iPXE
tls.c
Go to the documentation of this file.
1/*
2 * Copyright (C) 2007 Michael Brown <mbrown@fensystems.co.uk>.
3 *
4 * This program is free software; you can redistribute it and/or
5 * modify it under the terms of the GNU General Public License as
6 * published by the Free Software Foundation; either version 2 of the
7 * License, or any later version.
8 *
9 * This program is distributed in the hope that it will be useful, but
10 * WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12 * General Public License for more details.
13 *
14 * You should have received a copy of the GNU General Public License
15 * along with this program; if not, write to the Free Software
16 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
17 * 02110-1301, USA.
18 */
19
20FILE_LICENCE ( GPL2_OR_LATER );
21FILE_SECBOOT ( PERMITTED );
22
23/**
24 * @file
25 *
26 * Transport Layer Security Protocol
27 */
28
29#include <stdint.h>
30#include <stdlib.h>
31#include <stdarg.h>
32#include <string.h>
33#include <time.h>
34#include <errno.h>
35#include <byteswap.h>
36#include <ipxe/pending.h>
37#include <ipxe/hmac.h>
38#include <ipxe/md5.h>
39#include <ipxe/sha1.h>
40#include <ipxe/sha256.h>
41#include <ipxe/aes.h>
42#include <ipxe/rsa.h>
43#include <ipxe/iobuf.h>
44#include <ipxe/xfer.h>
45#include <ipxe/open.h>
46#include <ipxe/x509.h>
47#include <ipxe/privkey.h>
48#include <ipxe/certstore.h>
49#include <ipxe/rootcert.h>
50#include <ipxe/rbg.h>
51#include <ipxe/validator.h>
52#include <ipxe/job.h>
53#include <ipxe/dhe.h>
54#include <ipxe/ecdhe.h>
55#include <ipxe/tls.h>
56#include <config/crypto.h>
57
58/* Disambiguate the various error causes */
59#define EINVAL_CHANGE_CIPHER __einfo_error ( EINFO_EINVAL_CHANGE_CIPHER )
60#define EINFO_EINVAL_CHANGE_CIPHER \
61 __einfo_uniqify ( EINFO_EINVAL, 0x01, \
62 "Invalid Change Cipher record" )
63#define EINVAL_ALERT __einfo_error ( EINFO_EINVAL_ALERT )
64#define EINFO_EINVAL_ALERT \
65 __einfo_uniqify ( EINFO_EINVAL, 0x02, \
66 "Invalid Alert record" )
67#define EINVAL_HELLO __einfo_error ( EINFO_EINVAL_HELLO )
68#define EINFO_EINVAL_HELLO \
69 __einfo_uniqify ( EINFO_EINVAL, 0x03, \
70 "Invalid Server Hello record" )
71#define EINVAL_CERTIFICATE __einfo_error ( EINFO_EINVAL_CERTIFICATE )
72#define EINFO_EINVAL_CERTIFICATE \
73 __einfo_uniqify ( EINFO_EINVAL, 0x04, \
74 "Invalid Certificate" )
75#define EINVAL_CERTIFICATES __einfo_error ( EINFO_EINVAL_CERTIFICATES )
76#define EINFO_EINVAL_CERTIFICATES \
77 __einfo_uniqify ( EINFO_EINVAL, 0x05, \
78 "Invalid Server Certificate record" )
79#define EINVAL_HELLO_DONE __einfo_error ( EINFO_EINVAL_HELLO_DONE )
80#define EINFO_EINVAL_HELLO_DONE \
81 __einfo_uniqify ( EINFO_EINVAL, 0x06, \
82 "Invalid Server Hello Done record" )
83#define EINVAL_FINISHED __einfo_error ( EINFO_EINVAL_FINISHED )
84#define EINFO_EINVAL_FINISHED \
85 __einfo_uniqify ( EINFO_EINVAL, 0x07, \
86 "Invalid Server Finished record" )
87#define EINVAL_HANDSHAKE __einfo_error ( EINFO_EINVAL_HANDSHAKE )
88#define EINFO_EINVAL_HANDSHAKE \
89 __einfo_uniqify ( EINFO_EINVAL, 0x08, \
90 "Invalid Handshake record" )
91#define EINVAL_IV __einfo_error ( EINFO_EINVAL_IV )
92#define EINFO_EINVAL_IV \
93 __einfo_uniqify ( EINFO_EINVAL, 0x0a, \
94 "Invalid initialisation vector" )
95#define EINVAL_PADDING __einfo_error ( EINFO_EINVAL_PADDING )
96#define EINFO_EINVAL_PADDING \
97 __einfo_uniqify ( EINFO_EINVAL, 0x0b, \
98 "Invalid block padding" )
99#define EINVAL_RX_STATE __einfo_error ( EINFO_EINVAL_RX_STATE )
100#define EINFO_EINVAL_RX_STATE \
101 __einfo_uniqify ( EINFO_EINVAL, 0x0c, \
102 "Invalid receive state" )
103#define EINVAL_MAC __einfo_error ( EINFO_EINVAL_MAC )
104#define EINFO_EINVAL_MAC \
105 __einfo_uniqify ( EINFO_EINVAL, 0x0d, \
106 "Invalid MAC or authentication tag" )
107#define EINVAL_TICKET __einfo_error ( EINFO_EINVAL_TICKET )
108#define EINFO_EINVAL_TICKET \
109 __einfo_uniqify ( EINFO_EINVAL, 0x0e, \
110 "Invalid New Session Ticket record")
111#define EINVAL_KEY_EXCHANGE __einfo_error ( EINFO_EINVAL_KEY_EXCHANGE )
112#define EINFO_EINVAL_KEY_EXCHANGE \
113 __einfo_uniqify ( EINFO_EINVAL, 0x0f, \
114 "Invalid Server Key Exchange record" )
115#define EIO_ALERT __einfo_error ( EINFO_EIO_ALERT )
116#define EINFO_EIO_ALERT \
117 __einfo_uniqify ( EINFO_EIO, 0x01, \
118 "Unknown alert level" )
119#define ENOMEM_CONTEXT __einfo_error ( EINFO_ENOMEM_CONTEXT )
120#define EINFO_ENOMEM_CONTEXT \
121 __einfo_uniqify ( EINFO_ENOMEM, 0x01, \
