipher_null,
854  .digest = &digest_null,
855 };
856 
857 /** Number of supported cipher suites */
858 #define TLS_NUM_CIPHER_SUITES table_num_entries ( TLS_CIPHER_SUITES )
859 
860 /**
861  * Identify cipher suite
862  *
863  * @v cipher_suite Cipher suite specification
864  * @ret suite Cipher suite, or NULL
865  */
866 static struct tls_cipher_suite *
867 tls_find_cipher_suite ( unsigned int cipher_suite ) {
868  struct tls_cipher_suite *suite;
869 
870  /* Identify cipher suite */
871  for_each_table_entry ( suite, TLS_CIPHER_SUITES ) {
872  if ( suite->code == cipher_suite )
873  return suite;
874  }
875 
876  return NULL;
877 }
878 
879 /**
880  * Clear cipher suite
881  *
882  * @v cipherspec TLS cipher specification
883  */
884 static void tls_clear_cipher ( struct tls_connection *tls __unused,
885  struct tls_cipherspec *cipherspec ) {
886 
887  free ( cipherspec->dynamic );
888  memset ( cipherspec, 0, sizeof ( *cipherspec ) );
889  cipherspec->suite = &tls_cipher_suite_null;
890 }
891 
892 /**
893  * Set cipher suite
894  *
895  * @v tls TLS connection
896  * @v cipherspec TLS cipher specification
897  * @v suite Cipher suite
898  * @ret rc Return status code
899  */
900 static int tls_set_cipher ( struct tls_connection *tls,
901  struct tls_cipherspec *cipherspec,
902  struct tls_cipher_suite *suite ) {
903  struct cipher_algorithm *cipher = suite->cipher;
904  size_t total;
905  void *dynamic;
906 
907  /* Clear out old cipher contents, if any */
908  tls_clear_cipher ( tls, cipherspec );
909 
910  /* Allocate dynamic storage */
911  total = ( cipher->ctxsize + suite->mac_len + suite->fixed_iv_len );
912  dynamic = zalloc ( total );
913  if ( ! dynamic ) {
914  DBGC ( tls, "TLS %p could not allocate %zd bytes for crypto "
915  "context\n", tls, total );
916  return -ENOMEM_CONTEXT;
917  }
918 
919  /* Assign storage */
920  cipherspec->dynamic = dynamic;
921  cipherspec->cipher_ctx = dynamic; dynamic += cipher->ctxsize;
922  cipherspec->mac_secret = dynamic; dynamic += suite->mac_len;
923  cipherspec->fixed_iv = dynamic; dynamic += suite->fixed_iv_len;
924  assert ( ( cipherspec->dynamic + total ) == dynamic );
925 
926  /* Store parameters */
927  cipherspec->suite = suite;
928 
929  return 0;
930 }
931 
932 /**
933  * Select next cipher suite
934  *
935  * @v tls TLS connection
936  * @v cipher_suite Cipher suite specification
937  * @ret rc Return status code
938  */
939 static int tls_select_cipher ( struct tls_connection *tls,
940  unsigned int cipher_suite ) {
941  struct tls_cipher_suite *suite;
942  struct digest_algorithm *digest;
943  int rc;
944 
945  /* Identify cipher suite */
946  suite = tls_find_cipher_suite ( cipher_suite );
947  if ( ! suite ) {
948  DBGC ( tls, "TLS %p does not support cipher %04x\n",
949  tls, ntohs ( cipher_suite ) );
950  return -ENOTSUP_CIPHER;
951  }
952 
953  /* Set handshake digest algorithm */
954  digest = ( tls_version ( tls, TLS_VERSION_TLS_1_2 ) ?
955  suite->handshake : &md5_sha1_algorithm );
956  if ( ( rc = tls_select_handshake ( tls, digest ) ) != 0 )
957  return rc;
958 
959  /* Set ciphers */
960  if ( ( rc = tls_set_cipher ( tls, &tls->tx.cipherspec.pending,
961  suite ) ) != 0 )
962  return rc;
963  if ( ( rc = tls_set_cipher ( tls, &tls->rx.cipherspec.pending,
964  suite ) ) != 0 )
965  return rc;
966 
967  DBGC ( tls, "TLS %p selected %s-%s-%s-%d-%s\n", tls,
968  suite->exchange->name, suite->pubkey->name,
969  suite->cipher->name, ( suite->key_len * 8 ),
970  suite->digest->name );
971 
972  return 0;
973 }
974 
975 /**
976  * Activate next cipher suite
977  *
978  * @v tls TLS connection
979  * @v pair Cipher specification pair
980  * @ret rc Return status code
981  */
982 static int tls_change_cipher ( struct tls_connection *tls,
983  struct tls_cipherspec_pair *pair ) {
984 
985  /* Sanity check */
986  if ( pair->pending.suite == &tls_cipher_suite_null ) {
987  DBGC ( tls, "TLS %p refusing to use null cipher\n", tls );
988  return -ENOTSUP_NULL;
989  }
990 
991  tls_clear_cipher ( tls, &pair->active );
992  memswap ( &pair->active, &pair->pending, sizeof ( pair->active ) );
993  return 0;
994 }
995 
996 /******************************************************************************
997  *
998  * Signature and hash algorithms
999  *
1000  ******************************************************************************
1001  */
1002 
1003 /** Number of supported signature and hash algorithms */
1004 #define TLS_NUM_SIG_HASH_ALGORITHMS \
1005  table_num_entries ( TLS_SIG_HASH_ALGORITHMS )
1006 
1007 /**
1008  * Find TLS signature and hash algorithm
1009  *
1010  * @v pubkey Public-key algorithm
1011  * @v digest Digest algorithm
1012  * @ret sig_hash Signature and hash algorithm, or NULL
1013  */
1014 static struct tls_signature_hash_algorithm *
1015 tls_signature_hash_algorithm ( struct pubkey_algorithm *pubkey,
1016  struct digest_algorithm *digest ) {
1017  struct tls_signature_hash_algorithm *sig_hash;
1018 
1019  /* Identify signature and hash algorithm */
1020  for_each_table_entry ( sig_hash, TLS_SIG_HASH_ALGORITHMS ) {
1021  if ( ( sig_hash->pubkey == pubkey ) &&
1022  ( sig_hash->digest == digest ) ) {
1023  return sig_hash;
1024  }
1025  }
1026 
1027  return NULL;
1028 }
1029 
1030 /**
1031  * Find TLS signature algorithm
1032  *
1033  * @v code Signature and hash algorithm identifier
1034  * @ret pubkey Public key algorithm, or NULL
1035  */
1036 static struct pubkey_algorithm *
1037 tls_signature_hash_pubkey ( struct tls_signature_hash_id code ) {
1038  struct tls_signature_hash_algorithm *sig_hash;
1039 
1040  /* Identify signature and hash algorithm */
1041  for_each_table_entry ( sig_hash, TLS_SIG_HASH_ALGORITHMS ) {
1042  if ( sig_hash->code.signature == code.signature )
1043  return sig_hash->pubkey;
1044  }
1045 
1046  return NULL;
1047 }
1048 
1049 /**
1050  * Find TLS hash algorithm
1051  *
1052  * @v code Signature and hash algorithm identifier
1053  * @ret digest Digest algorithm, or NULL
1054  */
1055 static struct digest_algorithm *
1056 tls_signature_hash_digest ( struct tls_signature_hash_id code ) {
1057  struct tls_signature_hash_algorithm *sig_hash;
1058 
1059  /* Identify signature and hash algorithm */
1060  for_each_table_entry ( sig_hash, TLS_SIG_HASH_ALGORITHMS ) {
1061  if ( sig_hash->code.hash == code.hash )
1062  return sig_hash->digest;
1063  }
1064 
1065  return NULL;
1066 }
1067 
1068 /******************************************************************************
1069  *
1070  * Ephemeral Elliptic Curve Diffie-Hellman key exchange
1071  *
1072  ******************************************************************************
1073  */
1074 
1075 /** Number of supported named curves */
1076 #define TLS_NUM_NAMED_CURVES table_num_entries ( TLS_NAMED_CURVES )
1077 
1078 /**
1079  * Identify named curve
1080  *
1081  * @v named_curve Named curve specification
1082  * @ret curve Named curve, or NULL
1083  */
1084 static struct tls_named_curve *
1085 tls_find_named_curve ( unsigned int named_curve ) {
1086  struct tls_named_curve *curve;
1087 
1088  /* Identify named curve */
1089  for_each_table_entry ( curve, TLS_NAMED_CURVES ) {
1090  if ( curve->code == named_curve )
1091  return curve;
1092  }
1093 
1094  return NULL;
1095 }
1096 
1097 /******************************************************************************
1098  *
1099  * Record handling
1100  *
1101  ******************************************************************************
1102  */
1103 
1104 /**
1105  * Resume TX state machine
1106  *
1107  * @v tls TLS connection
1108  */
1109 static void tls_tx_resume ( struct tls_connection *tls ) {
1110  process_add ( &tls->tx.process );
1111 }
1112 
1113 /**
1114  * Resume TX state machine for all connections within a session
1115  *
1116  * @v session TLS session
1117  */
1118 static void tls_tx_resume_all ( struct tls_session *session ) {
1119  struct tls_connection *tls;
1120 
1121  list_for_each_entry ( tls, &session->conn, list )
1122  tls_tx_resume ( tls );
1123 }
1124 
1125 /**
1126  * Restart negotiation
1127  *
1128  * @v tls TLS connection
1129  */
1130 static void tls_restart ( struct tls_connection *tls ) {
1131 
1132  /* Sanity check */
1133  assert ( ! tls->tx.pending );
1134  assert ( ! is_pending ( &tls->client.negotiation ) );
1135  assert ( ! is_pending ( &tls->server.negotiation ) );
1136  assert ( ! is_pending ( &tls->server.validation ) );
1137 
1138  /* (Re)start negotiation */
1139  tls->tx.pending = TLS_TX_CLIENT_HELLO;
1140  tls_tx_resume ( tls );
1141  pending_get ( &tls->client.negotiation );
1142  pending_get ( &tls->server.negotiation );
1143 }
1144 
1145 /**
1146  * Transmit Handshake record
1147  *
1148  * @v tls TLS connection
1149  * @v data Plaintext record
1150  * @v len Length of plaintext record
1151  * @ret rc Return status code
1152  */
1153 static int tls_send_handshake ( struct tls_connection *tls,
1154  const void *data, size_t len ) {
1155 
1156  /* Send record */
1157  return tls_send_plaintext ( tls, TLS_TYPE_HANDSHAKE, data, len );
1158 }
1159 
1160 /**
1161  * Digest or transmit Client Hello record
1162  *
1163  * @v tls TLS connection
1164  * @v action Action to take on Client Hello record
1165  * @ret rc Return status code
1166  */
1167 static int tls_client_hello ( struct tls_connection *tls,
1168  int ( * action ) ( struct tls_connection *tls,
1169  const void *data,
1170  size_t len ) ) {
1171  struct tls_session *session = tls->session;
1172  size_t name_len = strlen ( session->name );
1173  struct {
1174  uint16_t type;
1175  uint16_t len;
1176  struct {
1177  uint16_t len;
1178  struct {
1179  uint8_t type;
1180  uint16_t len;
1181  uint8_t name[name_len];
1182  } __attribute__ (( packed )) list[1];
1183  } __attribute__ (( packed )) data;
1184  } __attribute__ (( packed )) *server_name_ext;
1185  struct {
1186  uint16_t type;
1187  uint16_t len;
1188  struct {
1189  uint8_t max;
1190  } __attribute__ (( packed )) data;
1191  } __attribute__ (( packed )) *max_fragment_length_ext;
1192  struct {
1193  uint16_t type;
1194  uint16_t len;
1195  struct {
1196  uint16_t len;
1197  struct tls_signature_hash_id
1198  code[TLS_NUM_SIG_HASH_ALGORITHMS];
1199  } __attribute__ (( packed )) data;
1200  } __attribute__ (( packed )) *signature_algorithms_ext;
1201  struct {
1202  uint16_t type;
1203  uint16_t len;
1204  struct {
1205  uint8_t len;
1206  uint8_t data[ tls->secure_renegotiation ?
1207  sizeof ( tls->verify.client ) :0 ];
1208  } __attribute__ (( packed )) data;
1209  } __attribute__ (( packed )) *renegotiation_info_ext;
1210  struct {
1211  uint16_t type;
1212  uint16_t len;
1213  struct {
1214  uint8_t data[session->ticket_len];
1215  } __attribute__ (( packed )) data;
1216  } __attribute__ (( packed )) *session_ticket_ext;
1217  struct {
1218  uint16_t type;
1219  uint16_t len;
1220  struct {
1221  uint16_t len;
1222  uint16_t code[TLS_NUM_NAMED_CURVES];
1223  } __attribute__ (( packed )) data;
1224  } __attribute__ (( packed )) *named_curve_ext;
1225  struct {
1226  uint16_t type;
1227  uint16_t len;
1228  } __attribute__ (( packed )) *extended_master_secret_ext;
1229  struct {
1230  typeof ( *server_name_ext ) server_name;
1231  typeof ( *max_fragment_length_ext ) max_fragment_length;
1232  typeof ( *signature_algorithms_ext ) signature_algorithms;
1233  typeof ( *renegotiation_info_ext ) renegotiation_info;
1234  typeof ( *session_ticket_ext ) session_ticket;
1235  typeof ( *extended_master_secret_ext ) extended_master_secret;
1236  typeof ( *named_curve_ext )
1237  named_curve[TLS_NUM_NAMED_CURVES ? 1 : 0];
1238  } __attribute__ (( packed )) *extensions;
1239  struct {
1240  uint32_t type_length;
1241  uint16_t version;
1242  uint8_t random[32];
1243  uint8_t session_id_len;
1244  uint8_t session_id[tls->session_id_len];
1245  uint16_t cipher_suite_len;
1246  uint16_t cipher_suites[TLS_NUM_CIPHER_SUITES];
1247  uint8_t compression_methods_len;
1248  uint8_t compression_methods[1];
1249  uint16_t extensions_len;
1250  typeof ( *extensions ) extensions;
1251  } __attribute__ (( packed )) hello;
1252  struct tls_cipher_suite *suite;
1253  struct tls_signature_hash_algorithm *sighash;
1254  struct tls_named_curve *curve;
1255  unsigned int i;
1256 
1257  /* Construct record */
1258  memset ( &hello, 0, sizeof ( hello ) );
1259  hello.type_length = ( cpu_to_le32 ( TLS_CLIENT_HELLO ) |
1260  htonl ( sizeof ( hello ) -
1261  sizeof ( hello.type_length ) ) );
1262  hello.version = htons ( TLS_VERSION_MAX );
1263  memcpy ( &hello.random, &tls->client.random, sizeof ( hello.random ) );
1264  hello.session_id_len = tls->session_id_len;
1265  memcpy ( hello.session_id, tls->session_id,
1266  sizeof ( hello.session_id ) );
1267  hello.cipher_suite_len = htons ( sizeof ( hello.cipher_suites ) );
1268  i = 0 ; for_each_table_entry ( suite, TLS_CIPHER_SUITES )
1269  hello.cipher_suites[i++] = suite->code;
1270  hello.compression_methods_len = sizeof ( hello.compression_methods );
1271  hello.extensions_len = htons ( sizeof ( hello.extensions ) );
1272  extensions = &hello.extensions;
1273 
1274  /* Construct server name extension */
1275  server_name_ext = &extensions->server_name;
1276  server_name_ext->type = htons ( TLS_SERVER_NAME );
1277  server_name_ext->len = htons ( sizeof ( server_name_ext->data ) );
1278  server_name_ext->data.len
1279  = htons ( sizeof ( server_name_ext->data.list ) );
1280  server_name_ext->data.list[0].type = TLS_SERVER_NAME_HOST_NAME;
1281  server_name_ext->data.list[0].len
1282  = htons ( sizeof ( server_name_ext->data.list[0].name ) );
1283  memcpy ( server_name_ext->data.list[0].name, session->name,
1284  sizeof ( server_name_ext->data.list[0].name ) );
1285 
1286  /* Construct maximum fragment length extension */
1287  max_fragment_length_ext = &extensions->max_fragment_length;
1288  max_fragment_length_ext->type = htons ( TLS_MAX_FRAGMENT_LENGTH );
1289  max_fragment_length_ext->len
1290  = htons ( sizeof ( max_fragment_length_ext->data ) );
1291  max_fragment_length_ext->data.max = TLS_MAX_FRAGMENT_LENGTH_VALUE;
1292 
1293  /* Construct supported signature algorithms extension */
1294  signature_algorithms_ext = &extensions->signature_algorithms;
1295  signature_algorithms_ext->type = htons ( TLS_SIGNATURE_ALGORITHMS );
1296  signature_algorithms_ext->len
1297  = htons ( sizeof ( signature_algorithms_ext->data ) );
1298  signature_algorithms_ext->data.len
1299  = htons ( sizeof ( signature_algorithms_ext->data.code ) );
1300  i = 0 ; for_each_table_entry ( sighash, TLS_SIG_HASH_ALGORITHMS )
1301  signature_algorithms_ext->data.code[i++] = sighash->code;
1302 
1303  /* Construct renegotiation information extension */
1304  renegotiation_info_ext = &extensions->renegotiation_info;
1305  renegotiation_info_ext->type = htons ( TLS_RENEGOTIATION_INFO );
1306  renegotiation_info_ext->len
1307  = htons ( sizeof ( renegotiation_info_ext->data ) );
1308  renegotiation_info_ext->data.len
1309  = sizeof ( renegotiation_info_ext->data.data );
1310  memcpy ( renegotiation_info_ext->data.data, tls->verify.client,
1311  sizeof ( renegotiation_info_ext->data.data ) );
1312 
1313  /* Construct session ticket extension */
1314  session_ticket_ext = &extensions->session_ticket;
1315  session_ticket_ext->type = htons ( TLS_SESSION_TICKET );
1316  session_ticket_ext->len
1317  = htons ( sizeof ( session_ticket_ext->data ) );
1318  memcpy ( session_ticket_ext->data.data, session->ticket,
1319  sizeof ( session_ticket_ext->data.data ) );
1320 
1321  /* Construct extended master secret extension */
1322  extended_master_secret_ext = &extensions->extended_master_secret;
1323  extended_master_secret_ext->type
1324  = htons ( TLS_EXTENDED_MASTER_SECRET );
1325  extended_master_secret_ext->len = 0;
1326 
1327  /* Construct named curves extension, if applicable */
1328  if ( sizeof ( extensions->named_curve ) ) {
1329  named_curve_ext = &extensions->named_curve[0];
1330  named_curve_ext->type = htons ( TLS_NAMED_CURVE );
1331  named_curve_ext->len
1332  = htons ( sizeof ( named_curve_ext->data ) );
1333  named_curve_ext->data.len
1334  = htons ( sizeof ( named_curve_ext->data.code ) );
1335  i = 0 ; for_each_table_entry ( curve, TLS_NAMED_CURVES )
1336  named_curve_ext->data.code[i++] = curve->code;
1337  }
1338 
1339  return action ( tls, &hello, sizeof ( hello ) );
1340 }
1341 
1342 /**
1343  * Transmit Client Hello record
1344  *
1345  * @v tls TLS connection
1346  * @ret rc Return status code
1347  */
1348 static int tls_send_client_hello ( struct tls_connection *tls ) {
1349 
1350  return tls_client_hello ( tls, tls_send_handshake );
1351 }
1352 
1353 /**
1354  * Transmit Certificate record
1355  *
1356  * @v tls TLS connection
1357  * @ret rc Return status code
1358  */
1359 static int tls_send_certificate ( struct tls_connection *tls ) {
1360  struct {
1361  tls24_t length;
1362  uint8_t data[0];
1363  } __attribute__ (( packed )) *certificate;
1364  struct {
1365  uint32_t type_length;
1366  tls24_t length;
1367  typeof ( *certificate ) certificates[0];
1368  } __attribute__ (( packed )) *certificates;
1369  struct x509_link *link;
1370  struct x509_certificate *cert;
1371  struct io_buffer *iobuf;
1372  size_t len;
1373 
1374  /* Calculate length of client certificates */
1375  len = 0;
1376  list_for_each_entry ( link, &tls->client.chain->links, list ) {
1377  cert = link->cert;
1378  len += ( sizeof ( *certificate ) + cert->raw.len );
1379  DBGC ( tls, "TLS %p sending client certificate %s\n",
1380  tls, x509_name ( cert ) );
1381  }
1382 
1383  /* Allocate storage for Certificate record (which may be too
1384  * large for the stack).