122 "Not enough space for crypto context" )
123#define ENOMEM_CERTIFICATE __einfo_error ( EINFO_ENOMEM_CERTIFICATE )
124#define EINFO_ENOMEM_CERTIFICATE \
125 __einfo_uniqify ( EINFO_ENOMEM, 0x02, \
126 "Not enough space for certificate" )
127#define ENOMEM_CHAIN __einfo_error ( EINFO_ENOMEM_CHAIN )
128#define EINFO_ENOMEM_CHAIN \
129 __einfo_uniqify ( EINFO_ENOMEM, 0x03, \
130 "Not enough space for certificate chain" )
131#define ENOMEM_TX_PLAINTEXT __einfo_error ( EINFO_ENOMEM_TX_PLAINTEXT )
132#define EINFO_ENOMEM_TX_PLAINTEXT \
133 __einfo_uniqify ( EINFO_ENOMEM, 0x04, \
134 "Not enough space for transmitted plaintext" )
135#define ENOMEM_TX_CIPHERTEXT __einfo_error ( EINFO_ENOMEM_TX_CIPHERTEXT )
136#define EINFO_ENOMEM_TX_CIPHERTEXT \
137 __einfo_uniqify ( EINFO_ENOMEM, 0x05, \
138 "Not enough space for transmitted ciphertext" )
139#define ENOMEM_RX_DATA __einfo_error ( EINFO_ENOMEM_RX_DATA )
140#define EINFO_ENOMEM_RX_DATA \
141 __einfo_uniqify ( EINFO_ENOMEM, 0x07, \
142 "Not enough space for received data" )
143#define ENOMEM_RX_CONCAT __einfo_error ( EINFO_ENOMEM_RX_CONCAT )
144#define EINFO_ENOMEM_RX_CONCAT \
145 __einfo_uniqify ( EINFO_ENOMEM, 0x08, \
146 "Not enough space to concatenate received data" )
147#define ENOTSUP_CIPHER __einfo_error ( EINFO_ENOTSUP_CIPHER )
148#define EINFO_ENOTSUP_CIPHER \
149 __einfo_uniqify ( EINFO_ENOTSUP, 0x01, \
150 "Unsupported cipher" )
151#define ENOTSUP_NULL __einfo_error ( EINFO_ENOTSUP_NULL )
152#define EINFO_ENOTSUP_NULL \
153 __einfo_uniqify ( EINFO_ENOTSUP, 0x02, \
154 "Refusing to use null cipher" )
155#define ENOTSUP_SIG_HASH __einfo_error ( EINFO_ENOTSUP_SIG_HASH )
156#define EINFO_ENOTSUP_SIG_HASH \
157 __einfo_uniqify ( EINFO_ENOTSUP, 0x03, \
158 "Unsupported signature and hash algorithm" )
159#define ENOTSUP_VERSION __einfo_error ( EINFO_ENOTSUP_VERSION )
160#define EINFO_ENOTSUP_VERSION \
161 __einfo_uniqify ( EINFO_ENOTSUP, 0x04, \
162 "Unsupported protocol version" )
163#define ENOTSUP_CURVE __einfo_error ( EINFO_ENOTSUP_CURVE )
164#define EINFO_ENOTSUP_CURVE \
165 __einfo_uniqify ( EINFO_ENOTSUP, 0x05, \
166 "Unsupported elliptic curve" )
167#define EPERM_ALERT __einfo_error ( EINFO_EPERM_ALERT )
168#define EINFO_EPERM_ALERT \
169 __einfo_uniqify ( EINFO_EPERM, 0x01, \
170 "Received fatal alert" )
171#define EPERM_VERIFY __einfo_error ( EINFO_EPERM_VERIFY )
172#define EINFO_EPERM_VERIFY \
173 __einfo_uniqify ( EINFO_EPERM, 0x02, \
174 "Handshake verification failed" )
175#define EPERM_RENEG_INSECURE __einfo_error ( EINFO_EPERM_RENEG_INSECURE )
176#define EINFO_EPERM_RENEG_INSECURE \
177 __einfo_uniqify ( EINFO_EPERM, 0x04, \
178 "Secure renegotiation not supported" )
179#define EPERM_RENEG_VERIFY __einfo_error ( EINFO_EPERM_RENEG_VERIFY )
180#define EINFO_EPERM_RENEG_VERIFY \
181 __einfo_uniqify ( EINFO_EPERM, 0x05, \
182 "Secure renegotiation verification failed" )
183#define EPERM_KEY_EXCHANGE __einfo_error ( EINFO_EPERM_KEY_EXCHANGE )
184#define EINFO_EPERM_KEY_EXCHANGE \
185 __einfo_uniqify ( EINFO_EPERM, 0x06, \
186 "ServerKeyExchange verification failed" )
187#define EPERM_EMS __einfo_error ( EINFO_EPERM_EMS )
188#define EINFO_EPERM_EMS \
189 __einfo_uniqify ( EINFO_EPERM, 0x07, \
190 "Extended master secret extension mismatch" )
191#define EPROTO_VERSION __einfo_error ( EINFO_EPROTO_VERSION )
192#define EINFO_EPROTO_VERSION \
193 __einfo_uniqify ( EINFO_EPROTO, 0x01, \
194 "Illegal protocol version upgrade" )
195
196/** List of TLS session */
197static LIST_HEAD ( tls_sessions );
198
199static void tls_tx_resume_all ( struct tls_session *session );
200static struct io_buffer * tls_alloc_iob ( struct tls_connection *tls,
201 size_t len );
202static int tls_send_record ( struct tls_connection *tls, unsigned int type,
203 struct io_buffer *iobuf );
204static int tls_send_plaintext ( struct tls_connection *tls, unsigned int type,
205 const void *data, size_t len );
206static void tls_clear_cipher ( struct tls_connection *tls,
207 struct tls_cipherspec *cipherspec );
208static void tls_verify_handshake ( struct tls_connection *tls, void *out );
209
210/******************************************************************************
211 *
212 * Utility functions
213 *
214 ******************************************************************************
215 */
216
217/** A TLS 24-bit integer
218 *
219 * TLS uses 24-bit integers in several places, which are awkward to
220 * parse in C.
221 */
222typedef struct {
223 /** High byte */
224 uint8_t high;
225 /** Low word */
226 uint16_t low;
227} __attribute__ (( packed )) tls24_t;
228
229/**
230 * Extract 24-bit field value
231 *
232 * @v field24 24-bit field
233 * @ret value Field value
234 *
235 */
236static inline __attribute__ (( always_inline )) unsigned long
237tls_uint24 ( const tls24_t *field24 ) {
238
239 return ( ( field24->high << 16 ) | be16_to_cpu ( field24->low ) );
240}
241
242/**
243 * Set 24-bit field value
244 *
245 * @v field24 24-bit field
246 * @v value Field value
247 */
248static void tls_set_uint24 ( tls24_t *field24, unsigned long value ) {
249
250 field24->high = ( value >> 16 );
251 field24->low = cpu_to_be16 ( value );
252}
253
254/**
255 * Determine if TLS connection is ready for application data
256 *
257 * @v tls TLS connection
258 * @ret is_ready TLS connection is ready
259 */
260static int tls_ready ( struct tls_connection *tls ) {
261 return ( ( ! is_pending ( &tls->client.negotiation ) ) &&
262 ( ! is_pending ( &tls->server.negotiation ) ) );
263}
264
265/**
266 * Check for TLS version
267 *
268 * @v tls TLS connection
269 * @v version TLS version
270 * @ret at_least TLS connection is using at least the specified version
271 *
272 * Check that TLS connection uses at least the specified protocol
273 * version. Optimise down to a compile-time constant true result if
274 * this is already guaranteed by the minimum supported version check.
275 */
276static inline __attribute__ (( always_inline )) int
277tls_version ( struct tls_connection *tls, unsigned int version ) {
278 return ( ( TLS_VERSION_MIN >= version ) ||
279 ( tls->version >= version ) );
280}
281
282/******************************************************************************
283 *
284 * Hybrid MD5+SHA1 hash as used by TLSv1.1 and earlier
285 *
286 ******************************************************************************
287 */
288
289/**
290 * Initialise MD5+SHA1 algorithm
291 *
292 * @v ctx MD5+SHA1 context
293 */
294static void md5_sha1_init ( void *ctx ) {
295 struct md5_sha1_context *context = ctx;
296
297 digest_init ( &md5_algorithm, context->md5 );
298 digest_init ( &sha1_algorithm, context->sha1 );
299}
300
301/**
302 * Accumulate data with MD5+SHA1 algorithm
303 *
304 * @v ctx MD5+SHA1 context
305 * @v data Data
306 * @v len Length of data
307 */
308static void md5_sha1_update ( void *ctx, const void *data, size_t len ) {
309 struct md5_sha1_context *context = ctx;
310
311 digest_update ( &md5_algorithm, context->md5, data, len );
312 digest_update ( &sha1_algorithm, context->sha1, data, len );
313}
314
315/**
316 * Generate MD5+SHA1 digest
317 *
318 * @v ctx MD5+SHA1 context
319 * @v out Output buffer
320 */
321static void md5_sha1_final ( void *ctx, void *out ) {
322 struct md5_sha1_context *context = ctx;
323 struct md5_sha1_digest *digest = out;
324
325 digest_final ( &md5_algorithm, context->md5, digest->md5 );
326 digest_final ( &sha1_algorithm, context->sha1, digest->sha1 );
327}
328
329/** Hybrid MD5+SHA1 digest algorithm */
330static struct digest_algorithm md5_sha1_algorithm = {
331 .name = "md5+sha1",
332 .ctxsize = sizeof ( struct md5_sha1_context ),
333 .blocksize = 0, /* Not applicable */
334 .digestsize = sizeof ( struct md5_sha1_digest ),
335 .init = md5_sha1_init,
336 .update = md5_sha1_update,
337 .final = md5_sha1_final,
338};
339
340/** RSA digestInfo prefix for MD5+SHA1 algorithm */
341struct rsa_digestinfo_prefix rsa_md5_sha1_prefix __rsa_digestinfo_prefix = {
342 .digest = &md5_sha1_algorithm,
343 .data = NULL, /* MD5+SHA1 signatures have no digestInfo */
344 .len = 0,
345};
346
347/******************************************************************************
348 *
349 * Cleanup functions
350 *
351 ******************************************************************************
352 */
353
354/**
355 * Free TLS session
356 *
357 * @v refcnt Reference counter
358 */
359static void free_tls_session ( struct refcnt *refcnt ) {
360 struct tls_session *session =
361 container_of ( refcnt, struct tls_session, refcnt );
362
363 /* Sanity check */
364 assert ( list_empty ( &session->conn ) );