1385  */
1386  iobuf = tls_alloc_iob ( tls, ( sizeof ( *certificates ) + len ) );
1387  if ( ! iobuf )
1388  return -ENOMEM_CERTIFICATE;
1389 
1390  /* Populate record */
1391  certificates = iob_put ( iobuf, sizeof ( *certificates ) );
1392  certificates->type_length =
1393  ( cpu_to_le32 ( TLS_CERTIFICATE ) |
1394  htonl ( sizeof ( *certificates ) + len -
1395  sizeof ( certificates->type_length ) ) );
1396  tls_set_uint24 ( &certificates->length, len );
1397  list_for_each_entry ( link, &tls->client.chain->links, list ) {
1398  cert = link->cert;
1399  certificate = iob_put ( iobuf, sizeof ( *certificate ) );
1400  tls_set_uint24 ( &certificate->length, cert->raw.len );
1401  memcpy ( iob_put ( iobuf, cert->raw.len ), cert->raw.data,
1402  cert->raw.len );
1403  }
1404 
1405  /* Transmit record */
1406  return tls_send_record ( tls, TLS_TYPE_HANDSHAKE,
1407  iob_disown ( iobuf ) );
1408 }
1409 
1410 /**
1411  * Transmit Client Key Exchange record using public key exchange
1412  *
1413  * @v tls TLS connection
1414  * @ret rc Return status code
1415  */
1416 static int tls_send_client_key_exchange_pubkey ( struct tls_connection *tls ) {
1417  struct tls_cipherspec *cipherspec = &tls->tx.cipherspec.pending;
1418  struct pubkey_algorithm *pubkey = cipherspec->suite->pubkey;
1419  struct {
1420  uint16_t version;
1421  uint8_t random[46];
1422  } __attribute__ (( packed )) pre_master_secret;
1423  struct asn1_cursor cursor = {
1424  .data = &pre_master_secret,
1425  .len = sizeof ( pre_master_secret ),
1426  };
1427  struct asn1_builder builder = { NULL, 0 };
1428  int rc;
1429 
1430  /* Generate pre-master secret */
1431  pre_master_secret.version = htons ( TLS_VERSION_MAX );
1432  if ( ( rc = tls_generate_random ( tls, &pre_master_secret.random,
1433  ( sizeof ( pre_master_secret.random ) ) ) ) != 0 ) {
1434  goto err_random;
1435  }
1436 
1437  /* Encrypt pre-master secret using server's public key */
1438  if ( ( rc = pubkey_encrypt ( pubkey, &tls->server.key, &cursor,
1439  &builder ) ) != 0 ) {
1440  DBGC ( tls, "TLS %p could not encrypt pre-master secret: %s\n",
1441  tls, strerror ( rc ) );
1442  goto err_encrypt;
1443  }
1444 
1445  /* Construct Client Key Exchange record */
1446  {
1447  struct {
1448  uint32_t type_length;
1449  uint16_t encrypted_pre_master_secret_len;
1450  } __attribute__ (( packed )) header;
1451 
1452  header.type_length =
1453  ( cpu_to_le32 ( TLS_CLIENT_KEY_EXCHANGE ) |
1454  htonl ( builder.len + sizeof ( header ) -
1455  sizeof ( header.type_length ) ) );
1456  header.encrypted_pre_master_secret_len = htons ( builder.len );
1457 
1458  if ( ( rc = asn1_prepend_raw ( &builder, &header,
1459  sizeof ( header ) ) ) != 0 ) {
1460  DBGC ( tls, "TLS %p could not construct Client Key "
1461  "Exchange: %s\n", tls, strerror ( rc ) );
1462  goto err_prepend;
1463  }
1464  }
1465 
1466  /* Transmit Client Key Exchange record */
1467  if ( ( rc = tls_send_handshake ( tls, builder.data,
1468  builder.len ) ) != 0 ) {
1469  goto err_send;
1470  }
1471 
1472  /* Generate master secret */
1473  tls_generate_master_secret ( tls, &pre_master_secret,
1474  sizeof ( pre_master_secret ) );
1475 
1476  err_random:
1477  err_encrypt:
1478  err_prepend:
1479  err_send:
1480  free ( builder.data );
1481  return rc;
1482 }
1483 
1484 /** Public key exchange algorithm */
1485 struct tls_key_exchange_algorithm tls_pubkey_exchange_algorithm = {
1486  .name = "pubkey",
1487  .exchange = tls_send_client_key_exchange_pubkey,
1488 };
1489 
1490 /**
1491  * Verify Diffie-Hellman parameter signature
1492  *
1493  * @v tls TLS connection
1494  * @v param_len Diffie-Hellman parameter length
1495  * @ret rc Return status code
1496  */
1497 static int tls_verify_dh_params ( struct tls_connection *tls,
1498  size_t param_len ) {
1499  struct tls_cipherspec *cipherspec = &tls->tx.cipherspec.pending;
1500  struct pubkey_algorithm *pubkey;
1501  struct digest_algorithm *digest;
1502  int use_sig_hash = tls_version ( tls, TLS_VERSION_TLS_1_2 );
1503  const struct {
1504  struct tls_signature_hash_id sig_hash[use_sig_hash];
1505  uint16_t signature_len;
1506  uint8_t signature[0];
1507  } __attribute__ (( packed )) *sig;
1508  struct asn1_cursor signature;
1509  const void *data;
1510  size_t remaining;
1511  int rc;
1512 
1513  /* Signature follows parameters */
1514  assert ( param_len <= tls->server.exchange_len );
1515  data = ( tls->server.exchange + param_len );
1516  remaining = ( tls->server.exchange_len - param_len );
1517 
1518  /* Parse signature from ServerKeyExchange */
1519  sig = data;
1520  if ( ( sizeof ( *sig ) > remaining ) ||
1521  ( ntohs ( sig->signature_len ) > ( remaining -
1522  sizeof ( *sig ) ) ) ) {
1523  DBGC ( tls, "TLS %p received underlength ServerKeyExchange\n",
1524  tls );
1525  DBGC_HDA ( tls, 0, tls->server.exchange,
1526  tls->server.exchange_len );
1527  return -EINVAL_KEY_EXCHANGE;
1528  }
1529  signature.data = sig->signature;
1530  signature.len = ntohs ( sig->signature_len );
1531 
1532  /* Identify signature and hash algorithm */
1533  if ( use_sig_hash ) {
1534  pubkey = tls_signature_hash_pubkey ( sig->sig_hash[0] );
1535  digest = tls_signature_hash_digest ( sig->sig_hash[0] );
1536  if ( ( ! pubkey ) || ( ! digest ) ) {
1537  DBGC ( tls, "TLS %p ServerKeyExchange unsupported "
1538  "signature and hash algorithm\n", tls );
1539  return -ENOTSUP_SIG_HASH;
1540  }
1541  if ( pubkey != cipherspec->suite->pubkey ) {
1542  DBGC ( tls, "TLS %p ServerKeyExchange incorrect "
1543  "signature algorithm %s (expected %s)\n", tls,
1544  pubkey->name, cipherspec->suite->pubkey->name );
1545  return -EPERM_KEY_EXCHANGE;
1546  }
1547  } else {
1548  pubkey = cipherspec->suite->pubkey;
1549  digest = &md5_sha1_algorithm;
1550  }
1551 
1552  /* Verify signature */
1553  {
1554  uint8_t ctx[digest->ctxsize];
1555  uint8_t hash[digest->digestsize];
1556 
1557  /* Calculate digest */
1558  digest_init ( digest, ctx );
1559  digest_update ( digest, ctx, &tls->client.random,
1560  sizeof ( tls->client.random ) );
1561  digest_update ( digest, ctx, tls->server.random,
1562  sizeof ( tls->server.random ) );
1563  digest_update ( digest, ctx, tls->server.exchange, param_len );
1564  digest_final ( digest, ctx, hash );
1565 
1566  /* Verify signature */
1567  if ( ( rc = pubkey_verify ( pubkey, &tls->server.key, digest,
1568  hash, &signature ) ) != 0 ) {
1569  DBGC ( tls, "TLS %p ServerKeyExchange failed "
1570  "verification\n", tls );
1571  DBGC_HDA ( tls, 0, tls->server.exchange,
1572  tls->server.exchange_len );
1573  return -EPERM_KEY_EXCHANGE;
1574  }
1575  }
1576 
1577  return 0;
1578 }
1579 
1580 /**
1581  * Transmit Client Key Exchange record using DHE key exchange
1582  *
1583  * @v tls TLS connection
1584  * @ret rc Return status code
1585  */
1586 static int tls_send_client_key_exchange_dhe ( struct tls_connection *tls ) {
1587  uint8_t private[ sizeof ( tls->client.random.random ) ];
1588  const struct {
1589  uint16_t len;
1590  uint8_t data[0];
1591  } __attribute__ (( packed )) *dh_val[3];
1592  const void *data;
1593  size_t remaining;
1594  size_t frag_len;
1595  size_t param_len;
1596  unsigned int i;
1597  int rc;
1598 
1599  /* Parse ServerKeyExchange */
1600  data = tls->server.exchange;
1601  remaining = tls->server.exchange_len;
1602  for ( i = 0 ; i < ( sizeof ( dh_val ) / sizeof ( dh_val[0] ) ) ; i++ ){
1603  dh_val[i] = data;
1604  if ( ( sizeof ( *dh_val[i] ) > remaining ) ||
1605  ( ntohs ( dh_val[i]->len ) > ( remaining -
1606  sizeof ( *dh_val[i] ) ) )){
1607  DBGC ( tls, "TLS %p received underlength "
1608  "ServerKeyExchange\n", tls );
1609  DBGC_HDA ( tls, 0, tls->server.exchange,
1610  tls->server.exchange_len );
1611  rc = -EINVAL_KEY_EXCHANGE;
1612  goto err_header;
1613  }
1614  frag_len = ( sizeof ( *dh_val[i] ) + ntohs ( dh_val[i]->len ));
1615  data += frag_len;
1616  remaining -= frag_len;
1617  }
1618  param_len = ( tls->server.exchange_len - remaining );
1619 
1620  /* Verify parameter signature */
1621  if ( ( rc = tls_verify_dh_params ( tls, param_len ) ) != 0 )
1622  goto err_verify;
1623 
1624  /* Generate Diffie-Hellman private key */
1625  if ( ( rc = tls_generate_random ( tls, private,
1626  sizeof ( private ) ) ) != 0 ) {
1627  goto err_random;
1628  }
1629 
1630  /* Construct pre-master secret and ClientKeyExchange record */
1631  {
1632  typeof ( dh_val[0] ) dh_p = dh_val[0];
1633  typeof ( dh_val[1] ) dh_g = dh_val[1];
1634  typeof ( dh_val[2] ) dh_ys = dh_val[2];
1635  size_t len = ntohs ( dh_p->len );
1636  struct {
1637  uint32_t type_length;
1638  uint16_t dh_xs_len;
1639  uint8_t dh_xs[len];
1640  } __attribute__ (( packed )) *key_xchg;
1641  struct {
1642  uint8_t pre_master_secret[len];
1643  typeof ( *key_xchg ) key_xchg;
1644  } *dynamic;
1645  uint8_t *pre_master_secret;
1646 
1647  /* Allocate space */
1648  dynamic = malloc ( sizeof ( *dynamic ) );
1649  if ( ! dynamic ) {
1650  rc = -ENOMEM;
1651  goto err_alloc;
1652  }
1653  pre_master_secret = dynamic->pre_master_secret;
1654  key_xchg = &dynamic->key_xchg;
1655  key_xchg->type_length =
1656  ( cpu_to_le32 ( TLS_CLIENT_KEY_EXCHANGE ) |
1657  htonl ( sizeof ( *key_xchg ) -
1658  sizeof ( key_xchg->type_length ) ) );
1659  key_xchg->dh_xs_len = htons ( len );
1660 
1661  /* Calculate pre-master secret and client public value */
1662  if ( ( rc = dhe_key ( dh_p->data, len,
1663  dh_g->data, ntohs ( dh_g->len ),
1664  dh_ys->data, ntohs ( dh_ys->len ),
1665  private, sizeof ( private ),
1666  key_xchg->dh_xs,
1667  pre_master_secret ) ) != 0 ) {
1668  DBGC ( tls, "TLS %p could not calculate DHE key: %s\n",
1669  tls, strerror ( rc ) );
1670  goto err_dhe_key;
1671  }
1672 
1673  /* Strip leading zeroes from pre-master secret */
1674  while ( len && ( ! *pre_master_secret ) ) {
1675  pre_master_secret++;
1676  len--;
1677  }
1678 
1679  /* Transmit Client Key Exchange record */
1680  if ( ( rc = tls_send_handshake ( tls, key_xchg,
1681  sizeof ( *key_xchg ) ) ) !=0){
1682  goto err_send_handshake;
1683  }
1684 
1685  /* Generate master secret */
1686  tls_generate_master_secret ( tls, pre_master_secret, len );
1687 
1688  err_send_handshake:
1689  err_dhe_key:
1690  free ( dynamic );
1691  }
1692  err_alloc:
1693  err_random:
1694  err_verify:
1695  err_header:
1696  return rc;
1697 }
1698 
1699 /** Ephemeral Diffie-Hellman key exchange algorithm */
1700 struct tls_key_exchange_algorithm tls_dhe_exchange_algorithm = {
1701  .name = "dhe",
1702  .exchange = tls_send_client_key_exchange_dhe,
1703 };
1704 
1705 /**
1706  * Transmit Client Key Exchange record using ECDHE key exchange
1707  *
1708  * @v tls TLS connection
1709  * @ret rc Return status code
1710  */
1711 static int tls_send_client_key_exchange_ecdhe ( struct tls_connection *tls ) {
1712  struct tls_named_curve *curve;
1713  const struct {
1714  uint8_t curve_type;
1715  uint16_t named_curve;
1716  uint8_t public_len;
1717  uint8_t public[0];
1718  } __attribute__ (( packed )) *ecdh;
1719  size_t param_len;
1720  size_t pointsize;
1721  size_t keysize;
1722  size_t offset;
1723  int rc;
1724 
1725  /* Parse ServerKeyExchange record */
1726  ecdh = tls->server.exchange;
1727  if ( ( sizeof ( *ecdh ) > tls->server.exchange_len ) ||
1728  ( ecdh->public_len > ( tls->server.exchange_len -
1729  sizeof ( *ecdh ) ) ) ) {
1730  DBGC ( tls, "TLS %p received underlength ServerKeyExchange\n",
1731  tls );
1732  DBGC_HDA ( tls, 0, tls->server.exchange,
1733  tls->server.exchange_len );
1734  return -EINVAL_KEY_EXCHANGE;
1735  }
1736  param_len = ( sizeof ( *ecdh ) + ecdh->public_len );
1737 
1738  /* Verify parameter signature */
1739  if ( ( rc = tls_verify_dh_params ( tls, param_len ) ) != 0 )
1740  return rc;
1741 
1742  /* Identify named curve */
1743  if ( ecdh->curve_type != TLS_NAMED_CURVE_TYPE ) {
1744  DBGC ( tls, "TLS %p unsupported curve type %d\n",
1745  tls, ecdh->curve_type );
1746  DBGC_HDA ( tls, 0, tls->server.exchange,
1747  tls->server.exchange_len );
1748  return -ENOTSUP_CURVE;
1749  }
1750  curve = tls_find_named_curve ( ecdh->named_curve );
1751  if ( ! curve ) {
1752  DBGC ( tls, "TLS %p unsupported named curve %d\n",
1753  tls, ntohs ( ecdh->named_curve ) );
1754  DBGC_HDA ( tls, 0, tls->server.exchange,
1755  tls->server.exchange_len );
1756  return -ENOTSUP_CURVE;
1757  }
1758  DBGC ( tls, "TLS %p using named curve %s\n", tls, curve->curve->name );
1759  pointsize = curve->curve->pointsize;
1760  keysize = curve->curve->keysize;
1761  offset = ( curve->format ? 1 : 0 );
1762 
1763  /* Check key length */
1764  if ( ecdh->public_len != ( offset + pointsize ) ) {
1765  DBGC ( tls, "TLS %p invalid %s key\n",
1766  tls, curve->curve->name );
1767  DBGC_HDA ( tls, 0, tls->server.exchange,
1768  tls->server.exchange_len );
1769  return -EINVAL_KEY_EXCHANGE;
1770  }
1771 
1772  /* Check curve point format byte (if present) */
1773  if ( curve->format && ( ecdh->public[0] != curve->format ) ) {
1774  DBGC ( tls, "TLS %p invalid %s curve point format\n",
1775  tls, curve->curve->name );
1776  DBGC_HDA ( tls, 0, tls->server.exchange,
1777  tls->server.exchange_len );
1778  return -EINVAL_KEY_EXCHANGE;
1779  }
1780 
1781  /* Construct pre-master secret and ClientKeyExchange record */
1782  {
1783  uint8_t private[keysize];
1784  uint8_t pre_master_secret[pointsize];
1785  struct {
1786  uint32_t type_length;
1787  uint8_t public_len;
1788  uint8_t public[ecdh->public_len];
1789  } __attribute__ (( packed )) key_xchg;
1790 
1791  /* Generate ephemeral private key */
1792  if ( ( rc = tls_generate_random ( tls, private,
1793  sizeof ( private ) ) ) != 0){
1794  return rc;
1795  }
1796 
1797  /* Exchange keys */
1798  if ( ( rc = ecdhe_key ( curve->curve, ( ecdh->public + offset ),
1799  private, ( key_xchg.public + offset ),
1800  pre_master_secret ) ) != 0 ) {
1801  DBGC ( tls, "TLS %p could not exchange ECDHE key: %s\n",
1802  tls, strerror ( rc ) );
1803  return rc;
1804  }
1805 
1806  /* Generate Client Key Exchange record */
1807  key_xchg.type_length =
1808  ( cpu_to_le32 ( TLS_CLIENT_KEY_EXCHANGE ) |
1809  htonl ( sizeof ( key_xchg ) -
1810  sizeof ( key_xchg.type_length ) ) );
1811  key_xchg.public_len = sizeof ( key_xchg.public );
1812  if ( curve->format )
1813  key_xchg.public[0] = curve->format;
1814 
1815  /* Transmit Client Key Exchange record */
1816  if ( ( rc = tls_send_handshake ( tls, &key_xchg,
1817  sizeof ( key_xchg ) ) ) !=0){
1818  return rc;
1819  }
1820 
1821  /* Generate master secret */
1822  tls_generate_master_secret ( tls, pre_master_secret,
1823  curve->pre_master_secret_len );
1824  }
1825 
1826  return 0;
1827 }
1828 
1829 /** Ephemeral Elliptic Curve Diffie-Hellman key exchange algorithm */
1830 struct tls_key_exchange_algorithm tls_ecdhe_exchange_algorithm = {
1831  .name = "ecdhe",
1832  .exchange = tls_send_client_key_exchange_ecdhe,
1833 };
1834 
1835 /**
1836  * Transmit Client Key Exchange record
1837  *
1838  * @v tls TLS connection
1839  * @ret rc Return status code
1840  */
1841 static int tls_send_client_key_exchange ( struct tls_connection *tls ) {
1842  struct tls_cipherspec *cipherspec = &tls->tx.cipherspec.pending;
1843  struct tls_cipher_suite *suite = cipherspec->suite;
1844  int rc;
1845 
1846  /* Transmit Client Key Exchange record via key exchange algorithm */
1847  if ( ( rc = suite->exchange->exchange ( tls ) ) != 0 ) {
1848  DBGC ( tls, "TLS %p could not exchange keys: %s\n",
1849  tls, strerror ( rc ) );
1850  return rc;
1851  }
1852 
1853  /* Generate keys from master secret */
1854  if ( ( rc = tls_generate_keys ( tls ) ) != 0 ) {
1855  DBGC ( tls, "TLS %p could not generate keys: %s\n",
1856  tls, strerror ( rc ) );
1857  return rc;
1858  }
1859 
1860  return 0;
1861 }
1862 
1863 /**
1864  * Transmit Certificate Verify record
1865  *
1866  * @v tls TLS connection
1867  * @ret rc Return status code
1868  */
1869 static int tls_send_certificate_verify ( struct tls_connection *tls ) {
1870  struct digest_algorithm *digest = tls->handshake_digest;
1871  struct x509_certificate *cert = x509_first ( tls->client.chain );
1872  struct pubkey_algorithm *pubkey = cert->signature_algorithm->pubkey;
1873  struct asn1_cursor *key = privkey_cursor ( tls->client.key );
1874  uint8_t digest_out[ digest->digestsize ];
1875  struct tls_signature_hash_algorithm *sig_hash = NULL;
1876  struct asn1_builder builder = { NULL, 0 };
1877  int rc;
1878 
1879  /* Generate digest to be signed */
1880  tls_verify_handshake ( tls, digest_out );
1881 
1882  /* TLSv1.2 and later use explicit algorithm identifiers */
1883  if ( tls_version ( tls, TLS_VERSION_TLS_1_2 ) ) {
1884  sig_hash = tls_signature_hash_algorithm ( pubkey, digest );
1885  if ( ! sig_hash ) {
1886  DBGC ( tls, "TLS %p could not identify (%s,%s) "
1887  "signature and hash algorithm\n", tls,
1888  pubkey->name, digest->name );
1889  rc = -ENOTSUP_SIG_HASH;
1890  goto err_sig_hash;
1891  }
1892  }
1893 
1894  /* Sign digest */
1895  if ( ( rc = pubkey_sign ( pubkey, key, digest, digest_out,
1896  &builder ) ) != 0 ) {
1897  DBGC ( tls, "TLS %p could not sign %s digest using %s client "
1898  "private key: %s\n", tls, digest->name, pubkey->name,
1899  strerror ( rc ) );
1900  goto err_pubkey_sign;
1901  }
1902 
1903  /* Construct Certificate Verify record */
1904  {
1905  int use_sig_hash = ( ( sig_hash == NULL ) ? 0 : 1 );
1906  struct {
1907  uint32_t type_length;
1908  struct tls_signature_hash_id sig_hash[use_sig_hash];
1909  uint16_t signature_len;
1910  } __attribute__ (( packed )) header;
1911 
1912  header.type_length = ( cpu_to_le32 ( TLS_CERTIFICATE_VERIFY ) |
1913  htonl ( builder.len +
1914  sizeof ( header ) -
1915  sizeof ( header.type_length )));
1916  if ( use_sig_hash ) {
1917  memcpy ( &header.sig_hash[0], &sig_hash->code,
1918  sizeof ( header.sig_hash[0] ) );
1919  }
1920  header.signature_len = htons ( builder.len );
1921 
1922  if ( ( rc = asn1_prepend_raw ( &builder, &header,
1923  sizeof ( header ) ) ) != 0 ) {
1924  DBGC ( tls, "TLS %p could not construct Certificate "
1925  "Verify: %s\n", tls, strerror ( rc ) );
1926  goto err_prepend;
1927  }
1928  }
1929 
1930  /* Transmit record */
1931  if ( ( rc = tls_send_handshake ( tls, builder.data,
1932  builder.len ) ) != 0 ) {
1933  goto err_send;
1934  }
1935 
1936  err_send:
1937  err_prepend:
1938  err_pubkey_sign:
1939  err_sig_hash:
1940  free ( builder.data );
1941  return rc;
1942 }
1943 
1944 /**
1945  * Transmit Change Cipher record
1946  *
1947  * @v tls TLS connection
1948  * @ret rc Return status code
1949  */
1950 static int tls_send_change_cipher ( struct tls_connection *tls ) {
1951  static const struct {
1952  uint8_t spec;
1953  } __attribute__ (( packed )) change_cipher = {
1954  .spec = TLS_CHANGE_CIPHER_SPEC,
1955  };
1956 
1957  return tls_send_plaintext ( tls, TLS_TYPE_CHANGE_CIPHER,
1958  &change_cipher, sizeof ( change_cipher ) );
1959 }
1960 
1961 /**
1962  * Transmit Finished record
1963  *
1964  * @v tls TLS connection
1965  * @ret rc Return status code
1966  */
1967 static int tls_send_finished ( struct tls_connection *tls ) {
1968  struct digest_algorithm *digest = tls->handshake_digest;
1969  struct {
1970  uint32_t type_length;
1971  uint8_t verify_data[ sizeof ( tls->verify.client ) ];
1972  } __attribute__ (( packed )) finished;
1973  uint8_t digest_out[ digest->digestsize ];
1974  int rc;
1975 
1976  /* Construct client verification data */
1977  tls_verify_handshake ( tls, digest_out );
1978  tls_prf_label ( tls, &tls->master_secret, sizeof ( tls->master_secret ),
1979  tls->verify.client, sizeof ( tls->verify.client ),
1980  "client finished", digest_out, sizeof ( digest_out ) );
1981 
1982  /* Construct record */
1983  memset ( &finished, 0, sizeof ( finished ) );
1984  finished.type_length = ( cpu_to_le32 ( TLS_FINISHED ) |
1985  htonl ( sizeof ( finished ) -
1986  sizeof ( finished.type_length ) ) );
1987  memcpy ( finished.verify_data, tls->verify.client,
1988  sizeof ( finished.verify_data ) );
1989 
1990  /* Transmit record */
1991  if ( ( rc = tls_send_handshake ( tls, &finished,
1992  sizeof ( finished ) ) ) != 0 )
1993  return rc;
1994 
1995  /* Mark client as finished */
1996  pending_put ( &tls->client.negotiation );
1997 
1998  return 0;
1999 }
2000 
2001 /**
2002  * Receive new Change Cipher record
2003  *
2004  * @v tls TLS connection
2005  * @v iobuf I/O buffer
2006  * @ret rc Return status code
2007  */
2008 static int tls_new_change_cipher ( struct tls_connection *tls,