365
366 /* Remove from list of sessions */
367 list_del ( &session->list );
368
369 /* Free dynamically-allocated resources */
370 x509_root_put ( session->root );
371 privkey_put ( session->key );
372 free ( session->ticket );
373
374 /* Free session */
375 free ( session );
376}
377
378/**
379 * Free TLS connection
380 *
381 * @v refcnt Reference counter
382 */
383static void free_tls ( struct refcnt *refcnt ) {
384 struct tls_connection *tls =
385 container_of ( refcnt, struct tls_connection, refcnt );
386 struct tls_session *session = tls->session;
387 struct io_buffer *iobuf;
388 struct io_buffer *tmp;
389
390 /* Free dynamically-allocated resources */
391 free ( tls->new_session_ticket );
392 tls_clear_cipher ( tls, &tls->tx.cipherspec.active );
393 tls_clear_cipher ( tls, &tls->tx.cipherspec.pending );
394 tls_clear_cipher ( tls, &tls->rx.cipherspec.active );
395 tls_clear_cipher ( tls, &tls->rx.cipherspec.pending );
396 free ( tls->server.exchange );
397 free ( tls->handshake_ctx );
398 list_for_each_entry_safe ( iobuf, tmp, &tls->rx.data, list ) {
399 list_del ( &iobuf->list );
400 free_iob ( iobuf );
401 }
402 free_iob ( tls->rx.handshake );
403 privkey_put ( tls->client.key );
404 x509_chain_put ( tls->client.chain );
405 x509_chain_put ( tls->server.chain );
406 x509_root_put ( tls->server.root );
407
408 /* Drop reference to session */
409 assert ( list_empty ( &tls->list ) );
410 ref_put ( &session->refcnt );
411
412 /* Free TLS structure itself */
413 free ( tls );
414}
415
416/**
417 * Finish with TLS connection
418 *
419 * @v tls TLS connection
420 * @v rc Status code
421 */
422static void tls_close ( struct tls_connection *tls, int rc ) {
423
424 /* Remove pending operations, if applicable */
425 pending_put ( &tls->client.negotiation );
426 pending_put ( &tls->server.negotiation );
427 pending_put ( &tls->server.validation );
428
429 /* Remove process */
430 process_del ( &tls->tx.process );
431
432 /* Close all interfaces */
433 intf_shutdown ( &tls->cipherstream, rc );
434 intf_shutdown ( &tls->plainstream, rc );
435 intf_shutdown ( &tls->server.validator, rc );
436
437 /* Remove from session */
438 list_del ( &tls->list );
439 INIT_LIST_HEAD ( &tls->list );
440
441 /* Resume all other connections, in case we were the lead connection */
442 tls_tx_resume_all ( tls->session );
443}
444
445/******************************************************************************
446 *
447 * Random number generation
448 *
449 ******************************************************************************
450 */
451
452/**
453 * Generate random data
454 *
455 * @v tls TLS connection
456 * @v data Buffer to fill
457 * @v len Length of buffer
458 * @ret rc Return status code
459 */
460static int tls_generate_random ( struct tls_connection *tls,
461 void *data, size_t len ) {
462 int rc;
463
464 /* Generate random bits with no additional input and without
465 * prediction resistance
466 */
467 if ( ( rc = rbg_generate ( NULL, 0, 0, data, len ) ) != 0 ) {
468 DBGC ( tls, "TLS %p could not generate random data: %s\n",
469 tls, strerror ( rc ) );
470 return rc;
471 }
472
473 return 0;
474}
475
476/**
477 * Update HMAC with a list of ( data, len ) pairs
478 *
479 * @v digest Hash function to use
480 * @v ctx HMAC context
481 * @v args ( data, len ) pairs of data, terminated by NULL
482 */
483static void tls_hmac_update_va ( struct digest_algorithm *digest,
484 void *ctx, va_list args ) {
485 void *data;
486 size_t len;
487
488 while ( ( data = va_arg ( args, void * ) ) ) {
489 len = va_arg ( args, size_t );
490 hmac_update ( digest, ctx, data, len );
491 }
492}
493
494/**
495 * Generate secure pseudo-random data using a single hash function
496 *
497 * @v tls TLS connection
498 * @v digest Hash function to use
499 * @v secret Secret
500 * @v secret_len Length of secret
501 * @v out Output buffer
502 * @v out_len Length of output buffer
503 * @v seeds ( data, len ) pairs of seed data, terminated by NULL
504 */
505static void tls_p_hash_va ( struct tls_connection *tls,
506 struct digest_algorithm *digest,
507 const void *secret, size_t secret_len,
508 void *out, size_t out_len,
509 va_list seeds ) {
510 uint8_t ctx[ hmac_ctxsize ( digest ) ];
511 uint8_t ctx_partial[ sizeof ( ctx ) ];
512 uint8_t a[digest->digestsize];
513 uint8_t out_tmp[digest->digestsize];
514 size_t frag_len = digest->digestsize;
515 va_list tmp;
516
517 DBGC2 ( tls, "TLS %p %s secret:\n", tls, digest->name );
518 DBGC2_HD ( tls, secret, secret_len );
519
520 /* Calculate A(1) */
521 hmac_init ( digest, ctx, secret, secret_len );
522 va_copy ( tmp, seeds );
523 tls_hmac_update_va ( digest, ctx, tmp );
524 va_end ( tmp );
525 hmac_final ( digest, ctx, a );
526 DBGC2 ( tls, "TLS %p %s A(1):\n", tls, digest->name );
527 DBGC2_HD ( tls, &a, sizeof ( a ) );
528
529 /* Generate as much data as required */
530 while ( out_len ) {
531 /* Calculate output portion */
532 hmac_init ( digest, ctx, secret, secret_len );
533 hmac_update ( digest, ctx, a, sizeof ( a ) );
534 memcpy ( ctx_partial, ctx, sizeof ( ctx_partial ) );
535 va_copy ( tmp, seeds );
536 tls_hmac_update_va ( digest, ctx, tmp );
537 va_end ( tmp );
538 hmac_final ( digest, ctx, out_tmp );
539
540 /* Copy output */
541 if ( frag_len > out_len )
542 frag_len = out_len;
543 memcpy ( out, out_tmp, frag_len );
544 DBGC2 ( tls, "TLS %p %s output:\n", tls, digest->name );
545 DBGC2_HD ( tls, out, frag_len );
546
547 /* Calculate A(i) */
548 hmac_final ( digest, ctx_partial, a );
549 DBGC2 ( tls, "TLS %p %s A(n):\n", tls, digest->name );
550 DBGC2_HD ( tls, &a, sizeof ( a ) );
551
552 out += frag_len;
553 out_len -= frag_len;
554 }
555}
556
557/**
558 * Generate secure pseudo-random data
559 *
560 * @v tls TLS connection
561 * @v secret Secret
562 * @v secret_len Length of secret
563 * @v out Output buffer
564 * @v out_len Length of output buffer
565 * @v ... ( data, len ) pairs of seed data, terminated by NULL
566 */
567static void tls_prf ( struct tls_connection *tls, const void *secret,
568 size_t secret_len, void *out, size_t out_len, ... ) {
569 va_list seeds;
570 va_list tmp;
571 size_t subsecret_len;
572 const void *md5_secret;
573 const void *sha1_secret;
574 uint8_t buf[out_len];
575 unsigned int i;
576
577 va_start ( seeds, out_len );
578
579 if ( tls_version ( tls, TLS_VERSION_TLS_1_2 ) ) {
580 /* Use handshake digest PRF for TLSv1.2 and later */
581 tls_p_hash_va ( tls, tls->handshake_digest, secret, secret_len,
582 out, out_len, seeds );
583 } else {
584 /* Use combination of P_MD5 and P_SHA-1 for TLSv1.1
585 * and earlier
586 */
587
588 /* Split secret into two, with an overlap of up to one byte */
589 subsecret_len = ( ( secret_len + 1 ) / 2 );
590 md5_secret = secret;
591 sha1_secret = ( secret + secret_len - subsecret_len );
592
593 /* Calculate MD5 portion */
594 va_copy ( tmp, seeds );
595 tls_p_hash_va ( tls, &md5_algorithm, md5_secret,
596 subsecret_len, out, out_len, seeds );
597 va_end ( tmp );
598
599 /* Calculate SHA1 portion */
600 va_copy ( tmp, seeds );
601 tls_p_hash_va ( tls, &sha1_algorithm, sha1_secret,
602 subsecret_len, buf, out_len, seeds );
603 va_end ( tmp );
604
605 /* XOR the two portions together into the final output buffer */
606 for ( i = 0 ; i < out_len ; i++ )
607 *( ( uint8_t * ) out + i ) ^= buf[i];
608 }
609
610 va_end ( seeds );
611}
612
613/**
614 * Generate secure pseudo-random data
615 *
616 * @v secret Secret
617 * @v secret_len Length of secret
618 * @v out Output buffer
619 * @v out_len Length of output buffer
620 * @v label String literal label
621 * @v ... ( data, len ) pairs of seed data
622 */
623#define tls_prf_label( tls, secret, secret_len, out, out_len, label, ... ) \
624 tls_prf ( (tls), (secret), (secret_len), (out), (out_len), \
625 label, ( sizeof ( label ) - 1 ), __VA_ARGS__, NULL )
626
627/******************************************************************************
628 *
629 * Secret management
630 *
631 ******************************************************************************
632 */
633
634/**
635 * Generate master secret
636 *
637 * @v tls TLS connection
638 * @v pre_master_secret Pre-master secret
639 * @v pre_master_secret_len Length of pre-master secret
640 *
641 * The client and server random values must already be known.