2009  struct io_buffer *iobuf ) {
2010  const struct {
2011  uint8_t spec;
2012  } __attribute__ (( packed )) *change_cipher = iobuf->data;
2013  size_t len = iob_len ( iobuf );
2014  int rc;
2015 
2016  /* Sanity check */
2017  if ( ( sizeof ( *change_cipher ) != len ) ||
2018  ( change_cipher->spec != TLS_CHANGE_CIPHER_SPEC ) ) {
2019  DBGC ( tls, "TLS %p received invalid Change Cipher\n", tls );
2020  DBGC_HD ( tls, change_cipher, len );
2021  return -EINVAL_CHANGE_CIPHER;
2022  }
2023  iob_pull ( iobuf, sizeof ( *change_cipher ) );
2024 
2025  /* Change receive cipher spec */
2026  if ( ( rc = tls_change_cipher ( tls, &tls->rx.cipherspec ) ) != 0 ) {
2027  DBGC ( tls, "TLS %p could not activate RX cipher: %s\n",
2028  tls, strerror ( rc ) );
2029  return rc;
2030  }
2031  tls->rx.seq = ~( ( uint64_t ) 0 );
2032 
2033  return 0;
2034 }
2035 
2036 /**
2037  * Receive new Alert record
2038  *
2039  * @v tls TLS connection
2040  * @v iobuf I/O buffer
2041  * @ret rc Return status code
2042  */
2043 static int tls_new_alert ( struct tls_connection *tls,
2044  struct io_buffer *iobuf ) {
2045  const struct {
2046  uint8_t level;
2047  uint8_t description;
2048  char next[0];
2049  } __attribute__ (( packed )) *alert = iobuf->data;
2050  size_t len = iob_len ( iobuf );
2051 
2052  /* Sanity check */
2053  if ( sizeof ( *alert ) != len ) {
2054  DBGC ( tls, "TLS %p received overlength Alert\n", tls );
2055  DBGC_HD ( tls, alert, len );
2056  return -EINVAL_ALERT;
2057  }
2058  iob_pull ( iobuf, sizeof ( *alert ) );
2059 
2060  /* Handle alert */
2061  switch ( alert->level ) {
2062  case TLS_ALERT_WARNING:
2063  DBGC ( tls, "TLS %p received warning alert %d\n",
2064  tls, alert->description );
2065  return 0;
2066  case TLS_ALERT_FATAL:
2067  DBGC ( tls, "TLS %p received fatal alert %d\n",
2068  tls, alert->description );
2069  return -EPERM_ALERT;
2070  default:
2071  DBGC ( tls, "TLS %p received unknown alert level %d"
2072  "(alert %d)\n", tls, alert->level, alert->description );
2073  return -EIO_ALERT;
2074  }
2075 }
2076 
2077 /**
2078  * Receive new Hello Request handshake record
2079  *
2080  * @v tls TLS connection
2081  * @v data Plaintext handshake record
2082  * @v len Length of plaintext handshake record
2083  * @ret rc Return status code
2084  */
2085 static int tls_new_hello_request ( struct tls_connection *tls,
2086  const void *data __unused,
2087  size_t len __unused ) {
2088 
2089  /* Ignore if a handshake is in progress */
2090  if ( ! tls_ready ( tls ) ) {
2091  DBGC ( tls, "TLS %p ignoring Hello Request\n", tls );
2092  return 0;
2093  }
2094 
2095  /* Fail unless server supports secure renegotiation */
2096  if ( ! ( tls->secure_renegotiation && tls->extended_master_secret ) ) {
2097  DBGC ( tls, "TLS %p refusing to renegotiate insecurely\n",
2098  tls );
2099  return -EPERM_RENEG_INSECURE;
2100  }
2101 
2102  /* Restart negotiation */
2103  tls_restart ( tls );
2104 
2105  return 0;
2106 }
2107 
2108 /**
2109  * Receive new Server Hello handshake record
2110  *
2111  * @v tls TLS connection
2112  * @v data Plaintext handshake record
2113  * @v len Length of plaintext handshake record
2114  * @ret rc Return status code
2115  */
2116 static int tls_new_server_hello ( struct tls_connection *tls,
2117  const void *data, size_t len ) {
2118  const struct {
2119  uint16_t version;
2120  uint8_t random[32];
2121  uint8_t session_id_len;
2122  uint8_t session_id[0];
2123  } __attribute__ (( packed )) *hello_a = data;
2124  const uint8_t *session_id;
2125  const struct {
2126  uint16_t cipher_suite;
2127  uint8_t compression_method;
2128  char next[0];
2129  } __attribute__ (( packed )) *hello_b;
2130  const struct {
2131  uint16_t len;
2132  uint8_t data[0];
2133  } __attribute__ (( packed )) *exts;
2134  const struct {
2135  uint16_t type;
2136  uint16_t len;
2137  uint8_t data[0];
2138  } __attribute__ (( packed )) *ext;
2139  const struct {
2140  uint8_t len;
2141  uint8_t data[0];
2142  } __attribute__ (( packed )) *reneg = NULL;
2143  const struct {
2144  uint8_t data[0];
2145  } __attribute__ (( packed )) *ems = NULL;
2146  uint16_t version;
2147  size_t exts_len;
2148  size_t ext_len;
2149  size_t remaining;
2150  int rc;
2151 
2152  /* Parse header */
2153  if ( ( sizeof ( *hello_a ) > len ) ||
2154  ( hello_a->session_id_len > ( len - sizeof ( *hello_a ) ) ) ||
2155  ( sizeof ( *hello_b ) > ( len - sizeof ( *hello_a ) -
2156  hello_a->session_id_len ) ) ) {
2157  DBGC ( tls, "TLS %p received underlength Server Hello\n", tls );
2158  DBGC_HD ( tls, data, len );
2159  return -EINVAL_HELLO;
2160  }
2161  session_id = hello_a->session_id;
2162  hello_b = ( ( void * ) ( session_id + hello_a->session_id_len ) );
2163 
2164  /* Parse extensions, if present */
2165  remaining = ( len - sizeof ( *hello_a ) - hello_a->session_id_len -
2166  sizeof ( *hello_b ) );
2167  if ( remaining ) {
2168 
2169  /* Parse extensions length */
2170  exts = ( ( void * ) hello_b->next );
2171  if ( ( sizeof ( *exts ) > remaining ) ||
2172  ( ( exts_len = ntohs ( exts->len ) ) >
2173  ( remaining - sizeof ( *exts ) ) ) ) {
2174  DBGC ( tls, "TLS %p received underlength extensions\n",
2175  tls );
2176  DBGC_HD ( tls, data, len );
2177  return -EINVAL_HELLO;
2178  }
2179 
2180  /* Parse extensions */
2181  for ( ext = ( ( void * ) exts->data ), remaining = exts_len ;
2182  remaining ;
2183  ext = ( ( ( void * ) ext ) + sizeof ( *ext ) + ext_len ),
2184  remaining -= ( sizeof ( *ext ) + ext_len ) ) {
2185 
2186  /* Parse extension length */
2187  if ( ( sizeof ( *ext ) > remaining ) ||
2188  ( ( ext_len = ntohs ( ext->len ) ) >
2189  ( remaining - sizeof ( *ext ) ) ) ) {
2190  DBGC ( tls, "TLS %p received underlength "
2191  "extension\n", tls );
2192  DBGC_HD ( tls, data, len );
2193  return -EINVAL_HELLO;
2194  }
2195 
2196  /* Record known extensions */
2197  switch ( ext->type ) {
2198  case htons ( TLS_RENEGOTIATION_INFO ) :
2199  reneg = ( ( void * ) ext->data );
2200  if ( ( sizeof ( *reneg ) > ext_len ) ||
2201  ( reneg->len >
2202  ( ext_len - sizeof ( *reneg ) ) ) ) {
2203  DBGC ( tls, "TLS %p received "
2204  "underlength renegotiation "
2205  "info\n", tls );
2206  DBGC_HD ( tls, data, len );
2207  return -EINVAL_HELLO;
2208  }
2209  break;
2210  case htons ( TLS_EXTENDED_MASTER_SECRET ) :
2211  ems = ( ( void * ) ext->data );
2212  break;
2213  }
2214  }
2215  }
2216 
2217  /* Check and store protocol version */
2218  version = ntohs ( hello_a->version );
2219  if ( version < TLS_VERSION_MIN ) {
2220  DBGC ( tls, "TLS %p does not support protocol version %d.%d\n",
2221  tls, ( version >> 8 ), ( version & 0xff ) );
2222  return -ENOTSUP_VERSION;
2223  }
2224  if ( version > tls->version ) {
2225  DBGC ( tls, "TLS %p server attempted to illegally upgrade to "
2226  "protocol version %d.%d\n",
2227  tls, ( version >> 8 ), ( version & 0xff ) );
2228  return -EPROTO_VERSION;
2229  }
2230  tls->version = version;
2231  DBGC ( tls, "TLS %p using protocol version %d.%d\n",
2232  tls, ( version >> 8 ), ( version & 0xff ) );
2233 
2234  /* Select cipher suite */
2235  if ( ( rc = tls_select_cipher ( tls, hello_b->cipher_suite ) ) != 0 )
2236  return rc;
2237 
2238  /* Add preceding Client Hello to handshake digest */
2239  if ( ( rc = tls_client_hello ( tls, tls_add_handshake ) ) != 0 )
2240  return rc;
2241 
2242  /* Copy out server random bytes */
2243  memcpy ( &tls->server.random, &hello_a->random,
2244  sizeof ( tls->server.random ) );
2245 
2246  /* Handle extended master secret */
2247  tls->extended_master_secret = ( !! ems );
2248 
2249  /* Check session ID */
2250  if ( hello_a->session_id_len &&
2251  ( hello_a->session_id_len == tls->session_id_len ) &&
2252  ( memcmp ( session_id, tls->session_id,
2253  tls->session_id_len ) == 0 ) ) {
2254 
2255  /* Session ID match: reuse master secret */
2256  DBGC ( tls, "TLS %p resuming session ID:\n", tls );
2257  DBGC_HDA ( tls, 0, tls->session_id, tls->session_id_len );
2258  if ( ( rc = tls_generate_keys ( tls ) ) != 0 )
2259  return rc;
2260 
2261  /* Ensure master secret generation method matches */
2262  if ( tls->extended_master_secret !=
2263  tls->session->extended_master_secret ) {
2264  DBGC ( tls, "TLS %p mismatched extended master secret "
2265  "extension\n", tls );
2266  return -EPERM_EMS;
2267  }
2268 
2269  } else {
2270 
2271  /* Record new session ID, if present */
2272  if ( hello_a->session_id_len &&
2273  ( hello_a->session_id_len <= sizeof ( tls->session_id ))){
2274  tls->session_id_len = hello_a->session_id_len;
2275  memcpy ( tls->session_id, session_id,
2276  tls->session_id_len );
2277  DBGC ( tls, "TLS %p new session ID:\n", tls );
2278  DBGC_HDA ( tls, 0, tls->session_id,
2279  tls->session_id_len );
2280  }
2281  }
2282 
2283  /* Handle secure renegotiation */
2284  if ( tls->secure_renegotiation ) {
2285 
2286  /* Secure renegotiation is expected; verify data */
2287  if ( ( reneg == NULL ) ||
2288  ( reneg->len != sizeof ( tls->verify ) ) ||
2289  ( memcmp ( reneg->data, &tls->verify,
2290  sizeof ( tls->verify ) ) != 0 ) ) {
2291  DBGC ( tls, "TLS %p server failed secure "
2292  "renegotiation\n", tls );
2293  return -EPERM_RENEG_VERIFY;
2294  }
2295 
2296  } else if ( reneg != NULL ) {
2297 
2298  /* Secure renegotiation is being enabled */
2299  if ( reneg->len != 0 ) {
2300  DBGC ( tls, "TLS %p server provided non-empty initial "
2301  "renegotiation\n", tls );
2302  return -EPERM_RENEG_VERIFY;
2303  }
2304  tls->secure_renegotiation = 1;
2305  }
2306 
2307  return 0;
2308 }
2309 
2310 /**
2311  * Receive New Session Ticket handshake record
2312  *
2313  * @v tls TLS connection
2314  * @v data Plaintext handshake record
2315  * @v len Length of plaintext handshake record
2316  * @ret rc Return status code
2317  */
2318 static int tls_new_session_ticket ( struct tls_connection *tls,
2319  const void *data, size_t len ) {
2320  const struct {
2321  uint32_t lifetime;
2322  uint16_t len;
2323  uint8_t ticket[0];
2324  } __attribute__ (( packed )) *new_session_ticket = data;
2325  size_t ticket_len;
2326 
2327  /* Parse header */
2328  if ( sizeof ( *new_session_ticket ) > len ) {
2329  DBGC ( tls, "TLS %p received underlength New Session Ticket\n",
2330  tls );
2331  DBGC_HD ( tls, data, len );
2332  return -EINVAL_TICKET;
2333  }
2334  ticket_len = ntohs ( new_session_ticket->len );
2335  if ( ticket_len > ( len - sizeof ( *new_session_ticket ) ) ) {
2336  DBGC ( tls, "TLS %p received overlength New Session Ticket\n",
2337  tls );
2338  DBGC_HD ( tls, data, len );
2339  return -EINVAL_TICKET;
2340  }
2341 
2342  /* Free any unapplied new session ticket */
2343  free ( tls->new_session_ticket );
2344  tls->new_session_ticket = NULL;
2345  tls->new_session_ticket_len = 0;
2346 
2347  /* Record ticket */
2348  tls->new_session_ticket = malloc ( ticket_len );
2349  if ( ! tls->new_session_ticket )
2350  return -ENOMEM;
2351  memcpy ( tls->new_session_ticket, new_session_ticket->ticket,
2352  ticket_len );
2353  tls->new_session_ticket_len = ticket_len;
2354  DBGC ( tls, "TLS %p new session ticket:\n", tls );
2355  DBGC_HDA ( tls, 0, tls->new_session_ticket,
2356  tls->new_session_ticket_len );
2357 
2358  return 0;
2359 }
2360 
2361 /**
2362  * Parse certificate chain
2363  *
2364  * @v tls TLS connection
2365  * @v data Certificate chain
2366  * @v len Length of certificate chain
2367  * @ret rc Return status code
2368  */
2369 static int tls_parse_chain ( struct tls_connection *tls,
2370  const void *data, size_t len ) {
2371  size_t remaining = len;
2372  int rc;
2373 
2374  /* Free any existing certificate chain */
2375  memset ( &tls->server.key, 0, sizeof ( tls->server.key ) );
2376  x509_chain_put ( tls->server.chain );
2377  tls->server.chain = NULL;
2378 
2379  /* Create certificate chain */
2380  tls->server.chain = x509_alloc_chain();
2381  if ( ! tls->server.chain ) {
2382  rc = -ENOMEM_CHAIN;
2383  goto err_alloc_chain;
2384  }
2385 
2386  /* Add certificates to chain */
2387  while ( remaining ) {
2388  const struct {
2389  tls24_t length;
2390  uint8_t data[0];
2391  } __attribute__ (( packed )) *certificate = data;
2392  size_t certificate_len;
2393  size_t record_len;
2394  struct x509_certificate *cert;
2395 
2396  /* Parse header */
2397  if ( sizeof ( *certificate ) > remaining ) {
2398  DBGC ( tls, "TLS %p underlength certificate:\n", tls );
2399  DBGC_HDA ( tls, 0, data, remaining );
2400  rc = -EINVAL_CERTIFICATE;
2401  goto err_underlength;
2402  }
2403  certificate_len = tls_uint24 ( &certificate->length );
2404  if ( certificate_len > ( remaining - sizeof ( *certificate ) )){
2405  DBGC ( tls, "TLS %p overlength certificate:\n", tls );
2406  DBGC_HDA ( tls, 0, data, remaining );
2407  rc = -EINVAL_CERTIFICATE;
2408  goto err_overlength;
2409  }
2410  record_len = ( sizeof ( *certificate ) + certificate_len );
2411 
2412  /* Add certificate to chain */
2413  if ( ( rc = x509_append_raw ( tls->server.chain,
2414  certificate->data,
2415  certificate_len ) ) != 0 ) {
2416  DBGC ( tls, "TLS %p could not append certificate: %s\n",
2417  tls, strerror ( rc ) );
2418  DBGC_HDA ( tls, 0, data, remaining );
2419  goto err_parse;
2420  }
2421  cert = x509_last ( tls->server.chain );
2422  DBGC ( tls, "TLS %p found certificate %s\n",
2423  tls, x509_name ( cert ) );
2424 
2425  /* Move to next certificate in list */
2426  data += record_len;
2427  remaining -= record_len;
2428  }
2429 
2430  return 0;
2431 
2432  err_parse:
2433  err_overlength:
2434  err_underlength:
2435  memset ( &tls->server.key, 0, sizeof ( tls->server.key ) );
2436  x509_chain_put ( tls->server.chain );
2437  tls->server.chain = NULL;
2438  err_alloc_chain:
2439  return rc;
2440 }
2441 
2442 /**
2443  * Receive new Certificate handshake record
2444  *
2445  * @v tls TLS connection
2446  * @v data Plaintext handshake record
2447  * @v len Length of plaintext handshake record
2448  * @ret rc Return status code
2449  */
2450 static int tls_new_certificate ( struct tls_connection *tls,
2451  const void *data, size_t len ) {
2452  const struct {
2453  tls24_t length;
2454  uint8_t certificates[0];
2455  } __attribute__ (( packed )) *certificate = data;
2456  size_t certificates_len;
2457  int rc;
2458 
2459  /* Parse header */
2460  if ( sizeof ( *certificate ) > len ) {
2461  DBGC ( tls, "TLS %p received underlength Server Certificate\n",
2462  tls );
2463  DBGC_HD ( tls, data, len );
2464  return -EINVAL_CERTIFICATES;
2465  }
2466  certificates_len = tls_uint24 ( &certificate->length );
2467  if ( certificates_len > ( len - sizeof ( *certificate ) ) ) {
2468  DBGC ( tls, "TLS %p received overlength Server Certificate\n",
2469  tls );
2470  DBGC_HD ( tls, data, len );
2471  return -EINVAL_CERTIFICATES;
2472  }
2473 
2474  /* Parse certificate chain */
2475  if ( ( rc = tls_parse_chain ( tls, certificate->certificates,
2476  certificates_len ) ) != 0 )
2477  return rc;
2478 
2479  return 0;
2480 }
2481 
2482 /**
2483  * Receive new Server Key Exchange handshake record
2484  *
2485  * @v tls TLS connection
2486  * @v data Plaintext handshake record
2487  * @v len Length of plaintext handshake record
2488  * @ret rc Return status code
2489  */
2490 static int tls_new_server_key_exchange ( struct tls_connection *tls,
2491  const void *data, size_t len ) {
2492 
2493  /* Free any existing server key exchange record */
2494  free ( tls->server.exchange );
2495  tls->server.exchange_len = 0;
2496 
2497  /* Allocate copy of server key exchange record */
2498  tls->server.exchange = malloc ( len );
2499  if ( ! tls->server.exchange )
2500  return -ENOMEM;
2501 
2502  /* Store copy of server key exchange record for later
2503  * processing. We cannot verify the signature at this point
2504  * since the certificate validation will not yet have
2505  * completed.
2506  */
2507  memcpy ( tls->server.exchange, data, len );
2508  tls->server.exchange_len = len;
2509 
2510  return 0;
2511 }
2512 
2513 /**
2514  * Receive new Certificate Request handshake record
2515  *
2516  * @v tls TLS connection
2517  * @v data Plaintext handshake record
2518  * @v len Length of plaintext handshake record
2519  * @ret rc Return status code
2520  */
2521 static int tls_new_certificate_request ( struct tls_connection *tls,
2522  const void *data __unused,
2523  size_t len __unused ) {
2524  struct x509_certificate *cert;
2525  int rc;
2526 
2527  /* We can only send a single certificate, so there is no point
2528  * in parsing the Certificate Request.
2529  */
2530 
2531  /* Free any existing client certificate chain */
2532  x509_chain_put ( tls->client.chain );
2533  tls->client.chain = NULL;
2534 
2535  /* Create client certificate chain */
2536  tls->client.chain = x509_alloc_chain();
2537  if ( ! tls->client.chain ) {
2538  rc = -ENOMEM;
2539  goto err_alloc;
2540  }
2541 
2542  /* Determine client certificate to be sent, if any */
2543  cert = x509_find_key ( NULL, tls->client.key );
2544  if ( cert ) {
2545  DBGC ( tls, "TLS %p selected client certificate %s\n",
2546  tls, x509_name ( cert ) );
2547 
2548  /* Append client certificate to chain */
2549  if ( ( rc = x509_append ( tls->client.chain, cert ) ) != 0 )
2550  goto err_append;
2551 
2552  /* Append any relevant issuer certificates */
2553  if ( ( rc = x509_auto_append ( tls->client.chain,
2554  &certstore ) ) != 0 )
2555  goto err_auto_append;
2556  } else {
2557 
2558  /* Send an empty certificate chain */
2559  DBGC ( tls, "TLS %p could not find certificate corresponding "
2560  "to private key\n", tls );
2561  }
2562 
2563  return 0;
2564 
2565  err_auto_append:
2566  err_append:
2567  x509_chain_put ( tls->client.chain );
2568  tls->client.chain = NULL;
2569  err_alloc:
2570  return rc;
2571 }
2572 
2573 /**
2574  * Receive new Server Hello Done handshake record
2575  *
2576  * @v tls TLS connection
2577  * @v data Plaintext handshake record
2578  * @v len Length of plaintext handshake record
2579  * @ret rc Return status code
2580  */
2581 static int tls_new_server_hello_done ( struct tls_connection *tls,
2582  const void *data, size_t len ) {
2583  const struct {
2584  char next[0];
2585  } __attribute__ (( packed )) *hello_done = data;
2586  int rc;
2587 
2588  /* Sanity check */
2589  if ( sizeof ( *hello_done ) != len ) {
2590  DBGC ( tls, "TLS %p received overlength Server Hello Done\n",
2591  tls );
2592  DBGC_HD ( tls, data, len );
2593  return -EINVAL_HELLO_DONE;
2594  }
2595 
2596  /* Begin certificate validation */
2597  if ( ( rc = create_validator ( &tls->server.validator,
2598  tls->server.chain,
2599  tls->server.root ) ) != 0 ) {
2600  DBGC ( tls, "TLS %p could not start certificate validation: "
2601  "%s\n", tls, strerror ( rc ) );
2602  return rc;
2603  }
2604  pending_get ( &tls->server.validation );
2605 
2606  return 0;
2607 }
2608 
2609 /**
2610  * Receive new Finished handshake record
2611  *
2612  * @v tls TLS connection
2613  * @v data Plaintext handshake record
2614  * @v len Length of plaintext handshake record
2615  * @ret rc Return status code
2616  */
2617 static int tls_new_finished ( struct tls_connection *tls,
2618  const void *data, size_t len ) {
2619  struct tls_session *session = tls->session;
2620  struct digest_algorithm *digest = tls->handshake_digest;
2621  const struct {
2622  uint8_t verify_data[ sizeof ( tls->verify.server ) ];
2623  char next[0];
2624  } __attribute__ (( packed )) *finished = data;
2625  uint8_t digest_out[ digest->digestsize ];
2626 
2627  /* Sanity check */
2628  if ( sizeof ( *finished ) != len ) {
2629  DBGC ( tls, "TLS %p received overlength Finished\n", tls );
2630  DBGC_HD ( tls, data, len );
2631  return -EINVAL_FINISHED;
2632  }
2633 
2634  /* Verify data */
2635  tls_verify_handshake ( tls, digest_out );
2636  tls_prf_label ( tls, &tls->master_secret, sizeof ( tls->master_secret ),
2637  tls->verify.server, sizeof ( tls->verify.server ),
2638  "server finished", digest_out, sizeof ( digest_out ) );
2639  if ( memcmp ( tls->verify.server, finished->verify_data,
2640  sizeof ( tls->verify.server ) ) != 0 ) {
2641  DBGC ( tls, "TLS %p verification failed\n", tls );
2642  return -EPERM_VERIFY;
2643  }
2644 
2645  /* Mark server as finished */
2646  pending_put ( &tls->server.negotiation );
2647 
2648  /* If we are resuming a session (i.e. if the server Finished
2649  * arrives before the client Finished is sent), then schedule
2650  * transmission of Change Cipher and Finished.
2651  */
2652  if ( is_pending ( &tls->client.negotiation ) ) {
2653  tls->tx.pending |= ( TLS_TX_CHANGE_CIPHER | TLS_TX_FINISHED );
2654  tls_tx_resume ( tls );
2655  }
2656 
2657  /* Record session ID, ticket, and master secret, if applicable */
2658  if ( tls->session_id_len || tls->new_session_ticket_len ) {
2659  memcpy ( session->master_secret, tls->master_secret,
2660  sizeof ( session->master_secret ) );
2661  session->extended_master_secret = tls->extended_master_secret;
2662  }
2663  if ( tls->session_id_len ) {
2664  session->id_len = tls->session_id_len;
2665  memcpy ( session->id, tls->session_id, sizeof ( session->id ) );
2666  }
2667  if ( tls->new_session_ticket_len ) {
2668  free ( session->ticket );
2669  session->ticket = tls->new_session_ticket;
2670  session->ticket_len = tls->new_session_ticket_len;
2671  tls->new_session_ticket = NULL;
2672  tls->new_session_ticket_len = 0;
2673  }
2674 
2675  /* Move to end of session's connection list and allow other
2676  * connections to start making progress.
2677  */
2678  list_del ( &tls->list );
2679  list_add_tail ( &tls->list, &session->conn );
2680  tls_tx_resume_all ( session );
2681 
2682  /* Send notification of a window change */
2683  xfer_window_changed ( &tls->plainstream );
2684 
2685  return 0;
2686 }
2687 
2688 /**
2689  * Receive new Handshake record
2690  *
2691  * @v tls TLS connection
2692  * @v iobuf I/O buffer
2693  * @ret rc Return status code
2694  */
2695 static int tls_new_handshake ( struct tls_connection *tls,
2696  struct io_buffer *iobuf ) {
2697  size_t remaining;
2698  int rc;
2699 
2700  while ( ( remaining = iob_len ( iobuf ) ) ) {
2701  const struct {
2702  uint8_t type;
2703  tls24_t length;
2704  uint8_t payload[0];
2705  } __attribute__ (( packed )) *handshake = iobuf->data;
2706  const void *payload;
2707  size_t payload_len;
2708  size_t record_len;
2709 
2710  /* Parse header */
2711  if ( sizeof ( *handshake ) > remaining ) {
2712  /* Leave remaining fragment unconsumed */
2713  break;
2714  }
2715  payload_len = tls_uint24 ( &handshake->length );
2716  if ( payload_len > ( remaining - sizeof ( *handshake ) ) ) {
2717  /* Leave remaining fragment unconsumed */
2718  break;
2719  }
2720  payload = &handshake->payload;
2721  record_len = ( sizeof ( *handshake ) + payload_len );
2722 
2723  /* Handle payload */
2724  switch ( handshake->type ) {
2725  case TLS_HELLO_REQUEST:
2726  rc = tls_new_hello_request ( tls, payload,
2727  payload_len );
2728  break;
2729  case TLS_SERVER_HELLO:
2730  rc = tls_new_server_hello ( tls, payload, payload_len );
2731  break;
2732  case TLS_NEW_SESSION_TICKET:
2733  rc = tls_new_session_ticket ( tls, payload,
2734  payload_len );
2735  break;
2736  case TLS_CERTIFICATE:
2737  rc = tls_new_certificate ( tls, payload, payload_len );
2738  break;
2739  case TLS_SERVER_KEY_EXCHANGE:
2740  rc = tls_new_server_key_exchange ( tls, payload,
2741  payload_len );
2742  break;
2743  case TLS_CERTIFICATE_REQUEST:
2744  rc = tls_new_certificate_request ( tls, payload,
2745  payload_len );
2746  break;
2747  case TLS_SERVER_HELLO_DONE:
2748  rc = tls_new_server_hello_done ( tls, payload,
2749  payload_len );
2750  break;
2751  case TLS_FINISHED:
2752  rc = tls_new_finished ( tls, payload, payload_len );
2753  break;
2754  default:
2755  DBGC ( tls, "TLS %p ignoring handshake type %d\n",
2756  tls, handshake->type );
2757  rc = 0;
2758  break;
2759  }
2760 
2761  /* Add to handshake digest (except for Hello Requests,
2762  * which are explicitly excluded).
2763  */
2764  if ( handshake->type != TLS_HELLO_REQUEST )
2765  tls_add_handshake ( tls, handshake, record_len );
2766 
2767  /* Abort on failure */
2768  if ( rc != 0 )
2769  return rc;
2770 
2771  /* Move to next handshake record */
2772  iob_pull ( iobuf, record_len );
2773  }
2774 
2775  return 0;
2776 }
2777 
2778 /**
2779  * Receive new unknown record
2780  *
2781  * @v tls TLS connection
2782  * @v iobuf I/O buffer
2783  * @ret rc Return status code
2784  */
2785 static int tls_new_unknown ( struct tls_connection *tls __unused,
2786  struct io_buffer *iobuf ) {
2787 
2788  /* RFC4346 says that we should just ignore unknown record types */
2789  iob_pull ( iobuf, iob_len ( iobuf ) );
2790  return 0;
2791 }
2792 
2793 /**
2794  * Receive new data record
2795  *
2796  * @v tls TLS connection
2797  * @v rx_data List of received data buffers
2798  * @ret rc Return status code
2799  */
2800 static int tls_new_data ( struct tls_connection *tls,
2801  struct list_head *rx_data ) {
2802  struct io_buffer *iobuf;
2803  int rc;
2804 
2805  /* Fail unless we are ready to receive data */
2806  if ( ! tls_ready ( tls ) )
2807  return -ENOTCONN;
2808 
2809  /* Deliver each I/O buffer in turn */
2810  while ( ( iobuf = list_first_entry ( rx_data, struct io_buffer,
2811  list ) ) ) {
2812  list_del ( &iobuf->list );
2813  if ( ( rc = xfer_deliver_iob ( &tls->plainstream,
2814  iobuf ) ) != 0 ) {
2815  DBGC ( tls, "TLS %p could not deliver data: "
2816  "%s\n", tls, strerror ( rc ) );
2817  return rc;
2818  }
2819  }
2820 
2821  return 0;
2822 }
2823 
2824 /**
2825  * Receive new record
2826  *
2827  * @v tls TLS connection
2828  * @v type Record type
2829  * @v rx_data List of received data buffers
2830  * @ret rc Return status code
2831  */
2832 static int tls_new_record ( struct tls_connection *tls, unsigned int type,
2833  struct list_head *rx_data ) {
2834  int ( * handler ) ( struct tls_connection *tls,
2835  struct io_buffer *iobuf );
2836  struct io_buffer *tmp = NULL;
2837  struct io_buffer **iobuf;
2838  int rc;
2839 
2840  /* Deliver data records as-is to the plainstream interface */
2841  if ( type == TLS_TYPE_DATA )
2842  return tls_new_data ( tls, rx_data );
2843 
2844  /* Determine handler and fragment buffer */
2845  iobuf = &tmp;
2846  switch ( type ) {
2847  case TLS_TYPE_CHANGE_CIPHER:
2848  handler = tls_new_change_cipher;
2849  break;
2850  case TLS_TYPE_ALERT:
2851  handler = tls_new_alert;
2852  break;
2853  case TLS_TYPE_HANDSHAKE:
2854  handler = tls_new_handshake;
2855  iobuf = &tls->rx.handshake;
2856  break;
2857  default:
2858  DBGC ( tls, "TLS %p unknown record type %d\n", tls, type );
2859  handler = tls_new_unknown;
2860  break;
2861  }
2862 
2863  /* Merge into a single I/O buffer */
2864  if ( *iobuf )
2865  list_add ( &(*iobuf)->list, rx_data );
2866  *iobuf = iob_concatenate ( rx_data );
2867  if ( ! *iobuf ) {
2868  DBGC ( tls, "TLS %p could not concatenate non-data record "
2869  "type %d\n", tls, type );
2870  rc = -ENOMEM_RX_CONCAT;
2871  goto err_concatenate;
2872  }
2873 
2874  /* Handle record */
2875  if ( ( rc = handler ( tls, *iobuf ) ) != 0 )
2876  goto err_handle;
2877 
2878  /* Discard I/O buffer if empty */
2879  if ( ! iob_len ( *iobuf ) ) {
2880  free_iob ( *iobuf );
2881  *iobuf = NULL;
2882  }
2883 
2884  /* Sanity check */
2885  assert ( tmp == NULL );
2886 
2887  return 0;
2888 
2889  err_handle:
2890  free_iob ( *iobuf );
2891  *iobuf = NULL;
2892  err_concatenate:
2893  return rc;
2894 }
2895 
2896 /******************************************************************************
2897  *
2898  * Record encryption/decryption
2899  *
2900  ******************************************************************************
2901  */
2902 
2903 /**
2904  * Initialise HMAC
2905  *
2906  * @v cipherspec Cipher specification
2907  * @v ctx Context
2908  * @v authhdr Authentication header
2909  */
2910 static void tls_hmac_init ( struct tls_cipherspec *cipherspec, void *ctx,
2911  struct tls_auth_header *authhdr ) {
2912  struct tls_cipher_suite *suite = cipherspec->suite;
2913  struct digest_algorithm *digest = suite->digest;
2914 
2915  hmac_init ( digest, ctx, cipherspec->mac_secret, suite->mac_len );
2916  hmac_update ( digest, ctx, authhdr, sizeof ( *authhdr ) );
2917 }
2918 
2919 /**
2920  * Update HMAC
2921  *
2922  * @v cipherspec Cipher specification
2923  * @v ctx Context
2924  * @v data Data
2925  * @v len Length of data
2926  */
2927 static void tls_hmac_update ( struct tls_cipherspec *cipherspec, void *ctx,
2928  const void *data, size_t len ) {
2929  struct digest_algorithm *digest = cipherspec->suite->digest;
2930 
2931  hmac_update ( digest, ctx, data, len );
2932 }
2933 
2934 /**
2935  * Finalise HMAC
2936  *
2937  * @v cipherspec Cipher specification
2938  * @v ctx Context
2939  * @v mac HMAC to fill in
2940  */
2941 static void tls_hmac_final ( struct tls_cipherspec *cipherspec, void *ctx,
2942  void *hmac ) {
2943  struct digest_algorithm *digest = cipherspec->suite->digest;
2944 
2945  hmac_final ( digest, ctx, hmac );
2946 }
2947 
2948 /**
2949  * Calculate HMAC
2950  *
2951  * @v cipherspec Cipher specification
2952  * @v authhdr Authentication header
2953  * @v data Data
2954  * @v len Length of data
2955  * @v mac HMAC to fill in
2956  */
2957 static void tls_hmac ( struct tls_cipherspec *cipherspec,
2958  struct tls_auth_header *authhdr,
2959  const void *data, size_t len, void *hmac ) {
2960  struct digest_algorithm *digest = cipherspec->suite->digest;
2961  uint8_t ctx[ hmac_ctxsize ( digest ) ];
2962 
2963  tls_hmac_init ( cipherspec, ctx, authhdr );
2964  tls_hmac_update ( cipherspec, ctx, data, len );
2965  tls_hmac_final ( cipherspec, ctx, hmac );
2966 }
2967 
2968 /**
2969  * Calculate HMAC over list of I/O buffers
2970  *
2971  * @v cipherspec Cipher specification
2972  * @v authhdr Authentication header
2973  * @v list List of I/O buffers
2974  * @v mac HMAC to fill in
2975  */
2976 static void tls_hmac_list ( struct tls_cipherspec *cipherspec,
2977  struct tls_auth_header *authhdr,
2978  struct list_head *list, void *hmac ) {
2979  struct digest_algorithm *digest = cipherspec->suite->digest;
2980  uint8_t ctx[ hmac_ctxsize ( digest ) ];
2981  struct io_buffer *iobuf;
2982 
2983  tls_hmac_init ( cipherspec, ctx, authhdr );
2984  list_for_each_entry ( iobuf, list, list ) {
2985  tls_hmac_update ( cipherspec, ctx, iobuf->data,
2986  iob_len ( iobuf ) );
2987  }
2988  tls_hmac_final ( cipherspec, ctx, hmac );
2989 }
2990 
2991 /**
2992  * Calculate maximum additional length required for transmitted record(s)
2993  *
2994  * @v tls TLS connection
2995  * @v len I/O buffer payload length
2996  * @ret reserve Maximum additional length to reserve
2997  */
2998 static size_t tls_iob_reserved ( struct tls_connection *tls, size_t len ) {
2999  struct tls_cipherspec *cipherspec = &tls->tx.cipherspec.active;
3000  struct tls_cipher_suite *suite = cipherspec->suite;
3001  struct cipher_algorithm *cipher = suite->cipher;
3002  struct tls_header *tlshdr;
3003  unsigned int count;
3004  size_t each;
3005 
3006  /* Calculate number of records (allowing for zero-length records) */
3007  count = ( len ? ( ( len + TLS_TX_BUFSIZE - 1 ) / TLS_TX_BUFSIZE ) : 1 );
3008 
3009  /* Calculate maximum additional length per record */
3010  each = ( sizeof ( *tlshdr ) + suite->record_iv_len + suite->mac_len +
3011  ( is_block_cipher ( cipher ) ? cipher->blocksize : 0 ) +
3012  cipher->authsize );
3013 
3014  /* Calculate maximum total additional length */
3015  return ( count * each );
3016 }
3017 
3018 /**
3019  * Allocate I/O buffer for transmitted record(s)
3020  *
3021  * @v tls TLS connection
3022  * @v len I/O buffer payload length
3023  * @ret iobuf I/O buffer
3024  */
3025 static struct io_buffer * tls_alloc_iob ( struct tls_connection *tls,
3026  size_t len ) {
3027  struct io_buffer *iobuf;
3028  size_t reserve;
3029 
3030  /* Calculate maximum additional length to reserve */
3031  reserve = tls_iob_reserved ( tls, len );
3032 
3033  /* Allocate I/O buffer */
3034  iobuf = xfer_alloc_iob ( &tls->cipherstream, ( reserve + len ) );
3035  if ( ! iobuf )
3036  return NULL;
3037 
3038  /* Reserve space */
3039  iob_reserve ( iobuf, reserve );
3040 
3041  return iobuf;
3042 }
3043 
3044 /**
3045  * Send plaintext record(s)
3046  *
3047  * @v tls TLS connection
3048  * @v type Record type
3049  * @v iobuf I/O buffer
3050  * @ret rc Return status code
3051  */
3052 static int tls_send_record ( struct tls_connection *tls, unsigned int type,
3053  struct io_buffer *iobuf ) {
3054  struct tls_cipherspec *cipherspec = &tls->tx.cipherspec.active;
3055  struct tls_cipher_suite *suite = cipherspec->suite;
3056  struct cipher_algorithm *cipher = suite->cipher;
3057  struct digest_algorithm *digest = suite->digest;
3058  struct {
3059  uint8_t fixed[suite->fixed_iv_len];
3060  uint8_t rec[suite->record_iv_len];
3061  } __attribute__ (( packed )) iv;
3062  struct tls_auth_header authhdr;
3063  struct tls_header *tlshdr;
3064  uint8_t mac[digest->digestsize];
3065  const void *plaintext;
3066  const void *encrypt;
3067  void *ciphertext;
3068  size_t record_len;
3069  size_t encrypt_len;
3070  size_t pad_len;
3071  size_t len;
3072  int rc;
3073 
3074  /* Record plaintext pointer and length */
3075  plaintext = iobuf->data;
3076  len = iob_len ( iobuf );
3077 
3078  /* Add to handshake digest if applicable */
3079  if ( type == TLS_TYPE_HANDSHAKE )
3080  tls_add_handshake ( tls, plaintext, len );
3081 
3082  /* Start constructing ciphertext at start of reserved space */
3083  iob_push ( iobuf, tls_iob_reserved ( tls, len ) );
3084  iob_unput ( iobuf, iob_len ( iobuf ) );
3085 
3086  /* Construct records */
3087  do {
3088  /* Limit length of this record (may be zero) */
3089  record_len = len;
3090  if ( record_len > TLS_TX_BUFSIZE )
3091  record_len = TLS_TX_BUFSIZE;
3092 
3093  /* Construct and set initialisation vector */
3094  memcpy ( iv.fixed, cipherspec->fixed_iv, sizeof ( iv.fixed ) );
3095  if ( ( rc = tls_generate_random ( tls, iv.rec,
3096  sizeof ( iv.rec ) ) ) != 0 ) {
3097  goto err_random;
3098  }
3099  cipher_setiv ( cipher, cipherspec->cipher_ctx, &iv,
3100  sizeof ( iv ) );
3101 
3102  /* Construct and process authentication data */
3103  authhdr.seq = cpu_to_be64 ( tls->tx.seq );
3104  authhdr.header.type = type;
3105  authhdr.header.version = htons ( tls->version );
3106  authhdr.header.length = htons ( record_len );
3107  if ( suite->mac_len ) {
3108  tls_hmac ( cipherspec, &authhdr, plaintext, record_len,
3109  mac );
3110  }
3111  if ( is_auth_cipher ( cipher ) ) {
3112  cipher_encrypt ( cipher, cipherspec->cipher_ctx,
3113  &authhdr, NULL, sizeof ( authhdr ) );
3114  }
3115 
3116  /* Calculate encryption length */
3117  encrypt_len = ( record_len + suite->mac_len );
3118  if ( is_block_cipher ( cipher ) ) {
3119  pad_len = ( ( ( cipher->blocksize - 1 ) &
3120  -( encrypt_len + 1 ) ) + 1 );
3121  } else {
3122  pad_len = 0;
3123  }
3124  encrypt_len += pad_len;
3125 
3126  /* Add record header */
3127  tlshdr = iob_put ( iobuf, sizeof ( *tlshdr ) );
3128  tlshdr->type = type;
3129  tlshdr->version = htons ( tls->version );
3130  tlshdr->length = htons ( sizeof ( iv.rec ) + encrypt_len +
3131  cipher->authsize );
3132 
3133  /* Add record initialisation vector, if applicable */
3134  memcpy ( iob_put ( iobuf, sizeof ( iv.rec ) ), iv.rec,
3135  sizeof ( iv.rec ) );
3136 
3137  /* Copy plaintext data if necessary */
3138  ciphertext = iob_put ( iobuf, record_len );
3139  assert ( ciphertext <= plaintext );
3140  if ( encrypt_len > record_len ) {
3141  memmove ( ciphertext, plaintext, record_len );
3142  encrypt = ciphertext;
3143  } else {
3144  encrypt = plaintext;
3145  }
3146 
3147  /* Add MAC, if applicable */
3148  memcpy ( iob_put ( iobuf, suite->mac_len ), mac,
3149  suite->mac_len );
3150 
3151  /* Add padding, if applicable */
3152  memset ( iob_put ( iobuf, pad_len ), ( pad_len - 1 ), pad_len );
3153 
3154  /* Encrypt data and append authentication tag */
3155  DBGC2 ( tls, "Sending plaintext data:\n" );
3156  DBGC2_HDA ( tls, 0, encrypt, encrypt_len );
3157  cipher_encrypt ( cipher, cipherspec->cipher_ctx, encrypt,
3158  ciphertext, encrypt_len );
3159  cipher_auth ( cipher, cipherspec->cipher_ctx,
3160  iob_put ( iobuf, cipher->authsize ) );
3161 
3162  /* Move to next record */
3163  tls->tx.seq += 1;
3164  plaintext += record_len;
3165  len -= record_len;
3166 
3167  } while ( len );
3168 
3169  /* Send ciphertext */
3170  if ( ( rc = xfer_deliver_iob ( &tls->cipherstream,
3171  iob_disown ( iobuf ) ) ) != 0 ) {
3172  DBGC ( tls, "TLS %p could not deliver ciphertext: %s\n",
3173  tls, strerror ( rc ) );
3174  goto err_deliver;
3175  }
3176 
3177  assert ( iobuf == NULL );
3178  return 0;
3179 
3180  err_deliver:
3181  err_random:
3182  free_iob ( iobuf );
3183  return rc;
3184 }
3185 
3186 /**
3187  * Send plaintext record
3188  *
3189  * @v tls TLS connection
3190  * @v type Record type
3191  * @v data Plaintext record
3192  * @v len Length of plaintext record
3193  * @ret rc Return status code
3194  */
3195 static int tls_send_plaintext ( struct tls_connection *tls, unsigned int type,
3196  const void *data, size_t len ) {
3197  struct io_buffer *iobuf;
3198  int rc;
3199 
3200  /* Allocate I/O buffer */
3201  iobuf = tls_alloc_iob ( tls, len );
3202  if ( ! iobuf )
3203  return -ENOMEM_TX_PLAINTEXT;
3204  memcpy ( iob_put ( iobuf, len ), data, len );
3205 
3206  /* Transmit I/O buffer */
3207  if ( ( rc = tls_send_record ( tls, type, iob_disown ( iobuf ) ) ) != 0 )
3208  return rc;
3209 
3210  return 0;
3211 }
3212 
3213 /**
3214  * Verify block padding
3215  *
3216  * @v tls TLS connection
3217  * @v iobuf Last received I/O buffer
3218  * @ret len Padding length, or negative error
3219  * @ret rc Return status code
3220  */
3221 static int tls_verify_padding ( struct tls_connection *tls,
3222  struct io_buffer *iobuf ) {
3223  uint8_t *padding;
3224  unsigned int pad;
3225  unsigned int i;
3226  size_t len;
3227 
3228  /* Extract and verify padding */
3229  padding = ( iobuf->tail - 1 );
3230  pad = *padding;
3231  len = ( pad + 1 );
3232  if ( len > iob_len ( iobuf ) ) {