642 */
643static void tls_generate_master_secret ( struct tls_connection *tls,
644 const void *pre_master_secret,
645 size_t pre_master_secret_len ) {
646 struct digest_algorithm *digest = tls->handshake_digest;
647 uint8_t digest_out[ digest->digestsize ];
648
649 /* Generate handshake digest */
650 tls_verify_handshake ( tls, digest_out );
651
652 /* Show inputs */
653 DBGC ( tls, "TLS %p pre-master secret:\n", tls );
654 DBGC_HD ( tls, pre_master_secret, pre_master_secret_len );
655 DBGC ( tls, "TLS %p client random bytes:\n", tls );
656 DBGC_HD ( tls, &tls->client.random, sizeof ( tls->client.random ) );
657 DBGC ( tls, "TLS %p server random bytes:\n", tls );
658 DBGC_HD ( tls, &tls->server.random, sizeof ( tls->server.random ) );
659 DBGC ( tls, "TLS %p session hash:\n", tls );
660 DBGC_HD ( tls, digest_out, sizeof ( digest_out ) );
661
662 /* Generate master secret */
663 if ( tls->extended_master_secret ) {
664 tls_prf_label ( tls, pre_master_secret, pre_master_secret_len,
665 &tls->master_secret,
666 sizeof ( tls->master_secret ),
667 "extended master secret",
668 digest_out, sizeof ( digest_out ) );
669 } else {
670 tls_prf_label ( tls, pre_master_secret, pre_master_secret_len,
671 &tls->master_secret,
672 sizeof ( tls->master_secret ),
673 "master secret",
674 &tls->client.random,
675 sizeof ( tls->client.random ),
676 &tls->server.random,
677 sizeof ( tls->server.random ) );
678 }
679
680 /* Show output */
681 DBGC ( tls, "TLS %p generated %smaster secret:\n", tls,
682 ( tls->extended_master_secret ? "extended ": "" ) );
683 DBGC_HD ( tls, &tls->master_secret, sizeof ( tls->master_secret ) );
684}
685
686/**
687 * Generate key material
688 *
689 * @v tls TLS connection
690 *
691 * The master secret must already be known.
692 */
693static int tls_generate_keys ( struct tls_connection *tls ) {
694 struct tls_cipherspec *tx_cipherspec = &tls->tx.cipherspec.pending;
695 struct tls_cipherspec *rx_cipherspec = &tls->rx.cipherspec.pending;
696 size_t hash_size = tx_cipherspec->suite->mac_len;
697 size_t key_size = tx_cipherspec->suite->key_len;
698 size_t iv_size = tx_cipherspec->suite->fixed_iv_len;
699 size_t total = ( 2 * ( hash_size + key_size + iv_size ) );
700 uint8_t key_block[total];
701 uint8_t *key;
702 int rc;
703
704 /* Generate key block */
705 tls_prf_label ( tls, &tls->master_secret, sizeof ( tls->master_secret ),
706 key_block, sizeof ( key_block ), "key expansion",
707 &tls->server.random, sizeof ( tls->server.random ),
708 &tls->client.random, sizeof ( tls->client.random ) );
709
710 /* Split key block into portions */
711 key = key_block;
712
713 /* TX MAC secret */
714 memcpy ( tx_cipherspec->mac_secret, key, hash_size );
715 DBGC ( tls, "TLS %p TX MAC secret:\n", tls );
716 DBGC_HD ( tls, key, hash_size );
717 key += hash_size;
718
719 /* RX MAC secret */
720 memcpy ( rx_cipherspec->mac_secret, key, hash_size );
721 DBGC ( tls, "TLS %p RX MAC secret:\n", tls );
722 DBGC_HD ( tls, key, hash_size );
723 key += hash_size;
724
725 /* TX key */
726 if ( ( rc = cipher_setkey ( tx_cipherspec->suite->cipher,
727 tx_cipherspec->cipher_ctx,
728 key, key_size ) ) != 0 ) {
729 DBGC ( tls, "TLS %p could not set TX key: %s\n",
730 tls, strerror ( rc ) );
731 return rc;
732 }
733 DBGC ( tls, "TLS %p TX key:\n", tls );
734 DBGC_HD ( tls, key, key_size );
735 key += key_size;
736
737 /* RX key */
738 if ( ( rc = cipher_setkey ( rx_cipherspec->suite->cipher,
739 rx_cipherspec->cipher_ctx,
740 key, key_size ) ) != 0 ) {
741 DBGC ( tls, "TLS %p could not set TX key: %s\n",
742 tls, strerror ( rc ) );
743 return rc;
744 }
745 DBGC ( tls, "TLS %p RX key:\n", tls );
746 DBGC_HD ( tls, key, key_size );
747 key += key_size;
748
749 /* TX initialisation vector */
750 memcpy ( tx_cipherspec->fixed_iv, key, iv_size );
751 DBGC ( tls, "TLS %p TX IV:\n", tls );
752 DBGC_HD ( tls, key, iv_size );
753 key += iv_size;
754
755 /* RX initialisation vector */
756 memcpy ( rx_cipherspec->fixed_iv, key, iv_size );
757 DBGC ( tls, "TLS %p RX IV:\n", tls );
758 DBGC_HD ( tls, key, iv_size );
759 key += iv_size;
760
761 assert ( ( key_block + total ) == key );
762
763 return 0;
764}
765
766/******************************************************************************
767 *
768 * Handshake verification
769 *
770 ******************************************************************************
771 */
772
773/**
774 * Clear handshake digest algorithm
775 *
776 * @v tls TLS connection
777 */
778static void tls_clear_handshake ( struct tls_connection *tls ) {
779
780 /* Select null digest algorithm */
781 tls->handshake_digest = &digest_null;
782
783 /* Free any existing context */
784 free ( tls->handshake_ctx );
785 tls->handshake_ctx = NULL;
786}
787
788/**
789 * Select handshake digest algorithm
790 *
791 * @v tls TLS connection
792 * @v digest Handshake digest algorithm
793 * @ret rc Return status code
794 */
795static int tls_select_handshake ( struct tls_connection *tls,
796 struct digest_algorithm *digest ) {
797
798 /* Clear existing handshake digest */
799 tls_clear_handshake ( tls );
800
801 /* Allocate and initialise context */
802 tls->handshake_ctx = malloc ( digest->ctxsize );
803 if ( ! tls->handshake_ctx )
804 return -ENOMEM;
805 tls->handshake_digest = digest;
806 digest_init ( digest, tls->handshake_ctx );
807
808 return 0;
809}
810
811/**
812 * Add handshake record to verification hash
813 *
814 * @v tls TLS connection
815 * @v data Handshake record
816 * @v len Length of handshake record
817 * @ret rc Return status code
818 */
819static int tls_add_handshake ( struct tls_connection *tls,
820 const void *data, size_t len ) {
821 struct digest_algorithm *digest = tls->handshake_digest;
822
823 digest_update ( digest, tls->handshake_ctx, data, len );
824 return 0;
825}
826
827/**
828 * Calculate handshake verification hash
829 *
830 * @v tls TLS connection
831 * @v out Output buffer
832 *
833 * Calculates the digest over all handshake messages seen so far.