3233  DBGC ( tls, "TLS %p received underlength padding\n", tls );
3234  DBGC_HD ( tls, iobuf->data, iob_len ( iobuf ) );
3235  return -EINVAL_PADDING;
3236  }
3237  for ( i = 0 ; i < pad ; i++ ) {
3238  if ( *(--padding) != pad ) {
3239  DBGC ( tls, "TLS %p received bad padding\n", tls );
3240  DBGC_HD ( tls, iobuf->data, iob_len ( iobuf ) );
3241  return -EINVAL_PADDING;
3242  }
3243  }
3244 
3245  return len;
3246 }
3247 
3248 /**
3249  * Receive new ciphertext record
3250  *
3251  * @v tls TLS connection
3252  * @v tlshdr Record header
3253  * @v rx_data List of received data buffers
3254  * @ret rc Return status code
3255  */
3256 static int tls_new_ciphertext ( struct tls_connection *tls,
3257  struct tls_header *tlshdr,
3258  struct list_head *rx_data ) {
3259  struct tls_cipherspec *cipherspec = &tls->rx.cipherspec.active;
3260  struct tls_cipher_suite *suite = cipherspec->suite;
3261  struct cipher_algorithm *cipher = suite->cipher;
3262  struct digest_algorithm *digest = suite->digest;
3263  size_t len = ntohs ( tlshdr->length );
3264  struct {
3265  uint8_t fixed[suite->fixed_iv_len];
3266  uint8_t record[suite->record_iv_len];
3267  } __attribute__ (( packed )) iv;
3268  struct tls_auth_header authhdr;
3269  uint8_t verify_mac[digest->digestsize];
3270  uint8_t verify_auth[cipher->authsize];
3271  struct io_buffer *first;
3272  struct io_buffer *last;
3273  struct io_buffer *iobuf;
3274  void *mac;
3275  void *auth;
3276  size_t check_len;
3277  int pad_len;
3278  int rc;
3279 
3280  /* Locate first and last data buffers */
3281  assert ( ! list_empty ( rx_data ) );
3282  first = list_first_entry ( rx_data, struct io_buffer, list );
3283  last = list_last_entry ( rx_data, struct io_buffer, list );
3284 
3285  /* Extract initialisation vector */
3286  if ( iob_len ( first ) < sizeof ( iv.record ) ) {
3287  DBGC ( tls, "TLS %p received underlength IV\n", tls );
3288  DBGC_HD ( tls, first->data, iob_len ( first ) );
3289  return -EINVAL_IV;
3290  }
3291  memcpy ( iv.fixed, cipherspec->fixed_iv, sizeof ( iv.fixed ) );
3292  memcpy ( iv.record, first->data, sizeof ( iv.record ) );
3293  iob_pull ( first, sizeof ( iv.record ) );
3294  len -= sizeof ( iv.record );
3295 
3296  /* Extract unencrypted authentication tag */
3297  if ( iob_len ( last ) < cipher->authsize ) {
3298  DBGC ( tls, "TLS %p received underlength authentication tag\n",
3299  tls );
3300  DBGC_HD ( tls, last->data, iob_len ( last ) );
3301  return -EINVAL_MAC;
3302  }
3303  iob_unput ( last, cipher->authsize );
3304  len -= cipher->authsize;
3305  auth = last->tail;
3306 
3307  /* Construct authentication data */
3308  authhdr.seq = cpu_to_be64 ( tls->rx.seq );
3309  authhdr.header.type = tlshdr->type;
3310  authhdr.header.version = tlshdr->version;
3311  authhdr.header.length = htons ( len );
3312 
3313  /* Set initialisation vector */
3314  cipher_setiv ( cipher, cipherspec->cipher_ctx, &iv, sizeof ( iv ) );
3315 
3316  /* Process authentication data, if applicable */
3317  if ( is_auth_cipher ( cipher ) ) {
3318  cipher_decrypt ( cipher, cipherspec->cipher_ctx, &authhdr,
3319  NULL, sizeof ( authhdr ) );
3320  }
3321 
3322  /* Decrypt the received data */
3323  check_len = 0;
3324  list_for_each_entry ( iobuf, &tls->rx.data, list ) {
3325  cipher_decrypt ( cipher, cipherspec->cipher_ctx,
3326  iobuf->data, iobuf->data, iob_len ( iobuf ) );
3327  check_len += iob_len ( iobuf );
3328  }
3329  assert ( check_len == len );
3330 
3331  /* Strip block padding, if applicable */
3332  if ( is_block_cipher ( cipher ) ) {
3333  pad_len = tls_verify_padding ( tls, last );
3334  if ( pad_len < 0 ) {
3335  /* Assume zero padding length to avoid timing attacks */
3336  pad_len = 0;
3337  }
3338  iob_unput ( last, pad_len );
3339  len -= pad_len;
3340  }
3341 
3342  /* Extract decrypted MAC */
3343  if ( iob_len ( last ) < suite->mac_len ) {
3344  DBGC ( tls, "TLS %p received underlength MAC\n", tls );
3345  DBGC_HD ( tls, last->data, iob_len ( last ) );
3346  return -EINVAL_MAC;
3347  }
3348  iob_unput ( last, suite->mac_len );
3349  len -= suite->mac_len;
3350  mac = last->tail;
3351 
3352  /* Dump received data */
3353  DBGC2 ( tls, "Received plaintext data:\n" );
3354  check_len = 0;
3355  list_for_each_entry ( iobuf, rx_data, list ) {
3356  DBGC2_HD ( tls, iobuf->data, iob_len ( iobuf ) );
3357  check_len += iob_len ( iobuf );
3358  }
3359  assert ( check_len == len );
3360 
3361  /* Generate MAC */
3362  authhdr.header.length = htons ( len );
3363  if ( suite->mac_len )
3364  tls_hmac_list ( cipherspec, &authhdr, rx_data, verify_mac );
3365 
3366  /* Generate authentication tag */
3367  cipher_auth ( cipher, cipherspec->cipher_ctx, verify_auth );
3368 
3369  /* Verify MAC */
3370  if ( memcmp ( mac, verify_mac, suite->mac_len ) != 0 ) {
3371  DBGC ( tls, "TLS %p failed MAC verification\n", tls );
3372  return -EINVAL_MAC;
3373  }
3374 
3375  /* Verify authentication tag */
3376  if ( memcmp ( auth, verify_auth, cipher->authsize ) != 0 ) {
3377  DBGC ( tls, "TLS %p failed authentication tag verification\n",
3378  tls );
3379  return -EINVAL_MAC;
3380  }
3381 
3382  /* Process plaintext record */
3383  if ( ( rc = tls_new_record ( tls, tlshdr->type, rx_data ) ) != 0 )
3384  return rc;
3385 
3386  return 0;
3387 }
3388 
3389 /******************************************************************************
3390  *
3391  * Plaintext stream operations
3392  *
3393  ******************************************************************************
3394  */
3395 
3396 /**
3397  * Check flow control window
3398  *
3399  * @v tls TLS connection
3400  * @ret len Length of window
3401  */
3402 static size_t tls_plainstream_window ( struct tls_connection *tls ) {
3403 
3404  /* Block window unless we are ready to accept data */
3405  if ( ! tls_ready ( tls ) )
3406  return 0;
3407 
3408  return xfer_window ( &tls->cipherstream );
3409 }
3410 
3411 /**
3412  * Deliver datagram as raw data
3413  *
3414  * @v tls TLS connection
3415  * @v iobuf I/O buffer
3416  * @v meta Data transfer metadata
3417  * @ret rc Return status code
3418  */
3419 static int tls_plainstream_deliver ( struct tls_connection *tls,
3420  struct io_buffer *iobuf,
3421  struct xfer_metadata *meta __unused ) {
3422  int rc;
3423 
3424  /* Refuse unless we are ready to accept data */
3425  if ( ! tls_ready ( tls ) ) {
3426  rc = -ENOTCONN;
3427  goto done;
3428  }
3429 
3430  /* Send data record */
3431  if ( ( rc = tls_send_record ( tls, TLS_TYPE_DATA,
3432  iob_disown ( iobuf ) ) ) != 0 )
3433  goto done;
3434 
3435  done:
3436  free_iob ( iobuf );
3437  return rc;
3438 }
3439 
3440 /**
3441  * Report job progress
3442  *
3443  * @v tls TLS connection
3444  * @v progress Progress report to fill in
3445  * @ret ongoing_rc Ongoing job status code (if known)
3446  */
3447 static int tls_progress ( struct tls_connection *tls,
3448  struct job_progress *progress ) {
3449 
3450  /* Return cipherstream or validator progress as applicable */
3451  if ( is_pending ( &tls->server.validation ) ) {
3452  return job_progress ( &tls->server.validator, progress );
3453  } else {
3454  return job_progress ( &tls->cipherstream, progress );
3455  }
3456 }
3457 
3458 /** TLS plaintext stream interface operations */
3459 static struct interface_operation tls_plainstream_ops[] = {
3460  INTF_OP ( xfer_alloc_iob, struct tls_connection *, tls_alloc_iob ),
3461  INTF_OP ( xfer_deliver, struct tls_connection *,
3462  tls_plainstream_deliver ),
3463  INTF_OP ( xfer_window, struct tls_connection *,
3464  tls_plainstream_window ),
3465  INTF_OP ( job_progress, struct tls_connection *, tls_progress ),
3466  INTF_OP ( intf_close, struct tls_connection *, tls_close ),
3467 };
3468 
3469 /** TLS plaintext stream interface descriptor */
3470 static struct interface_descriptor tls_plainstream_desc =
3471  INTF_DESC_PASSTHRU ( struct tls_connection, plainstream,
3472  tls_plainstream_ops, cipherstream );
3473 
3474 /******************************************************************************
3475  *
3476  * Ciphertext stream operations
3477  *
3478  ******************************************************************************
3479  */
3480 
3481 /**
3482  * Handle received TLS header
3483  *
3484  * @v tls TLS connection
3485  * @ret rc Returned status code
3486  */
3487 static int tls_newdata_process_header ( struct tls_connection *tls ) {
3488  struct tls_cipherspec *cipherspec = &tls->rx.cipherspec.active;
3489  struct cipher_algorithm *cipher = cipherspec->suite->cipher;
3490  size_t iv_len = cipherspec->suite->record_iv_len;
3491  size_t data_len = ntohs ( tls->rx.header.length );
3492  size_t remaining = data_len;
3493  size_t frag_len;
3494  size_t reserve;
3495  struct io_buffer *iobuf;
3496  struct io_buffer *tmp;
3497  int rc;
3498 
3499  /* Sanity check */
3500  assert ( ( TLS_RX_BUFSIZE % cipher->alignsize ) == 0 );
3501 
3502  /* Calculate alignment reservation at start of first data buffer */
3503  reserve = ( ( -iv_len ) & ( cipher->alignsize - 1 ) );
3504  remaining += reserve;
3505 
3506  /* Allocate data buffers now that we know the length */
3507  assert ( list_empty ( &tls->rx.data ) );
3508  while ( remaining ) {
3509 
3510  /* Calculate fragment length. Ensure that no block is
3511  * smaller than TLS_RX_MIN_BUFSIZE (by increasing the
3512  * allocation length if necessary).
3513  */
3514  frag_len = remaining;
3515  if ( frag_len > TLS_RX_BUFSIZE )
3516  frag_len = TLS_RX_BUFSIZE;
3517  remaining -= frag_len;
3518  if ( remaining < TLS_RX_MIN_BUFSIZE ) {
3519  frag_len += remaining;
3520  remaining = 0;
3521  }
3522 
3523  /* Allocate buffer */
3524  iobuf = alloc_iob_raw ( frag_len, TLS_RX_ALIGN, 0 );
3525  if ( ! iobuf ) {
3526  DBGC ( tls, "TLS %p could not allocate %zd of %zd "
3527  "bytes for receive buffer\n", tls,
3528  remaining, data_len );
3529  rc = -ENOMEM_RX_DATA;
3530  goto err;
3531  }
3532 
3533  /* Ensure tailroom is exactly what we asked for. This
3534  * will result in unaligned I/O buffers when the
3535  * fragment length is unaligned, which can happen only
3536  * before we switch to using a block cipher.
3537  */
3538  iob_reserve ( iobuf, ( iob_tailroom ( iobuf ) - frag_len ) );
3539 
3540  /* Ensure first buffer length will be aligned to a
3541  * multiple of the cipher alignment size after
3542  * stripping the record IV.
3543  */
3544  iob_reserve ( iobuf, reserve );
3545  reserve = 0;
3546 
3547  /* Add I/O buffer to list */
3548  list_add_tail ( &iobuf->list, &tls->rx.data );
3549  }
3550 
3551  /* Move to data state */
3552  tls->rx.state = TLS_RX_DATA;
3553 
3554  return 0;
3555 
3556  err:
3557  list_for_each_entry_safe ( iobuf, tmp, &tls->rx.data, list ) {
3558  list_del ( &iobuf->list );
3559  free_iob ( iobuf );
3560  }
3561  return rc;
3562 }
3563 
3564 /**
3565  * Handle received TLS data payload
3566  *
3567  * @v tls TLS connection
3568  * @ret rc Returned status code
3569  */
3570 static int tls_newdata_process_data ( struct tls_connection *tls ) {
3571  struct io_buffer *iobuf;
3572  int rc;
3573 
3574  /* Move current buffer to end of list */
3575  iobuf = list_first_entry ( &tls->rx.data, struct io_buffer, list );
3576  list_del ( &iobuf->list );
3577  list_add_tail ( &iobuf->list, &tls->rx.data );
3578 
3579  /* Continue receiving data if any space remains */
3580  iobuf = list_first_entry ( &tls->rx.data, struct io_buffer, list );
3581  if ( iob_tailroom ( iobuf ) )
3582  return 0;
3583 
3584  /* Process record */
3585  if ( ( rc = tls_new_ciphertext ( tls, &tls->rx.header,
3586  &tls->rx.data ) ) != 0 )
3587  return rc;
3588 
3589  /* Increment RX sequence number */
3590  tls->rx.seq += 1;
3591 
3592  /* Return to header state */
3593  assert ( list_empty ( &tls->rx.data ) );
3594  tls->rx.state = TLS_RX_HEADER;
3595  iob_unput ( &tls->rx.iobuf, sizeof ( tls->rx.header ) );
3596 
3597  return 0;
3598 }
3599 
3600 /**
3601  * Check flow control window
3602  *
3603  * @v tls TLS connection
3604  * @ret len Length of window
3605  */
3606 static size_t tls_cipherstream_window ( struct tls_connection *tls ) {
3607 
3608  /* Open window until we are ready to accept data */
3609  if ( ! tls_ready ( tls ) )
3610  return -1UL;
3611 
3612  return xfer_window ( &tls->plainstream );
3613 }
3614 
3615 /**
3616  * Receive new ciphertext
3617  *
3618  * @v tls TLS connection
3619  * @v iobuf I/O buffer
3620  * @v meta Data transfer metadat
3621  * @ret rc Return status code
3622  */
3623 static int tls_cipherstream_deliver ( struct tls_connection *tls,
3624  struct io_buffer *iobuf,
3625  struct xfer_metadata *xfer __unused ) {
3626  size_t frag_len;
3627  int ( * process ) ( struct tls_connection *tls );
3628  struct io_buffer *dest;
3629  int rc;
3630 
3631  while ( iob_len ( iobuf ) ) {
3632 
3633  /* Select buffer according to current state */
3634  switch ( tls->rx.state ) {
3635  case TLS_RX_HEADER:
3636  dest = &tls->rx.iobuf;
3637  process = tls_newdata_process_header;
3638  break;
3639  case TLS_RX_DATA:
3640  dest = list_first_entry ( &tls->rx.data,
3641  struct io_buffer, list );
3642  assert ( dest != NULL );
3643  process = tls_newdata_process_data;
3644  break;
3645  default:
3646  assert ( 0 );
3647  rc = -EINVAL_RX_STATE;
3648  goto done;
3649  }
3650 
3651  /* Copy data portion to buffer */
3652  frag_len = iob_len ( iobuf );
3653  if ( frag_len > iob_tailroom ( dest ) )
3654  frag_len = iob_tailroom ( dest );
3655  memcpy ( iob_put ( dest, frag_len ), iobuf->data, frag_len );
3656  iob_pull ( iobuf, frag_len );
3657 
3658  /* Process data if buffer is now full */
3659  if ( iob_tailroom ( dest ) == 0 ) {
3660  if ( ( rc = process ( tls ) ) != 0 ) {
3661  tls_close ( tls, rc );
3662  goto done;
3663  }
3664  }
3665  }
3666  rc = 0;
3667 
3668  done:
3669  free_iob ( iobuf );
3670  return rc;
3671 }
3672 
3673 /** TLS ciphertext stream interface operations */
3674 static struct interface_operation tls_cipherstream_ops[] = {
3675  INTF_OP ( xfer_deliver, struct tls_connection *,
3676  tls_cipherstream_deliver ),
3677  INTF_OP ( xfer_window, struct tls_connection *,
3678  tls_cipherstream_window ),
3679  INTF_OP ( xfer_window_changed, struct tls_connection *,
3680  tls_tx_resume ),
3681  INTF_OP ( intf_close, struct tls_connection *, tls_close ),
3682 };
3683 
3684 /** TLS ciphertext stream interface descriptor */
3685 static struct interface_descriptor tls_cipherstream_desc =
3686  INTF_DESC_PASSTHRU ( struct tls_connection, cipherstream,
3687  tls_cipherstream_ops, plainstream );
3688 
3689 /******************************************************************************
3690  *
3691  * Certificate validator
3692  *
3693  ******************************************************************************
3694  */
3695 
3696 /**
3697  * Handle certificate validation completion
3698  *
3699  * @v tls TLS connection
3700  * @v rc Reason for completion
3701  */
3702 static void tls_validator_done ( struct tls_connection *tls, int rc ) {
3703  struct tls_session *session = tls->session;
3704  struct x509_certificate *cert;
3705 
3706  /* Mark validation as complete */
3707  pending_put ( &tls->server.validation );
3708 
3709  /* Close validator interface */
3710  intf_restart ( &tls->server.validator, rc );
3711 
3712  /* Check for validation failure */
3713  if ( rc != 0 ) {
3714  DBGC ( tls, "TLS %p certificate validation failed: %s\n",
3715  tls, strerror ( rc ) );
3716  goto err;
3717  }
3718  DBGC ( tls, "TLS %p certificate validation succeeded\n", tls );
3719 
3720  /* Extract first certificate */
3721  cert = x509_first ( tls->server.chain );
3722  assert ( cert != NULL );
3723 
3724  /* Verify server name */
3725  if ( ( rc = x509_check_name ( cert, session->name ) ) != 0 ) {
3726  DBGC ( tls, "TLS %p server certificate does not match %s: %s\n",
3727  tls, session->name, strerror ( rc ) );
3728  goto err;
3729  }
3730 
3731  /* Extract the now trusted server public key */
3732  memcpy ( &tls->server.key, &cert->subject.public_key.raw,
3733  sizeof ( tls->server.key ) );
3734 
3735  /* Schedule transmission of applicable handshake messages */
3736  tls->tx.pending |= ( TLS_TX_CLIENT_KEY_EXCHANGE |
3737  TLS_TX_CHANGE_CIPHER |
3738  TLS_TX_FINISHED );
3739  if ( tls->client.chain ) {
3740  tls->tx.pending |= TLS_TX_CERTIFICATE;
3741  if ( ! list_empty ( &tls->client.chain->links ) )
3742  tls->tx.pending |= TLS_TX_CERTIFICATE_VERIFY;
3743  }
3744  tls_tx_resume ( tls );
3745 
3746  return;
3747 
3748  err:
3749  tls_close ( tls, rc );
3750  return;
3751 }
3752 
3753 /** TLS certificate validator interface operations */
3754 static struct interface_operation tls_validator_ops[] = {
3755  INTF_OP ( intf_close, struct tls_connection *, tls_validator_done ),
3756 };
3757 
3758 /** TLS certificate validator interface descriptor */
3759 static struct interface_descriptor tls_validator_desc =
3760  INTF_DESC ( struct tls_connection, server.validator,
3761  tls_validator_ops );
3762 
3763 /******************************************************************************
3764  *
3765  * Controlling process
3766  *
3767  ******************************************************************************
3768  */
3769 
3770 /**
3771  * TLS TX state machine
3772  *
3773  * @v tls TLS connection
3774  */
3775 static void tls_tx_step ( struct tls_connection *tls ) {
3776  struct tls_session *session = tls->session;
3777  struct tls_connection *conn;
3778  int rc;
3779 
3780  /* Wait for cipherstream to become ready */
3781  if ( ! xfer_window ( &tls->cipherstream ) )
3782  return;
3783 
3784  /* Send first pending transmission */
3785  if ( tls->tx.pending & TLS_TX_CLIENT_HELLO ) {
3786  /* Serialise server negotiations within a session, to
3787  * provide a consistent view of session IDs and
3788  * session tickets.
3789  */
3790  list_for_each_entry ( conn, &session->conn, list ) {
3791  if ( conn == tls )
3792  break;
3793  if ( is_pending ( &conn->server.negotiation ) )
3794  return;
3795  }
3796  /* Record or generate session ID and associated master secret */
3797  if ( session->id_len ) {
3798  /* Attempt to resume an existing session */
3799  memcpy ( tls->session_id, session->id,
3800  sizeof ( tls->session_id ) );
3801  tls->session_id_len = session->id_len;
3802  memcpy ( tls->master_secret, session->master_secret,
3803  sizeof ( tls->master_secret ) );
3804  } else {
3805  /* No existing session: use a random session ID */
3806  assert ( sizeof ( tls->session_id ) ==
3807  sizeof ( tls->client.random ) );
3808  memcpy ( tls->session_id, &tls->client.random,
3809  sizeof ( tls->session_id ) );
3810  tls->session_id_len = sizeof ( tls->session_id );
3811  }
3812  /* Send Client Hello */
3813  if ( ( rc = tls_send_client_hello ( tls ) ) != 0 ) {
3814  DBGC ( tls, "TLS %p could not send Client Hello: %s\n",
3815  tls, strerror ( rc ) );
3816  goto err;
3817  }
3818  tls->tx.pending &= ~TLS_TX_CLIENT_HELLO;
3819  } else if ( tls->tx.pending & TLS_TX_CERTIFICATE ) {
3820  /* Send Certificate */
3821  if ( ( rc = tls_send_certificate ( tls ) ) != 0 ) {
3822  DBGC ( tls, "TLS %p cold not send Certificate: %s\n",
3823  tls, strerror ( rc ) );
3824  goto err;
3825  }
3826  tls->tx.pending &= ~TLS_TX_CERTIFICATE;
3827  } else if ( tls->tx.pending & TLS_TX_CLIENT_KEY_EXCHANGE ) {
3828  /* Send Client Key Exchange */
3829  if ( ( rc = tls_send_client_key_exchange ( tls ) ) != 0 ) {
3830  DBGC ( tls, "TLS %p could not send Client Key "
3831  "Exchange: %s\n", tls, strerror ( rc ) );
3832  goto err;
3833  }
3834  tls->tx.pending &= ~TLS_TX_CLIENT_KEY_EXCHANGE;
3835  } else if ( tls->tx.pending & TLS_TX_CERTIFICATE_VERIFY ) {
3836  /* Send Certificate Verify */
3837  if ( ( rc = tls_send_certificate_verify ( tls ) ) != 0 ) {
3838  DBGC ( tls, "TLS %p could not send Certificate "
3839  "Verify: %s\n", tls, strerror ( rc ) );
3840  goto err;
3841  }
3842  tls->tx.pending &= ~TLS_TX_CERTIFICATE_VERIFY;
3843  } else if ( tls->tx.pending & TLS_TX_CHANGE_CIPHER ) {
3844  /* Send Change Cipher, and then change the cipher in use */
3845  if ( ( rc = tls_send_change_cipher ( tls ) ) != 0 ) {
3846  DBGC ( tls, "TLS %p could not send Change Cipher: "
3847  "%s\n", tls, strerror ( rc ) );
3848  goto err;
3849  }
3850  if ( ( rc = tls_change_cipher ( tls,
3851  &tls->tx.cipherspec ) ) != 0 ){
3852  DBGC ( tls, "TLS %p could not activate TX cipher: "
3853  "%s\n", tls, strerror ( rc ) );
3854  goto err;
3855  }
3856  tls->tx.seq = 0;
3857  tls->tx.pending &= ~TLS_TX_CHANGE_CIPHER;
3858  } else if ( tls->tx.pending & TLS_TX_FINISHED ) {
3859  /* Send Finished */
3860  if ( ( rc = tls_send_finished ( tls ) ) != 0 ) {
3861  DBGC ( tls, "TLS %p could not send Finished: %s\n",
3862  tls, strerror ( rc ) );
3863  goto err;
3864  }
3865  tls->tx.pending &= ~TLS_TX_FINISHED;
3866  }
3867 
3868  /* Reschedule process if pending transmissions remain,
3869  * otherwise send notification of a window change.
3870  */
3871  if ( tls->tx.pending ) {
3872  tls_tx_resume ( tls );
3873  } else {
3874  xfer_window_changed ( &tls->plainstream );
3875  }
3876 
3877  return;
3878 
3879  err:
3880  tls_close ( tls, rc );
3881 }
3882 
3883 /** TLS TX process descriptor */
3884 static struct process_descriptor tls_process_desc =
3885  PROC_DESC_ONCE ( struct tls_connection, tx.process, tls_tx_step );
3886 
3887 /******************************************************************************
3888  *
3889  * Session management
3890  *
3891  ******************************************************************************
3892  */
3893 
3894 /**
3895  * Find or create session for TLS connection
3896  *
3897  * @v tls TLS connection
3898  * @v name Server name
3899  * @ret rc Return status code
3900  */
3901 static int tls_session ( struct tls_connection *tls, const char *name ) {
3902  struct tls_session *session;
3903  char *name_copy;
3904  int rc;
3905 
3906  /* Find existing matching session, if any */
3907  list_for_each_entry ( session, &tls_sessions, list ) {
3908  if ( ( strcmp ( name, session->name ) == 0 ) &&
3909  ( tls->server.root == session->root ) &&
3910  ( tls->client.key == session->key ) ) {
3911  ref_get ( &session->refcnt );
3912  tls->session = session;
3913  DBGC ( tls, "TLS %p joining session %s\n", tls, name );
3914  return 0;
3915  }
3916  }
3917 
3918  /* Create new session */
3919  session = zalloc ( sizeof ( *session ) + strlen ( name )
3920  + 1 /* NUL */ );
3921  if ( ! session ) {
3922  rc = -ENOMEM;
3923  goto err_alloc;
3924  }
3925  ref_init ( &session->refcnt, free_tls_session );
3926  name_copy = ( ( ( void * ) session ) + sizeof ( *session ) );
3927  strcpy ( name_copy, name );
3928  session->name = name_copy;
3929  session->root = x509_root_get ( tls->server.root );
3930  session->key = privkey_get ( tls->client.key );
3931  INIT_LIST_HEAD ( &session->conn );
3932  list_add ( &session->list, &tls_sessions );
3933 
3934  /* Record session */
3935  tls->session = session;
3936 
3937  DBGC ( tls, "TLS %p created session %s\n", tls, name );
3938  return 0;
3939 
3940  ref_put ( &session->refcnt );
3941  err_alloc:
3942  return rc;
3943 }
3944 
3945 /******************************************************************************
3946  *
3947  * Instantiator
3948  *
3949  ******************************************************************************
3950  */
3951 
3952 /**
3953  * Add TLS on an interface
3954  *
3955  * @v xfer Data transfer interface
3956  * @v name Host name
3957  * @v root Root of trust (or NULL to use default)
3958  * @v key Private key (or NULL to use default)
3959  * @ret rc Return status code
3960  */
3961 int add_tls ( struct interface *xfer, const char *name,
3962  struct x509_root *root, struct private_key *key ) {
3963  struct tls_connection *tls;
3964  int rc;
3965 
3966  /* Allocate and initialise TLS structure */
3967  tls = malloc ( sizeof ( *tls ) );
3968  if ( ! tls ) {
3969  rc = -ENOMEM;
3970  goto err_alloc;
3971  }
3972  memset ( tls, 0, sizeof ( *tls ) );
3973  ref_init ( &tls->refcnt, free_tls );
3974  INIT_LIST_HEAD ( &tls->list );
3975  intf_init ( &tls->plainstream, &tls_plainstream_desc, &tls->refcnt );
3976  intf_init ( &tls->cipherstream, &tls_cipherstream_desc, &tls->refcnt );
3977  intf_init ( &tls->server.validator, &tls_validator_desc, &tls->refcnt );
3978  process_init_stopped ( &tls->tx.process, &tls_process_desc,
3979  &tls->refcnt );
3980  tls->client.key = privkey_get ( key ? key : &private_key );
3981  tls->server.root = x509_root_get ( root ? root : &root_certificates );
3982  tls->version = TLS_VERSION_MAX;
3983  tls_clear_cipher ( tls, &tls->tx.cipherspec.active );
3984  tls_clear_cipher ( tls, &tls->tx.cipherspec.pending );
3985  tls_clear_cipher ( tls, &tls->rx.cipherspec.active );
3986  tls_clear_cipher ( tls, &tls->rx.cipherspec.pending );
3987  tls_clear_handshake ( tls );
3988  tls->client.random.gmt_unix_time = time ( NULL );
3989  iob_populate ( &tls->rx.iobuf, &tls->rx.header, 0,
3990  sizeof ( tls->rx.header ) );
3991  INIT_LIST_HEAD ( &tls->rx.data );
3992  if ( ( rc = tls_generate_random ( tls, &tls->client.random.random,
3993  ( sizeof ( tls->client.random.random ) ) ) ) != 0 ) {
3994  goto err_random;
3995  }
3996  if ( ( rc = tls_session ( tls, name ) ) != 0 )
3997  goto err_session;
3998  list_add_tail ( &tls->list, &tls->session->conn );
3999 
4000  /* Start negotiation */
4001  tls_restart ( tls );
4002 
4003  /* Attach to parent interface, mortalise self, and return */
4004  intf_insert ( xfer, &tls->plainstream, &tls->cipherstream );
4005  ref_put ( &tls->refcnt );
4006  return 0;
4007 
4008  err_session:
4009  err_random:
4010  ref_put ( &tls->refcnt );
4011  err_alloc:
4012  return rc;
4013 }
4014 
4015 /* Drag in objects via add_tls() */
4016 REQUIRING_SYMBOL ( add_tls );
4017 
4018 /* Drag in crypto configuration */
4019 REQUIRE_OBJECT ( config_crypto );
TLS_MAX_FRAGMENT_LENGTH_VALUE
#define TLS_MAX_FRAGMENT_LENGTH_VALUE
Advertised maximum fragment length.
Definition: tls.h:476
tls.h
Transport Layer Security Protocol.
cpu_to_be16
#define cpu_to_be16(value)
Definition: byteswap.h:109
tls_connection::verify
struct tls_verify_data verify
Verification data.
Definition: tls.h:463
memswap
void * memswap(void *first, void *second, size_t len)
Swap memory regions.
Definition: string.c:153
free_tls
static void free_tls(struct refcnt *refcnt)
Free TLS connection.
Definition: tls.c:382
x509_chain_put
static void x509_chain_put(struct x509_chain *chain)
Drop reference to X.509 certificate chain.
Definition: x509.h:299
process
A process.
Definition: process.h:17
iob_pull
#define iob_pull(iobuf, len)
Definition: iobuf.h:106
tls_send_certificate
static int tls_send_certificate(struct tls_connection *tls)
Transmit Certificate record.
Definition: tls.c:1359
tls_session::id
uint8_t id[32]
Session ID.
Definition: tls.h:347
hmac_init
void hmac_init(struct digest_algorithm *digest, void *ctx, const void *key, size_t key_len)
Initialise HMAC.
Definition: hmac.c:57
__attribute__
#define __attribute__(x)
Definition: compiler.h:10
tls_rx::header
struct tls_header header
Current received record header.
Definition: tls.h:384
interface_operation
An object interface operation.
Definition: interface.h:17
tls_session::extended_master_secret
int extended_master_secret
Extended master secret flag.
Definition: tls.h:357
length
u16 length
Definition: sky2.h:9
is_auth_cipher
static int is_auth_cipher(struct cipher_algorithm *cipher)
Definition: crypto.h:259
cipher_algorithm::blocksize
size_t blocksize
Block size.
Definition: crypto.h:60
tls_signature_hash_algorithm::digest
struct digest_algorithm * digest
Digest algorithm.
Definition: tls.h:282
x509_public_key::raw
struct asn1_cursor raw
Raw public key information.
Definition: x509.h:51
tls_auth_header::seq
uint64_t seq
Sequence number.
Definition: tls.h:149
tls_server::random
uint8_t random[32]
Random bytes.
Definition: tls.h:408
EINVAL_PADDING
#define EINVAL_PADDING
Definition: tls.c:94
rc
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
hash
pseudo_bit_t hash[0x00010]
Definition: arbel.h:13
tls_tx_resume_all
static void tls_tx_resume_all(struct tls_session *session)
Resume TX state machine for all connections within a session.
Definition: tls.c:1118
digest_update
static void digest_update(struct digest_algorithm *digest, void *ctx, const void *data, size_t len)
Definition: crypto.h:201
name
const char * name
Definition: ath9k_hw.c:1984
xfer_window_changed
void xfer_window_changed(struct interface *intf)
Report change of flow control window.
Definition: xfer.c:146
uint16_t
unsigned short uint16_t
Definition: stdint.h:11
tls_change_cipher
static int tls_change_cipher(struct tls_connection *tls, struct tls_cipherspec_pair *pair)
Activate next cipher suite.
Definition: tls.c:982
intf_close
void intf_close(struct interface *intf, int rc)
Close an object interface.
Definition: interface.c:249
md5_sha1_context
An MD5+SHA1 context.
Definition: tls.h:311
md5_sha1_digest::sha1
uint8_t sha1[SHA1_DIGEST_SIZE]
SHA-1 digest.
Definition: tls.h:326
tls_validator_done
static void tls_validator_done(struct tls_connection *tls, int rc)
Handle certificate validation completion.
Definition: tls.c:3702
privkey_put
static void privkey_put(struct private_key *key)
Drop reference to private key.
Definition: privkey.h:41
intf_restart
void intf_restart(struct interface *intf, int rc)
Shut down and restart an object interface.
Definition: interface.c:343
tls_send_record
static int tls_send_record(struct tls_connection *tls, unsigned int type, struct io_buffer *iobuf)
Send plaintext record(s)
Definition: tls.c:3052
tls_server::key
struct asn1_cursor key
Public key (within server certificate)
Definition: tls.h:418
asn1_builder::data
void * data
Data.
Definition: asn1.h:35
tls_cipher_suite_null
struct tls_cipher_suite tls_cipher_suite_null
Null cipher suite.
Definition: tls.c:850
tls_select_cipher
static int tls_select_cipher(struct tls_connection *tls, unsigned int cipher_suite)
Select next cipher suite.
Definition: tls.c:939
iob_put
#define iob_put(iobuf, len)
Definition: iobuf.h:124
va_end
#define va_end(ap)
Definition: stdarg.h:9
TLS_NUM_CIPHER_SUITES
#define TLS_NUM_CIPHER_SUITES
Number of supported cipher suites.
Definition: tls.c:858
xfer_metadata
Data transfer metadata.
Definition: xfer.h:22
intf_shutdown
void intf_shutdown(struct interface *intf, int rc)
Shut down an object interface.
Definition: interface.c:278
tls_tx_resume
static void tls_tx_resume(struct tls_connection *tls)
Resume TX state machine.
Definition: tls.c:1109
tls_new_ciphertext
static int tls_new_ciphertext(struct tls_connection *tls, struct tls_header *tlshdr, struct list_head *rx_data)
Receive new ciphertext record.
Definition: tls.c:3256
tls_newdata_process_header
static int tls_newdata_process_header(struct tls_connection *tls)
Handle received TLS header.
Definition: tls.c:3487
TLS_RENEGOTIATION_INFO
#define TLS_RENEGOTIATION_INFO
Definition: tls.h:144
xfer_deliver_iob
int xfer_deliver_iob(struct interface *intf, struct io_buffer *iobuf)
Deliver datagram as I/O buffer without metadata.
Definition: xfer.c:255
tls_cipherspec_pair
A TLS cipher specification pair.
Definition: tls.h:264
tls_tx::process
struct process process
Transmit process.
Definition: tls.h:372
certstore
struct x509_chain certstore
Certificate store.
Definition: certstore.c:89
max
#define max(x, y)
Definition: ath.h:40
tls_connection::session
struct tls_session * session
Session.
Definition: tls.h:433
tls_find_named_curve
static struct tls_named_curve * tls_find_named_curve(unsigned int named_curve)
Identify named curve.
Definition: tls.c:1085
tls_session::master_secret
uint8_t master_secret[48]
Master secret.
Definition: tls.h:355
tls_cipher_suite::exchange
struct tls_key_exchange_algorithm * exchange
Key exchange algorithm.
Definition: tls.h:194
tls_rx::data
struct list_head data
List of received data buffers.
Definition: tls.h:388
md5_sha1_digest::md5
uint8_t md5[MD5_DIGEST_SIZE]
MD5 digest.
Definition: tls.h:324
tls_cipher_suite::record_iv_len
uint8_t record_iv_len
Record initialisation vector length.
Definition: tls.h:210
tls_uint24
static unsigned long tls_uint24(const tls24_t *field24)
Extract 24-bit field value.
Definition: tls.c:236
tls_restart
static void tls_restart(struct tls_connection *tls)
Restart negotiation.
Definition: tls.c:1130
TLS_NUM_NAMED_CURVES
#define TLS_NUM_NAMED_CURVES
Number of supported named curves.
Definition: tls.c:1076
tls_rx::handshake
struct io_buffer * handshake
Received handshake fragment.
Definition: tls.h:390
dhe_key
int dhe_key(const void *modulus, size_t len, const void *generator, size_t generator_len, const void *partner, size_t partner_len, const void *private, size_t private_len, void *public, void *shared)
Calculate Diffie-Hellman key.
Definition: dhe.c:53
tls_signature_hash_pubkey
static struct pubkey_algorithm * tls_signature_hash_pubkey(struct tls_signature_hash_id code)
Find TLS signature algorithm.
Definition: tls.c:1037
sig
u8 sig
Definition: CIB_PRM.h:43
root
struct stp_switch root
Root switch.
Definition: stp.h:26
tls_client::negotiation
struct pending_operation negotiation
Security negotiation pending operation.
Definition: tls.h:402
list_add
#define list_add(new, head)
Add a new entry to the head of a list.
Definition: list.h:69
spec
uint16_t spec
ENA specification version.
Definition: ena.h:26
x509_chain::links
struct list_head links
List of links.
Definition: x509.h:204
tls_find_cipher_suite
static struct tls_cipher_suite * tls_find_cipher_suite(unsigned int cipher_suite)
Identify cipher suite.
Definition: tls.c:867
EPERM_KEY_EXCHANGE
#define EPERM_KEY_EXCHANGE
Definition: tls.c:182
first
uint32_t first
First block in range.
Definition: pccrr.h:14
ref_init
#define ref_init(refcnt, free)
Initialise a reference counter.
Definition: refcnt.h:64
errno.h
Error codes.
tls_connection::refcnt
struct refcnt refcnt
Reference counter.
Definition: tls.h:430
EINVAL_HELLO
#define EINVAL_HELLO
Definition: tls.c:66
tls_rx::cipherspec
struct tls_cipherspec_pair cipherspec
Cipher specifications.
Definition: tls.h:378
iob_push
#define iob_push(iobuf, len)
Definition: iobuf.h:88
tls_header::type
uint8_t type
Content type.
Definition: tls.h:33
tls_verify_handshake
static void tls_verify_handshake(struct tls_connection *tls, void *out)
Calculate handshake verification hash.
Definition: tls.c:834
x509_check_name
int x509_check_name(struct x509_certificate *cert, const char *name)
Check X.509 certificate name.
Definition: x509.c:1563
tls_send_client_key_exchange_pubkey
static int tls_send_client_key_exchange_pubkey(struct tls_connection *tls)
Transmit Client Key Exchange record using public key exchange.
Definition: tls.c:1416
iobuf.h
I/O buffers.
tls_cipherstream_deliver
static int tls_cipherstream_deliver(struct tls_connection *tls, struct io_buffer *iobuf, struct xfer_metadata *xfer __unused)
Receive new ciphertext.
Definition: tls.c:3623
free_iob
void free_iob(struct io_buffer *iobuf)
Free I/O buffer.
Definition: iobuf.c:152
alloc_iob_raw
struct io_buffer * alloc_iob_raw(size_t len, size_t align, size_t offset)
Allocate I/O buffer with specified alignment and offset.
Definition: iobuf.c:48
tls_add_handshake
static int tls_add_handshake(struct tls_connection *tls, const void *data, size_t len)
Add handshake record to verification hash.
Definition: tls.c:818
rbg_generate
int rbg_generate(const void *additional, size_t additional_len, int prediction_resist, void *data, size_t len)
Generate bits using RBG.
Definition: rbg.c:116
digest_final
static void digest_final(struct digest_algorithm *digest, void *ctx, void *out)
Definition: crypto.h:207
ENOTSUP_CURVE
#define ENOTSUP_CURVE
Definition: tls.c:162
type
uint32_t type
Operating system type.
Definition: ena.h:12
x509_append_raw
int x509_append_raw(struct x509_chain *chain, const void *data, size_t len)
Append X.509 certificate to X.509 certificate chain.
Definition: x509.c:1673
tls_generate_master_secret
static void tls_generate_master_secret(struct tls_connection *tls, const void *pre_master_secret, size_t pre_master_secret_len)
Generate master secret.
Definition: tls.c:642
LIST_HEAD
static LIST_HEAD(tls_sessions)
List of TLS session.
cipher_algorithm::alignsize
size_t alignsize
Alignment size.
Definition: crypto.h:72
ENOTSUP_VERSION
#define ENOTSUP_VERSION
Definition: tls.c:158
tls_plainstream_ops
static struct interface_operation tls_plainstream_ops[]
TLS plaintext stream interface operations.
Definition: tls.c:3459
asn1_prepend_raw
int asn1_prepend_raw(struct asn1_builder *builder, const void *data, size_t len)
Prepend raw data to ASN.1 builder.
Definition: asn1.c:936
pending_put
void pending_put(struct pending_operation *pending)
Mark an operation as no longer pending.
Definition: pending.c:58
TLS_CLIENT_HELLO
#define TLS_CLIENT_HELLO
Definition: tls.h:69
root_certificates
struct x509_root root_certificates
Root certificates.
Definition: rootcert.c:78
x509_certificate::signature_algorithm
struct asn1_algorithm * signature_algorithm
Signature algorithm.
Definition: x509.h:238
asn1_cursor::data
const void * data
Start of data.
Definition: asn1.h:22
DBGC
#define DBGC(...)
Definition: compiler.h:505
tls_server::exchange
void * exchange
Server Key Exchange record (if any)
Definition: tls.h:410
tls_connection::new_session_ticket_len
size_t new_session_ticket_len
Length of new session ticket.
Definition: tls.h:443
ENOMEM_RX_CONCAT
#define ENOMEM_RX_CONCAT
Definition: tls.c:142
process_descriptor
A process descriptor.
Definition: process.h:31
TLS_VERSION_TLS_1_2
#define TLS_VERSION_TLS_1_2
TLS version 1.2.
Definition: tls.h:47
TLS_CERTIFICATE
#define TLS_CERTIFICATE
Definition: tls.h:72
x509_append
int x509_append(struct x509_chain *chain, struct x509_certificate *cert)
Append X.509 certificate to X.509 certificate chain.
Definition: x509.c:1637
privkey_get
static struct private_key * privkey_get(struct private_key *key)
Get reference to private key.
Definition: privkey.h:30
tls_connection::session_id
uint8_t session_id[32]
Session ID.
Definition: tls.h:437
FILE_LICENCE
FILE_LICENCE(GPL2_OR_LATER)
x509_alloc_chain
struct x509_chain * x509_alloc_chain(void)
Allocate X.509 certificate chain.
Definition: x509.c:1614
x509_root_put
static void x509_root_put(struct x509_root *root)
Drop reference to X.509 root certificate list.
Definition: x509.h:403
EINVAL_HELLO_DONE
#define EINVAL_HELLO_DONE
Definition: tls.c:78
tls_header::length
uint16_t length
Length of payload.