834 */
835static void tls_verify_handshake ( struct tls_connection *tls, void *out ) {
836 struct digest_algorithm *digest = tls->handshake_digest;
837 uint8_t ctx[ digest->ctxsize ];
838
839 memcpy ( ctx, tls->handshake_ctx, sizeof ( ctx ) );
840 digest_final ( digest, ctx, out );
841}
842
843/******************************************************************************
844 *
845 * Cipher suite management
846 *
847 ******************************************************************************
848 */
849
850/** Null cipher suite */
851struct tls_cipher_suite tls_cipher_suite_null = {
852 .exchange = &tls_pubkey_exchange_algorithm,
853 .pubkey = &pubkey_null,
854 .cipher = &cipher_null,
855 .digest = &digest_null,
856};
857
858/** Number of supported cipher suites */
859#define TLS_NUM_CIPHER_SUITES table_num_entries ( TLS_CIPHER_SUITES )
860
861/**
862 * Identify cipher suite
863 *
864 * @v cipher_suite Cipher suite specification
865 * @ret suite Cipher suite, or NULL
866 */
867static struct tls_cipher_suite *
868tls_find_cipher_suite ( unsigned int cipher_suite ) {
869 struct tls_cipher_suite *suite;
870
871 /* Identify cipher suite */
872 for_each_table_entry ( suite, TLS_CIPHER_SUITES ) {
873 if ( suite->code == cipher_suite )
874 return suite;
875 }
876
877 return NULL;
878}
879
880/**
881 * Clear cipher suite
882 *
883 * @v cipherspec TLS cipher specification
884 */
885static void tls_clear_cipher ( struct tls_connection *tls __unused,
886 struct tls_cipherspec *cipherspec ) {
887
888 free ( cipherspec->dynamic );
889 memset ( cipherspec, 0, sizeof ( *cipherspec ) );
890 cipherspec->suite = &tls_cipher_suite_null;
891}
892
893/**
894 * Set cipher suite
895 *
896 * @v tls TLS connection
897 * @v cipherspec TLS cipher specification
898 * @v suite Cipher suite
899 * @ret rc Return status code
900 */
901static int tls_set_cipher ( struct tls_connection *tls,
902 struct tls_cipherspec *cipherspec,
903 struct tls_cipher_suite *suite ) {
904 struct cipher_algorithm *cipher = suite->cipher;
905 size_t total;
906 void *dynamic;
907
908 /* Clear out old cipher contents, if any */
909 tls_clear_cipher ( tls, cipherspec );
910
911 /* Allocate dynamic storage */
912 total = ( cipher->ctxsize + suite->mac_len + suite->fixed_iv_len );
913 dynamic = zalloc ( total );
914 if ( ! dynamic ) {
915 DBGC ( tls, "TLS %p could not allocate %zd bytes for crypto "
916 "context\n", tls, total );
917 return -ENOMEM_CONTEXT;
918 }
919
920 /* Assign storage */
921 cipherspec->dynamic = dynamic;
922 cipherspec->cipher_ctx = dynamic; dynamic += cipher->ctxsize;
923 cipherspec->mac_secret = dynamic; dynamic += suite->mac_len;
924 cipherspec->fixed_iv = dynamic; dynamic += suite->fixed_iv_len;
925 assert ( ( cipherspec->dynamic + total ) == dynamic );
926
927 /* Store parameters */
928 cipherspec->suite = suite;
929
930 return 0;
931}
932
933/**
934 * Select next cipher suite
935 *
936 * @v tls TLS connection
937 * @v cipher_suite Cipher suite specification
938 * @ret rc Return status code
939 */
940static int tls_select_cipher ( struct tls_connection *tls,
941 unsigned int cipher_suite ) {
942 struct tls_cipher_suite *suite;
943 struct digest_algorithm *digest;
944 int rc;
945
946 /* Identify cipher suite */
947 suite = tls_find_cipher_suite ( cipher_suite );
948 if ( ! suite ) {
949 DBGC ( tls, "TLS %p does not support cipher %04x\n",
950 tls, ntohs ( cipher_suite ) );
951 return -ENOTSUP_CIPHER;
952 }
953
954 /* Set handshake digest algorithm */
955 digest = ( tls_version ( tls, TLS_VERSION_TLS_1_2 ) ?