Definition: tls.h:40
uint64_t
unsigned long long uint64_t
Definition: stdint.h:13
xfer_alloc_iob
struct io_buffer * xfer_alloc_iob(struct interface *intf, size_t len)
Allocate I/O buffer.
Definition: xfer.c:158
fixed
struct eltorito_descriptor_fixed fixed
Fixed portion.
Definition: eltorito.h:13
alert
void alert(unsigned int row, const char *fmt,...)
Show alert message.
Definition: message.c:103
pubkey_null
struct pubkey_algorithm pubkey_null
Definition: crypto_null.c:122
EPROTO_VERSION
#define EPROTO_VERSION
Definition: tls.c:190
EIO_ALERT
#define EIO_ALERT
Definition: tls.c:114
tls_pubkey_exchange_algorithm
struct tls_key_exchange_algorithm tls_pubkey_exchange_algorithm
Public key exchange algorithm.
Definition: tls.c:1485
data_len
uint32_t data_len
Microcode data size (or 0 to indicate 2000 bytes)
Definition: ucode.h:26
tls_signature_hash_digest
static struct digest_algorithm * tls_signature_hash_digest(struct tls_signature_hash_id code)
Find TLS hash algorithm.
Definition: tls.c:1056
tls_validator_ops
static struct interface_operation tls_validator_ops[]
TLS certificate validator interface operations.
Definition: tls.c:3754
ENOMEM_CHAIN
#define ENOMEM_CHAIN
Definition: tls.c:126
va_copy
#define va_copy(dest, src)
Definition: stdarg.h:10
ntohs
#define ntohs(value)
Definition: byteswap.h:136
TLS_SERVER_HELLO_DONE
#define TLS_SERVER_HELLO_DONE
Definition: tls.h:75
PROC_DESC_ONCE
#define PROC_DESC_ONCE(object_type, process, _step)
Define a process descriptor for a process that runs only once.
Definition: process.h:97
tls_close
static void tls_close(struct tls_connection *tls, int rc)
Finish with TLS connection.
Definition: tls.c:421
TLS_CERTIFICATE_REQUEST
#define TLS_CERTIFICATE_REQUEST
Definition: tls.h:74
tls_auth_header
TLS authentication header.
Definition: tls.h:147
pad
u32 pad[9]
Padding.
Definition: ar9003_mac.h:90
mac
uint8_t mac[ETH_ALEN]
MAC address.
Definition: ena.h:24
md5_sha1_final
static void md5_sha1_final(void *ctx, void *out)
Generate MD5+SHA1 digest.
Definition: tls.c:320
ctx
struct golan_eq_context ctx
Definition: CIB_PRM.h:28
tls_cipherspec
A TLS cipher specification.
Definition: tls.h:250
iob_populate
static void iob_populate(struct io_buffer *iobuf, void *data, size_t len, size_t max_len)
Create a temporary I/O buffer.
Definition: iobuf.h:194
EINVAL_CERTIFICATE
#define EINVAL_CERTIFICATE
Definition: tls.c:70
free_tls_session
static void free_tls_session(struct refcnt *refcnt)
Free TLS session.
Definition: tls.c:358
tls_key_exchange_algorithm::name
const char * name
Algorithm name.
Definition: tls.h:181
tls_cipher_suite::pubkey
struct pubkey_algorithm * pubkey
Public-key encryption algorithm.
Definition: tls.h:196
md5_sha1_init
static void md5_sha1_init(void *ctx)
Initialise MD5+SHA1 algorithm.
Definition: tls.c:293
list_last_entry
#define list_last_entry(list, type, member)
Get the container of the last entry in a list.
Definition: list.h:346
process_del
void process_del(struct process *process)
Remove process from process list.
Definition: process.c:79
code
static unsigned int code
Response code.
Definition: hyperv.h:26
out
__be32 out[4]
Definition: CIB_PRM.h:36
htonl
#define htonl(value)
Definition: byteswap.h:133
xfer_window
size_t xfer_window(struct interface *intf)
Check flow control window.
Definition: xfer.c:116
iv
u8 iv[16]
Initialization vector.
Definition: wpa.h:60
tls_hmac_final
static void tls_hmac_final(struct tls_cipherspec *cipherspec, void *ctx, void *hmac)
Finalise HMAC.
Definition: tls.c:2941
tls_cipherstream_desc
static struct interface_descriptor tls_cipherstream_desc
TLS ciphertext stream interface descriptor.
Definition: tls.c:3685
list_head
A doubly-linked list entry (or list head)
Definition: list.h:18
TLS_MAX_FRAGMENT_LENGTH
#define TLS_MAX_FRAGMENT_LENGTH
Definition: tls.h:122
tls_send_handshake
static int tls_send_handshake(struct tls_connection *tls, const void *data, size_t len)
Transmit Handshake record.
Definition: tls.c:1153
xfer.h
Data transfer interfaces.
asn1_cursor::len
size_t len
Length of data.
Definition: asn1.h:24
refcnt
A reference counter.
Definition: refcnt.h:26
privkey_cursor
static struct asn1_cursor * privkey_cursor(struct private_key *key)
Get private key ASN.1 cursor.
Definition: privkey.h:52
tls_validator_desc
static struct interface_descriptor tls_validator_desc
TLS certificate validator interface descriptor.
Definition: tls.c:3759
EINVAL_CHANGE_CIPHER
#define EINVAL_CHANGE_CIPHER
Definition: tls.c:58
privkey.h
Private key.
TLS_NAMED_CURVE
#define TLS_NAMED_CURVE
Definition: tls.h:129
tls_client::key
struct private_key * key
Private key (if used)
Definition: tls.h:398
list_empty
#define list_empty(list)
Test whether a list is empty.
Definition: list.h:136
tls_hmac_list
static void tls_hmac_list(struct tls_cipherspec *cipherspec, struct tls_auth_header *authhdr, struct list_head *list, void *hmac)
Calculate HMAC over list of I/O buffers.
Definition: tls.c:2976
tmp
unsigned long tmp
Definition: linux_pci.h:64
tls_connection::server
struct tls_server server
Server state.
Definition: tls.h:472
ENOMEM_CONTEXT
#define ENOMEM_CONTEXT
Definition: tls.c:118
asn1_algorithm::pubkey
struct pubkey_algorithm * pubkey
Public-key algorithm (if applicable)
Definition: asn1.h:389
cipher_encrypt
#define cipher_encrypt(cipher, ctx, src, dst, len)
Definition: crypto.h:228
list_first_entry
#define list_first_entry(list, type, member)
Get the container of the first entry in a list.
Definition: list.h:333
tls_session::refcnt
struct refcnt refcnt
Reference counter.
Definition: tls.h:335
cipher_algorithm::authsize
size_t authsize
Authentication tag size.
Definition: crypto.h:74
EINVAL_MAC
#define EINVAL_MAC
Definition: tls.c:102
list_del
#define list_del(list)
Delete an entry from a list.
Definition: list.h:119
tls_send_client_key_exchange_ecdhe
static int tls_send_client_key_exchange_ecdhe(struct tls_connection *tls)
Transmit Client Key Exchange record using ECDHE key exchange.
Definition: tls.c:1711
io_buffer::tail
void * tail
End of data.
Definition: iobuf.h:54
tls_new_hello_request
static int tls_new_hello_request(struct tls_connection *tls, const void *data __unused, size_t len __unused)
Receive new Hello Request handshake record.
Definition: tls.c:2085
ENOMEM
#define ENOMEM
Not enough space.
Definition: errno.h:534
pubkey_sign
static int pubkey_sign(struct pubkey_algorithm *pubkey, const struct asn1_cursor *key, struct digest_algorithm *digest, const void *value, struct asn1_builder *signature)
Definition: crypto.h:278
ENOTSUP_NULL
#define ENOTSUP_NULL
Definition: tls.c:150
iob_disown
#define iob_disown(iobuf)
Disown an I/O buffer.
Definition: iobuf.h:216
TLS_NAMED_CURVE_TYPE
#define TLS_NAMED_CURVE_TYPE
TLS named curved type.
Definition: tls.h:224
tls_connection::handshake_ctx
uint8_t * handshake_ctx
Digest algorithm context used for handshake verification.
Definition: tls.h:457
memcpy
void * memcpy(void *dest, const void *src, size_t len) __nonnull
ecdhe.h
Elliptic Curve Ephemeral Diffie-Hellman (ECDHE) key exchange.
certstore.h
Certificate store.
va_arg
#define va_arg(ap, type)
Definition: stdarg.h:8
tls_hmac_update_va
static void tls_hmac_update_va(struct digest_algorithm *digest, void *ctx, va_list args)
Update HMAC with a list of ( data, len ) pairs.
Definition: tls.c:482
tls_key_exchange_algorithm::exchange
int(* exchange)(struct tls_connection *tls)
Transmit Client Key Exchange record.
Definition: tls.h:188
version
u32 version
Driver version.
Definition: ath9k_hw.c:1983
REQUIRE_OBJECT
REQUIRE_OBJECT(config_crypto)
tls_newdata_process_data
static int tls_newdata_process_data(struct tls_connection *tls)
Handle received TLS data payload.
Definition: tls.c:3570
create_validator
int create_validator(struct interface *job, struct x509_chain *chain, struct x509_root *root)
Instantiate a certificate validator.
Definition: validator.c:759
TLS_TYPE_CHANGE_CIPHER
#define TLS_TYPE_CHANGE_CIPHER
Change cipher content type.
Definition: tls.h:53
ENOTSUP_CIPHER
#define ENOTSUP_CIPHER
Definition: tls.c:146
tls_session::id_len
size_t id_len
Length of session ID.
Definition: tls.h:349
assert
assert((readw(&hdr->flags) &(GTF_reading|GTF_writing))==0)
container_of
#define container_of(ptr, type, field)
Get containing structure.
Definition: stddef.h:35
validator.h
Certificate validator.
tls_signature_hash_algorithm
static struct tls_signature_hash_algorithm * tls_signature_hash_algorithm(struct pubkey_algorithm *pubkey, struct digest_algorithm *digest)
Find TLS signature and hash algorithm.
Definition: tls.c:1015
interface
An object interface.
Definition: interface.h:124
hmac.h
Keyed-Hashing for Message Authentication.
ENOMEM_RX_DATA
#define ENOMEM_RX_DATA
Definition: tls.c:138
TLS_RX_ALIGN
#define TLS_RX_ALIGN
RX I/O buffer alignment.
Definition: tls.h:505
tls_connection::new_session_ticket
void * new_session_ticket
New session ticket.
Definition: tls.h:441
tls_connection::client
struct tls_client client
Client state.
Definition: tls.h:470
tls_progress
static int tls_progress(struct tls_connection *tls, struct job_progress *progress)
Report job progress.
Definition: tls.c:3447
tls_send_change_cipher
static int tls_send_change_cipher(struct tls_connection *tls)
Transmit Change Cipher record.
Definition: tls.c:1950
tls_cipherspec::cipher_ctx
void * cipher_ctx
Bulk encryption cipher context.
Definition: tls.h:256
tls_tx_step
static void tls_tx_step(struct tls_connection *tls)
TLS TX state machine.
Definition: tls.c:3775
tls_iob_reserved
static size_t tls_iob_reserved(struct tls_connection *tls, size_t len)
Calculate maximum additional length required for transmitted record(s)
Definition: tls.c:2998
tls_connection::extended_master_secret
int extended_master_secret
Extended master secret flag.
Definition: tls.h:461
list_for_each_entry
#define list_for_each_entry(pos, head, member)
Iterate over entries in a list.
Definition: list.h:431
value
pseudo_bit_t value[0x00020]
Definition: arbel.h:13
TLS_SESSION_TICKET
#define TLS_SESSION_TICKET
Definition: tls.h:141
DBGC_HDA
#define DBGC_HDA(...)
Definition: compiler.h:506
__unused
#define __unused
Declare a variable or data structure as unused.
Definition: compiler.h:573
tls_new_session_ticket
static int tls_new_session_ticket(struct tls_connection *tls, const void *data, size_t len)
Receive New Session Ticket handshake record.
Definition: tls.c:2318
list_add_tail
#define list_add_tail(new, head)
Add a new entry to the tail of a list.
Definition: list.h:93
tls_cipherspec::suite
struct tls_cipher_suite * suite
Cipher suite.
Definition: tls.h:252
tls_hmac_update
static void tls_hmac_update(struct tls_cipherspec *cipherspec, void *ctx, const void *data, size_t len)
Update HMAC.
Definition: tls.c:2927
len
ring len
Length.
Definition: dwmac.h:231
EINVAL_FINISHED
#define EINVAL_FINISHED
Definition: tls.c:82
tls_cipher_suite::digest
struct digest_algorithm * digest
MAC digest algorithm.
Definition: tls.h:200
tls_prf
static void tls_prf(struct tls_connection *tls, const void *secret, size_t secret_len, void *out, size_t out_len,...)
Generate secure pseudo-random data.
Definition: tls.c:566
tls_connection::list
struct list_head list
List of connections within the same session.
Definition: tls.h:435
tls_client_random::gmt_unix_time
uint32_t gmt_unix_time
GMT Unix time.
Definition: tls.h:305
be16_to_cpu
#define be16_to_cpu(value)
Definition: byteswap.h:115
link
u32 link
Link to next descriptor.
Definition: ar9003_mac.h:68
tls_cipher_suite::fixed_iv_len
uint8_t fixed_iv_len
Fixed initialisation vector length.
Definition: tls.h:208
count
static unsigned int count
Number of entries.
Definition: dwmac.h:225
tls_cipher_suite
A TLS cipher suite.
Definition: tls.h:192
strcpy
char * strcpy(char *dest, const char *src)
Copy string.
Definition: string.c:346
TLS_SERVER_NAME
#define TLS_SERVER_NAME
Definition: tls.h:118
tls_signature_hash_algorithm
A TLS signature algorithm.
Definition: tls.h:280
is_pending
static int is_pending(struct pending_operation *pending)
Check if an operation is pending.
Definition: pending.h:24
TLS_TX_BUFSIZE
#define TLS_TX_BUFSIZE
TX maximum fragment length.
Definition: tls.h:484
EPERM_VERIFY
#define EPERM_VERIFY
Definition: tls.c:170
tls_new_alert
static int tls_new_alert(struct tls_connection *tls, struct io_buffer *iobuf)
Receive new Alert record.
Definition: tls.c:2043
EPERM_EMS
#define EPERM_EMS
Definition: tls.c:186
x509_root_get
static struct x509_root * x509_root_get(struct x509_root *root)
Get reference to X.509 root certificate list.
Definition: x509.h:392
tls_session::ticket_len
size_t ticket_len
Length of session ticket.
Definition: tls.h:353
tls_connection::master_secret
uint8_t master_secret[48]
Master secret.
Definition: tls.h:453
tls_session::list
struct list_head list
List of sessions.
Definition: tls.h:337
tls_hmac_init
static void tls_hmac_init(struct tls_cipherspec *cipherspec, void *ctx, struct tls_auth_header *authhdr)
Initialise HMAC.
Definition: tls.c:2910
TLS_ALERT_WARNING
#define TLS_ALERT_WARNING
Definition: tls.h:81
tls_send_client_key_exchange
static int tls_send_client_key_exchange(struct tls_connection *tls)
Transmit Client Key Exchange record.
Definition: tls.c:1841
tls_new_data
static int tls_new_data(struct tls_connection *tls, struct list_head *rx_data)
Receive new data record.
Definition: tls.c:2800
elliptic_curve::name
const char * name
Curve name.
Definition: crypto.h:179
tls_tx::cipherspec
struct tls_cipherspec_pair cipherspec
Cipher specifications.
Definition: tls.h:366
EINVAL_RX_STATE
#define EINVAL_RX_STATE
Definition: tls.c:98
tls_new_change_cipher
static int tls_new_change_cipher(struct tls_connection *tls, struct io_buffer *iobuf)
Receive new Change Cipher record.
Definition: tls.c:2008
TLS_RX_BUFSIZE
#define TLS_RX_BUFSIZE
RX I/O buffer size.
Definition: tls.h:494
list_for_each_entry_safe
#define list_for_each_entry_safe(pos, tmp, head, member)
Iterate over entries in a list, safe against deletion of the current entry.
Definition: list.h:458
cpu_to_le32
#define cpu_to_le32(value)
Definition: byteswap.h:107
ecdhe_key
int ecdhe_key(struct elliptic_curve *curve, const void *partner, const void *private, void *public, void *shared)
Calculate ECDHE key.
Definition: ecdhe.c:45
TLS_NAMED_CURVES
#define TLS_NAMED_CURVES
TLS named curve table.
Definition: tls.h:242
md5_sha1_algorithm
static struct digest_algorithm md5_sha1_algorithm
Hybrid MD5+SHA1 digest algorithm.
Definition: tls.c:329
rbg.h
RBG mechanism.
x509_subject::public_key
struct x509_public_key public_key
Public key information.
Definition: x509.h:65
process_add
void process_add(struct process *process)
Add process to process list.
Definition: process.c:59
tls_named_curve::pre_master_secret_len
uint8_t pre_master_secret_len
Pre-master secret length.
Definition: tls.h:238
ENOTCONN
#define ENOTCONN
The socket is not connected.
Definition: errno.h:569
aes.h
AES algorithm.
DBGC2_HDA
#define DBGC2_HDA(...)
Definition: compiler.h:523
digest_init
static void digest_init(struct digest_algorithm *digest, void *ctx)
Definition: crypto.h:196
elliptic_curve::keysize
size_t keysize
Scalar (and private key) size.
Definition: crypto.h:183
iob_concatenate
struct io_buffer * iob_concatenate(struct list_head *list)
Concatenate I/O buffers into a single buffer.
Definition: iobuf.c:249
interface_descriptor
An object interface descriptor.
Definition: interface.h:55
TLS_NUM_SIG_HASH_ALGORITHMS
#define TLS_NUM_SIG_HASH_ALGORITHMS
Number of supported signature and hash algorithms.
Definition: tls.c:1004
TLS_HELLO_REQUEST
#define TLS_HELLO_REQUEST
Definition: tls.h:68
tls_auth_header::header
struct tls_header header
TLS header.
Definition: tls.h:151
iob_unput
#define iob_unput(iobuf, len)
Definition: iobuf.h:139
x509_link
A link in an X.509 certificate chain.
Definition: x509.h:170
hmac_update
static void hmac_update(struct digest_algorithm *digest, void *ctx, const void *data, size_t len)
Update HMAC.
Definition: hmac.h:42
x509_auto_append
int x509_auto_append(struct x509_chain *chain, struct x509_chain *store)
Append X.509 certificates to X.509 certificate chain.
Definition: x509.c:1867
x509_last
static struct x509_certificate * x509_last(struct x509_chain *chain)
Get last certificate in X.509 certificate chain.
Definition: x509.h:324
tls_send_plaintext
static int tls_send_plaintext(struct tls_connection *tls, unsigned int type, const void *data, size_t len)
Send plaintext record.
Definition: tls.c:3195
hmac_ctxsize
static size_t hmac_ctxsize(struct digest_algorithm *digest)
Calculate HMAC context size.
Definition: hmac.h:28
strerror
char * strerror(int errno)
Retrieve string representation of error number.
Definition: strerror.c:78
tls_tx::seq
uint64_t seq
Sequence number.
Definition: tls.h:368
x509_certificate
An X.509 certificate.
Definition: x509.h:215
free
static void(* free)(struct refcnt *refcnt))
Definition: refcnt.h:54
tls_connection::cipherstream
struct interface cipherstream
Ciphertext stream.
Definition: tls.h:448
tls_server::negotiation
struct pending_operation negotiation
Security negotiation pending operation.
Definition: tls.h:424
zalloc
void * zalloc(size_t size)
Allocate cleared memory.
Definition: malloc.c:661
DBGC2_HD
#define DBGC2_HD(...)
Definition: compiler.h:524
tls_new_finished
static int tls_new_finished(struct tls_connection *tls, const void *data, size_t len)
Receive new Finished handshake record.
Definition: tls.c:2617
x509_certificate::subject
struct x509_subject subject
Subject.
Definition: x509.h:244
tls_signature_hash_id::hash
uint8_t hash
Hash algorithm.
Definition: tls.h:274
tls_session::ticket
void * ticket
Session ticket.
Definition: tls.h:351
ref_get
#define ref_get(refcnt)
Get additional reference to object.
Definition: refcnt.h:92
digest_null
struct digest_algorithm digest_null
Definition: crypto_null.c:48
tls_named_curve::curve
struct elliptic_curve * curve
Elliptic curve.
Definition: tls.h:232
iob_len
static size_t iob_len(struct io_buffer *iobuf)
Calculate length of data in an I/O buffer.
Definition: iobuf.h:159
tls_cipherstream_ops
static struct interface_operation tls_cipherstream_ops[]
TLS ciphertext stream interface operations.
Definition: tls.c:3674
job_progress
Job progress.
Definition: job.h:15
INTF_OP
#define INTF_OP(op_type, object_type, op_func)
Define an object interface operation.
Definition: interface.h:32
tls_server::chain
struct x509_chain * chain
Certificate chain.
Definition: tls.h:416
tls_new_server_hello
static int tls_new_server_hello(struct tls_connection *tls, const void *data, size_t len)
Receive new Server Hello handshake record.
Definition: tls.c:2116
EINVAL_ALERT
#define EINVAL_ALERT
Definition: tls.c:62
DBGC_HD
#define DBGC_HD(...)
Definition: compiler.h:507
cipher_setiv
static void cipher_setiv(struct cipher_algorithm *cipher, void *ctx, const void *iv, size_t ivlen)
Definition: crypto.h:218
asn1_builder
An ASN.1 object builder.
Definition: asn1.h:28
for_each_table_entry
#define for_each_table_entry(pointer, table)
Iterate through all entries within a linker table.
Definition: tables.h:385
tls_cipher_suite::mac_len
uint8_t mac_len
MAC length.
Definition: tls.h:212
random
long int random(void)
Generate a pseudo-random number between 0 and 2147483647L or 2147483562?
Definition: random.c:31
iob_tailroom
static size_t iob_tailroom(struct io_buffer *iobuf)
Calculate available space at end of an I/O buffer.
Definition: iobuf.h:179
xfer_deliver
int xfer_deliver(struct interface *intf, struct io_buffer *iobuf, struct xfer_metadata *meta)
Deliver datagram.
Definition: xfer.c:194
strlen
size_t strlen(const char *src)
Get length of string.
Definition: string.c:243
tls_server::validation
struct pending_operation validation
Certificate validation pending operation.
Definition: tls.h:422
tls_verify_dh_params
static int tls_verify_dh_params(struct tls_connection *tls, size_t param_len)
Verify Diffie-Hellman parameter signature.
Definition: tls.c:1497
rsa_digestinfo_prefix
An RSA digestInfo prefix.
Definition: rsa.h:42
uint8_t
unsigned char uint8_t
Definition: stdint.h:10
tls_signature_hash_id::signature
uint8_t signature
Signature algorithm.
Definition: tls.h:276
open.h
Data transfer interface opening.
TLS_ALERT_FATAL
#define TLS_ALERT_FATAL
Definition: tls.h:82
EPERM_RENEG_VERIFY
#define EPERM_RENEG_VERIFY
Definition: tls.c:178
TLS_SIG_HASH_ALGORITHMS
#define TLS_SIG_HASH_ALGORITHMS
TLS signature hash algorithm table.
Definition: tls.h:294
REQUIRING_SYMBOL
REQUIRING_SYMBOL(add_tls)
keysize
u16 keysize
Length of encryption key to be used, network byte order.
Definition: wpa.h:37
hello
uint16_t hello
Hello time.
Definition: stp.h:38
process_init_stopped
static void process_init_stopped(struct process *process, struct process_descriptor *desc, struct refcnt *refcnt)
Initialise process without adding to process list.
Definition: process.h:145
x509.h
X.509 certificates.
tls_tx::pending
unsigned int pending
Pending transmissions.
Definition: tls.h:370
lifetime
u32 lifetime
For Lifetime-type KDEs, the lifetime in seconds.
Definition: wpa.h:54
tls_cipherspec_pair::pending
struct tls_cipherspec pending
Next cipher specification.
Definition: tls.h:268
cipher_algorithm::ctxsize
size_t ctxsize
Context size.
Definition: crypto.h:54
cipher_decrypt
#define cipher_decrypt(cipher, ctx, src, dst, len)
Definition: crypto.h:238
uint32_t
unsigned int uint32_t
Definition: stdint.h:12
next
uint32_t next
Next descriptor address.
Definition: dwmac.h:22
TLS_EXTENDED_MASTER_SECRET
#define TLS_EXTENDED_MASTER_SECRET
Definition: tls.h:138
malloc
void * malloc(size_t size)
Allocate memory.
Definition: malloc.c:620
tls_plainstream_deliver
static int tls_plainstream_deliver(struct tls_connection *tls, struct io_buffer *iobuf, struct xfer_metadata *meta __unused)
Deliver datagram as raw data.
Definition: tls.c:3419
tls_new_certificate_request
static int tls_new_certificate_request(struct tls_connection *tls, const void *data __unused, size_t len __unused)
Receive new Certificate Request handshake record.
Definition: tls.c:2521
memmove
void * memmove(void *dest, const void *src, size_t len) __nonnull
TLS_RX_MIN_BUFSIZE
#define TLS_RX_MIN_BUFSIZE
Minimum RX I/O buffer size.
Definition: tls.h:502
tls_connection::rx
struct tls_rx rx
Receive state.
Definition: tls.h:468
cipher_null
struct cipher_algorithm cipher_null
Definition: crypto_null.c:83
crypto.h
Cryptographic configuration.
job.h
Job control interfaces.
tls_signature_hash_algorithm::code
struct tls_signature_hash_id code
Numeric code.
Definition: tls.h:286
TLS_NEW_SESSION_TICKET
#define TLS_NEW_SESSION_TICKET
Definition: tls.h:71
ext
uint16_t ext
Extended status.
Definition: ena.h:20
tls_rx::state
enum tls_rx_state state
State machine current state.
Definition: tls.h:382
TLS_VERSION_MAX
#define TLS_VERSION_MAX
Maximum supported TLS version.
Definition: tls.h:50
TLS_SERVER_NAME_HOST_NAME
#define TLS_SERVER_NAME_HOST_NAME
Definition: tls.h:119
tls_verify_data::client
uint8_t client[12]
Client verification data.
Definition: tls.h:157
md5_sha1_digest
An MD5+SHA1 digest.
Definition: tls.h:322
x509_root
An X.509 root certificate list.
Definition: x509.h:374
tls_header
A TLS header.
Definition: tls.h:28
time.h
Date and time.
tls_connection::tx
struct tls_tx tx
Transmit state.
Definition: tls.h:466
pending.h
Pending operations.
pad_len
long pad_len
Definition: bigint.h:30
TLS_TYPE_HANDSHAKE
#define TLS_TYPE_HANDSHAKE
Handshake content type.
Definition: tls.h:62
rsa.h
RSA public-key cryptography.
tls24_t
A TLS 24-bit integer.
Definition: tls.c:221
tls_plainstream_desc
static struct interface_descriptor tls_plainstream_desc
TLS plaintext stream interface descriptor.
Definition: tls.c:3470
iob_reserve
#define iob_reserve(iobuf, len)
Definition: iobuf.h:71
tls_generate_keys
static int tls_generate_keys(struct tls_connection *tls)
Generate key material.
Definition: tls.c:692
intf_insert
void intf_insert(struct interface *intf, struct interface *upper, struct interface *lower)
Insert a filter interface.
Definition: interface.c:401
INIT_LIST_HEAD
#define INIT_LIST_HEAD(list)
Initialise a list head.
Definition: list.h:45
INTF_DESC
#define INTF_DESC(object_type, intf, operations)
Define an object interface descriptor.
Definition: interface.h:80
x509_name
const char * x509_name(struct x509_certificate *cert)
Get X.509 certificate display name.
Definition: x509.c:146
tls_version
static int tls_version(struct tls_connection *tls, unsigned int version)
Check for TLS version.
Definition: tls.c:276
tls_send_certificate_verify
static int tls_send_certificate_verify(struct tls_connection *tls)
Transmit Certificate Verify record.
Definition: tls.c:1869
EPERM_RENEG_INSECURE
#define EPERM_RENEG_INSECURE
Definition: tls.c:174
tls_connection::handshake_digest
struct digest_algorithm * handshake_digest
Digest algorithm used for handshake verification.
Definition: tls.h:455
tls_client_random::random
uint8_t random[28]
Random data.
Definition: tls.h:307
tls_client_hello
static int tls_client_hello(struct tls_connection *tls, int(*action)(struct tls_connection *tls, const void *data, size_t len))
Digest or transmit Client Hello record.
Definition: tls.c:1167
tls_rx::seq
uint64_t seq
Sequence number.
Definition: tls.h:380
ENOMEM_TX_PLAINTEXT
#define ENOMEM_TX_PLAINTEXT
Definition: tls.c:130
tls_hmac
static void tls_hmac(struct tls_cipherspec *cipherspec, struct tls_auth_header *authhdr, const void *data, size_t len, void *hmac)
Calculate HMAC.
Definition: tls.c:2957
io_buffer::list
struct list_head list
List of which this buffer is a member.
Definition: iobuf.h:44
EINVAL_IV
#define EINVAL_IV
Definition: tls.c:90
tls_new_handshake
static int tls_new_handshake(struct tls_connection *tls, struct io_buffer *iobuf)
Receive new Handshake record.
Definition: tls.c:2695
tls_parse_chain
static int tls_parse_chain(struct tls_connection *tls, const void *data, size_t len)
Parse certificate chain.
Definition: tls.c:2369
tls_session
A TLS session.
Definition: tls.h:333
pubkey_verify
static int pubkey_verify(struct pubkey_algorithm *pubkey, const struct asn1_cursor *key, struct digest_algorithm *digest, const void *value, const struct asn1_cursor *signature)
Definition: crypto.h:285
digest_algorithm::ctxsize
size_t ctxsize
Context size.
Definition: crypto.h:22
TLS_SERVER_KEY_EXCHANGE
#define TLS_SERVER_KEY_EXCHANGE
Definition: tls.h:73
tls_process_desc
static struct process_descriptor tls_process_desc
TLS TX process descriptor.
Definition: tls.c:3884
DBGC2
#define DBGC2(...)
Definition: compiler.h:522
va_list
__builtin_va_list va_list
Definition: stdarg.h:6
pubkey_encrypt
static int pubkey_encrypt(struct pubkey_algorithm *pubkey, const struct asn1_cursor *key, const struct asn1_cursor *plaintext, struct asn1_builder *ciphertext)
Definition: crypto.h:264
strcmp
int strcmp(const char *first, const char *second)
Compare strings.
Definition: string.c:173
digest_algorithm::digestsize
size_t digestsize
Digest size.
Definition: crypto.h:26
sha1.h
SHA-1 algorithm.
digest_algorithm::name
const char * name
Algorithm name.
Definition: crypto.h:20
md5_sha1_context::sha1
uint8_t sha1[SHA1_CTX_SIZE]
SHA-1 context.
Definition: tls.h:315
tls_rx::iobuf
struct io_buffer iobuf
Current received record header (static I/O buffer)
Definition: tls.h:386
tls_cipher_suite::handshake
struct digest_algorithm * handshake
Handshake digest algorithm (for TLSv1.2 and above)
Definition: tls.h:202
io_buffer::data
void * data
Start of data.
Definition: iobuf.h:52
x509_first
static struct x509_certificate * x509_first(struct x509_chain *chain)
Get first certificate in X.509 certificate chain.
Definition: x509.h:310
tls24_t::low
uint16_t low
Low word.
Definition: tls.c:225
dhe.h
Ephemeral Diffie-Hellman key exchange.
tls_server::validator
struct interface validator
Certificate validator.
Definition: tls.h:420
header
struct ena_llq_option header
Header locations.
Definition: ena.h:16
job_progress
int job_progress(struct interface *intf, struct job_progress *progress)
Get job progress.
Definition: job.c:43
ENOMEM_CERTIFICATE
#define ENOMEM_CERTIFICATE
Definition: tls.c:122
tls_client::chain
struct x509_chain * chain
Certificate chain (if used)
Definition: tls.h:400
tls_header::version
uint16_t version
Protocol version.
Definition: tls.h:38
EPERM_ALERT
#define EPERM_ALERT
Definition: tls.c:166
digest_algorithm
A message digest algorithm.
Definition: crypto.h:18
dest
if(len >=6 *4) __asm__ __volatile__("movsl" if(len >=5 *4) __asm__ __volatile__("movsl" if(len >=4 *4) __asm__ __volatile__("movsl" if(len >=3 *4) __asm__ __volatile__("movsl" if(len >=2 *4) __asm__ __volatile__("movsl" if(len >=1 *4) __asm__ __volatile__("movsl" if((len % 4) >=2) __asm__ __volatile__("movsw" if((len % 2) >=1) __asm__ __volatile__("movsb" return dest
Definition: string.h:150
tls_connection::version
uint16_t version
Protocol version.
Definition: tls.h:451
cpu_to_be64
#define cpu_to_be64(value)
Definition: byteswap.h:111
data
uint8_t data[48]
Additional event data.
Definition: ena.h:22
tls_clear_handshake
static void tls_clear_handshake(struct tls_connection *tls)
Clear handshake digest algorithm.
Definition: tls.c:777
tls_cipherspec_pair::active
struct tls_cipherspec active
Current cipher specification.
Definition: tls.h:266
cipher_algorithm
A cipher algorithm.
Definition: crypto.h:50
private_key
A private key.
Definition: privkey.h:16
tls_verify_data::server
uint8_t server[12]
Server verification data.
Definition: tls.h:159
tls_key_exchange_algorithm
A TLS key exchange algorithm.
Definition: tls.h:179
rsa_digestinfo_prefix::digest
struct digest_algorithm * digest
Digest algorithm.
Definition: rsa.h:44
tls_session::root
struct x509_root * root
Root of trust.
Definition: tls.h:342
rootcert.h
Root certificate store.
tls_connection
A TLS connection.
Definition: tls.h:428
hmac_final
void hmac_final(struct digest_algorithm *digest, void *ctx, void *hmac)
Finalise HMAC.
Definition: hmac.c:87
tls_clear_cipher
static void tls_clear_cipher(struct tls_connection *tls, struct tls_cipherspec *cipherspec)
tls_session::key
struct private_key * key
Private key.
Definition: tls.h:344
tls_client::random
struct tls_client_random random
Random bytes.
Definition: tls.h:396
x509_find_key
struct x509_certificate * x509_find_key(struct x509_chain *store, struct private_key *key)
Identify X.509 certificate by corresponding public key.
Definition: x509.c:1834
cipher_auth
static void cipher_auth(struct cipher_algorithm *cipher, void *ctx, void *auth)
Definition: crypto.h:244
md5_sha1_context::md5
uint8_t md5[MD5_CTX_SIZE]
MD5 context.
Definition: tls.h:313
EINVAL_TICKET
#define EINVAL_TICKET
Definition: tls.c:106
INTF_DESC_PASSTHRU
#define INTF_DESC_PASSTHRU(object_type, intf, operations, passthru)
Define an object interface descriptor with pass-through interface.
Definition: interface.h:97
tls_set_uint24
static void tls_set_uint24(tls24_t *field24, unsigned long value)
Set 24-bit field value.
Definition: tls.c:247
tls_new_record
static int tls_new_record(struct tls_connection *tls, unsigned int type, struct list_head *rx_data)
Receive new record.
Definition: tls.c:2832
tls_cipher_suite::cipher
struct cipher_algorithm * cipher
Bulk encryption cipher algorithm.
Definition: tls.h:198
tls_ecdhe_exchange_algorithm
struct tls_key_exchange_algorithm tls_ecdhe_exchange_algorithm
Ephemeral Elliptic Curve Diffie-Hellman key exchange algorithm.
Definition: tls.c:1830
tls_session::conn
struct list_head conn
List of connections.
Definition: tls.h:360
tls_cipherstream_window
static size_t tls_cipherstream_window(struct tls_connection *tls)
Check flow control window.
Definition: tls.c:3606
tls_connection::secure_renegotiation
int secure_renegotiation
Secure renegotiation flag.
Definition: tls.h:459
tls_named_curve
A TLS named curve.
Definition: tls.h:230
tls_send_finished
static int tls_send_finished(struct tls_connection *tls)
Transmit Finished record.
Definition: tls.c:1967
typeof
typeof(acpi_finder=acpi_find)
ACPI table finder.
Definition: acpi.c:47
EINVAL_KEY_EXCHANGE
#define EINVAL_KEY_EXCHANGE
Definition: tls.c:110
tls_new_certificate
static int tls_new_certificate(struct tls_connection *tls, const void *data, size_t len)
Receive new Certificate handshake record.
Definition: tls.c:2450
tls_signature_hash_algorithm::pubkey
struct pubkey_algorithm * pubkey
Public-key algorithm.
Definition: tls.h:284
tls_p_hash_va
static void tls_p_hash_va(struct tls_connection *tls, struct digest_algorithm *digest, const void *secret, size_t secret_len, void *out, size_t out_len, va_list seeds)
Generate secure pseudo-random data using a single hash function.
Definition: tls.c:504
tls_session
static int tls_session(struct tls_connection *tls, const char *name)
Find or create session for TLS connection.
Definition: tls.c:3901
tls_cipherspec::dynamic
void * dynamic
Dynamically-allocated storage.
Definition: tls.h:254
tls24_t::high
uint8_t high
High byte.
Definition: tls.c:223
offset
uint16_t offset
Offset to command line.
Definition: bzimage.h:8
meta
uint8_t meta
Metadata flags.
Definition: ena.h:14
tls_send_client_hello
static int tls_send_client_hello(struct tls_connection *tls)
Transmit Client Hello record.
Definition: tls.c:1348
va_start
#define va_start(ap, last)
Definition: stdarg.h:7
tls_generate_random
static int tls_generate_random(struct tls_connection *tls, void *data, size_t len)
Generate random data.
Definition: tls.c:459
__rsa_digestinfo_prefix
struct rsa_digestinfo_prefix rsa_md5_sha1_prefix __rsa_digestinfo_prefix
RSA digestInfo prefix for MD5+SHA1 algorithm.
Definition: tls.c:340
EINVAL_CERTIFICATES
#define EINVAL_CERTIFICATES
Definition: tls.c:74
x509_certificate::raw
struct asn1_cursor raw
Raw certificate.
Definition: x509.h:230
tls_ready
static int tls_ready(struct tls_connection *tls)
Determine if TLS connection is ready for application data.
Definition: tls.c:259
tls_session::name
const char * name
Server name.
Definition: tls.h:340
tls_signature_hash_id
A TLS signature and hash algorithm identifier.
Definition: tls.h:272
intf_init
static void intf_init(struct interface *intf, struct interface_descriptor *desc, struct refcnt *refcnt)
Initialise an object interface.
Definition: interface.h:203
cipher_algorithm::name
const char * name
Algorithm name.
Definition: crypto.h:52
TLS_CERTIFICATE_VERIFY
#define TLS_CERTIFICATE_VERIFY
Definition: tls.h:76
TLS_TYPE_DATA
#define TLS_TYPE_DATA
Application data content type.
Definition: tls.h:65
elliptic_curve::pointsize
size_t pointsize
Point (and public key) size.
Definition: crypto.h:181
ENOTSUP_SIG_HASH
#define ENOTSUP_SIG_HASH
Definition: tls.c:154
tls_server::exchange_len
size_t exchange_len
Server Key Exchange record length.
Definition: tls.h:412
tls_connection::session_id_len
size_t session_id_len
Length of session ID.
Definition: tls.h:439
TLS_TYPE_ALERT
#define TLS_TYPE_ALERT
Alert content type.
Definition: tls.h:59
tls_verify_padding
static int tls_verify_padding(struct tls_connection *tls, struct io_buffer *iobuf)
Verify block padding.
Definition: tls.c:3221
tls_connection::plainstream
struct interface plainstream
Plaintext stream.
Definition: tls.h:446
TLS_VERSION_MIN
#define TLS_VERSION_MIN
Minimum TLS version.
Definition: crypto.h:13
tls_dhe_exchange_algorithm
struct tls_key_exchange_algorithm tls_dhe_exchange_algorithm
Ephemeral Diffie-Hellman key exchange algorithm.
Definition: tls.c:1700
signature
u8 signature
CPU signature.
Definition: CIB_PRM.h:35
md5.h
MD5 algorithm.
memcmp
int memcmp(const void *first, const void *second, size_t len)
Compare memory regions.
Definition: string.c:114
sha256.h
SHA-256 algorithm.
tls_set_cipher
static int tls_set_cipher(struct tls_connection *tls, struct tls_cipherspec *cipherspec, struct tls_cipher_suite *suite)
Set cipher suite.
Definition: tls.c:900
NULL
#define NULL
NULL pointer (VOID *)
Definition: Base.h:321
asn1_builder::len
size_t len
Length of data.
Definition: asn1.h:37
tls_select_handshake
static int tls_select_handshake(struct tls_connection *tls, struct digest_algorithm *digest)
Select handshake digest algorithm.
Definition: tls.c:794
string.h
String functions.
tls_prf_label
#define tls_prf_label(tls, secret, secret_len, out, out_len, label,...)
Generate secure pseudo-random data.
Definition: tls.c:622
asn1_cursor
An ASN.1 object cursor.
Definition: asn1.h:20
TLS_CIPHER_SUITES
#define TLS_CIPHER_SUITES
TLS cipher suite table.
Definition: tls.h:216
pubkey_algorithm
A public key algorithm.
Definition: crypto.h:121
htons
#define htons(value)
Definition: byteswap.h:135
tls_named_curve::format
uint8_t format
Curve point format byte (if any)
Definition: tls.h:236
TLS_CLIENT_KEY_EXCHANGE
#define TLS_CLIENT_KEY_EXCHANGE
Definition: tls.h:77
pending_get
void pending_get(struct pending_operation *pending)
Mark an operation as pending.
Definition: pending.c:45
done
struct bofm_section_header done
Definition: bofm_test.c:46
tls_cipherspec::fixed_iv
void * fixed_iv
Fixed initialisation vector.
Definition: tls.h:260
TLS_SERVER_HELLO
#define TLS_SERVER_HELLO
Definition: tls.h:70
key
union @391 key
Sense key.
Definition: scsi.h:17
tls_new_server_hello_done
static int tls_new_server_hello_done(struct tls_connection *tls, const void *data, size_t len)
Receive new Server Hello Done handshake record.
Definition: tls.c:2581
TLS_FINISHED
#define TLS_FINISHED
Definition: tls.h:78
add_tls
int add_tls(struct interface *xfer, const char *name, struct x509_root *root, struct private_key *key)
Add TLS on an interface.
Definition: tls.c:3961
md5_sha1_update
static void md5_sha1_update(void *ctx, const void *data, size_t len)
Accumulate data with MD5+SHA1 algorithm.
Definition: tls.c:307
TLS_SIGNATURE_ALGORITHMS
#define TLS_SIGNATURE_ALGORITHMS
Definition: tls.h:135
tls_new_server_key_exchange
static int tls_new_server_key_exchange(struct tls_connection *tls, const void *data, size_t len)
Receive new Server Key Exchange handshake record.
Definition: tls.c:2490
pubkey_algorithm::name
const char * name
Algorithm name.
Definition: crypto.h:123
md5_algorithm
struct digest_algorithm md5_algorithm
MD5 algorithm.
Definition: md5.c:286
cipher_setkey
static int cipher_setkey(struct cipher_algorithm *cipher, void *ctx, const void *key, size_t keylen)
Definition: crypto.h:212
tls_alloc_iob
static struct io_buffer * tls_alloc_iob(struct tls_connection *tls, size_t len)
Allocate I/O buffer for transmitted record(s)
Definition: tls.c:3025
tls_plainstream_window
static size_t tls_plainstream_window(struct tls_connection *tls)
Check flow control window.
Definition: tls.c:3402
ref_put
#define ref_put(refcnt)
Drop reference to object.
Definition: refcnt.h:106
tls_send_client_key_exchange_dhe
static int tls_send_client_key_exchange_dhe(struct tls_connection *tls)
Transmit Client Key Exchange record using DHE key exchange.
Definition: tls.c:1586
tx
u8 tx[WPA_TKIP_MIC_KEY_LEN]
MIC key for packets to the AP.
Definition: wpa.h:237
tls_cipher_suite::code
uint16_t code
Numeric code (in network-endian order)
Definition: tls.h:204
tls_new_unknown
static int tls_new_unknown(struct tls_connection *tls __unused, struct io_buffer *iobuf)
Receive new unknown record.
Definition: tls.c:2785
sha1_algorithm
struct digest_algorithm sha1_algorithm
SHA-1 algorithm.
Definition: sha1.c:257
tls_cipherspec::mac_secret
void * mac_secret
MAC secret.
Definition: tls.h:258
is_block_cipher
static int is_block_cipher(struct cipher_algorithm *cipher)
Definition: crypto.h:254
memset
void * memset(void *dest, int character, size_t len) __nonnull
io_buffer
A persistent I/O buffer.
Definition: iobuf.h:37
TLS_CHANGE_CIPHER_SPEC
#define TLS_CHANGE_CIPHER_SPEC
Change cipher spec magic byte.
Definition: tls.h:56
tls_server::root
struct x509_root * root
Root of trust.
Definition: tls.h:414
tls_cipher_suite::key_len
uint8_t key_len
Key length.
Definition: tls.h:206
Generated by   doxygen 1.8.15