956 suite->handshake : &md5_sha1_algorithm );
957 if ( ( rc = tls_select_handshake ( tls, digest ) ) != 0 )
958 return rc;
959
960 /* Set ciphers */
961 if ( ( rc = tls_set_cipher ( tls, &tls->tx.cipherspec.pending,
962 suite ) ) != 0 )
963 return rc;
964 if ( ( rc = tls_set_cipher ( tls, &tls->rx.cipherspec.pending,
965 suite ) ) != 0 )
966 return rc;
967
968 DBGC ( tls, "TLS %p selected %s-%s-%s-%d-%s\n", tls,
969 suite->exchange->name, suite->pubkey->name,
970 suite->cipher->name, ( suite->key_len * 8 ),
971 suite->digest->name );
972
973 return 0;
974}
975
976/**
977 * Activate next cipher suite
978 *
979 * @v tls TLS connection
980 * @v pair Cipher specification pair
981 * @ret rc Return status code
982 */
983static int tls_change_cipher ( struct tls_connection *tls,
984 struct tls_cipherspec_pair *pair ) {
985
986 /* Sanity check */
987 if ( pair->pending.suite == &tls_cipher_suite_null ) {
988 DBGC ( tls, "TLS %p refusing to use null cipher\n", tls );
989 return -ENOTSUP_NULL;
990 }
991
992 tls_clear_cipher ( tls, &pair->active );
993 memswap ( &pair->active, &pair->pending, sizeof ( pair->active ) );
994 return 0;
995}
996
997/******************************************************************************
998 *
999 * Signature and hash algorithms
1000 *
1001 ******************************************************************************
1002 */
1003
1004/** Number of supported signature and hash algorithms */
1005#define TLS_NUM_SIG_HASH_ALGORITHMS \
1006 table_num_entries ( TLS_SIG_HASH_ALGORITHMS )
1007
1008/**
1009 * Find TLS signature and hash algorithm
1010 *
1011 * @v pubkey Public-key algorithm
1012 * @v digest Digest algorithm
1013 * @ret sig_hash Signature and hash algorithm, or NULL
1014 */
1015static struct tls_signature_hash_algorithm *
1016tls_signature_hash_algorithm ( struct pubkey_algorithm *pubkey,
1017 struct digest_algorithm *digest ) {
1018 struct tls_signature_hash_algorithm *sig_hash;
1019
1020 /* Identify signature and hash algorithm */
1021 for_each_table_entry ( sig_hash, TLS_SIG_HASH_ALGORITHMS ) {
1022 if ( ( sig_hash->pubkey == pubkey ) &&
1023 ( sig_hash->digest == digest ) ) {
1024 return sig_hash;
1025 }
1026 }
1027
1028 return NULL;
1029}
1030
1031/**
1032 * Find TLS signature algorithm
1033 *
1034 * @v code Signature and hash algorithm identifier
1035 * @ret pubkey Public key algorithm, or NULL
1036 */
1037static struct pubkey_algorithm *
1038tls_signature_hash_pubkey ( struct tls_signature_hash_id code ) {
1039 struct tls_signature_hash_algorithm *sig_hash;
1040
1041 /* Identify signature and hash algorithm */
1042 for_each_table_entry ( sig_hash, TLS_SIG_HASH_ALGORITHMS ) {
1043 if ( sig_hash->code.signature == code.signature )
1044 return sig_hash->pubkey;
1045 }
1046
1047 return NULL;
1048}
1049
1050/**
1051 * Find TLS hash algorithm
1052 *
1053 * @v code Signature and hash algorithm identifier
1054 * @ret digest Digest algorithm, or NULL
1055 */
1056static struct digest_algorithm *
1057tls_signature_hash_digest ( struct tls_signature_hash_id code ) {
1058 struct tls_signature_hash_algorithm *sig_hash;
1059
1060 /* Identify signature and hash algorithm */
1061 for_each_table_entry ( sig_hash, TLS_SIG_HASH_ALGORITHMS ) {
1062 if ( sig_hash->code.hash == code.hash )
1063 return sig_hash->digest;
1064 }
1065
1066 return NULL;
1067}
1068
1069/******************************************************************************
1070 *
1071 * Ephemeral Elliptic Curve Diffie-Hellman key exchange
1072 *
1073 ******************************************************************************
1074 */
1075
1076/** Number of supported named curves */
1077#define TLS_NUM_NAMED_CURVES table_num_entries ( TLS_NAMED_CURVES )
1078
1079/**
1080 * Identify named curve
1081 *
1082 * @v named_curve Named curve specification
1083 * @ret curve Named curve, or NULL
1084 */
1085static struct tls_named_curve *
1086tls_find_named_curve ( unsigned int named_curve ) {
1087 struct tls_named_curve *curve;
1088
1089 /* Identify named curve */
1090 for_each_table_entry ( curve, TLS_NAMED_CURVES ) {
1091 if ( curve->code == named_curve )
1092 return curve;
1093 }
1094
1095 return NULL;
1096}
1097
1098/******************************************************************************
1099 *
1100 * Record handling
1101 *
1102 ******************************************************************************
1103 */
1104
1105/**
1106 * Resume TX state machine
1107 *
1108 * @v tls TLS connection
1109 */
1110static void tls_tx_resume ( struct tls_connection *tls ) {
1111 process_add ( &tls->tx.process );
1112}
1113
1114/**
1115 * Resume TX state machine for all connections within a session
1116 *
1117 * @v session TLS session
1118 */
1119static void tls_tx_resume_all ( struct tls_session *session ) {
1120 struct tls_connection *tls;
1121
1122 list_for_each_entry ( tls, &session->conn, list )
1123 tls_tx_resume ( tls );
1124}
1125
1126/**
1127 * Restart negotiation
1128 *
1129 * @v tls TLS connection
1130 */
1131static void tls_restart ( struct tls_connection *tls ) {
1132
1133 /* Sanity check */
1134 assert ( ! tls->tx.pending );
1135 assert ( ! is_pending ( &tls->client.negotiation ) );
1136 assert ( ! is_pending ( &tls->server.negotiation ) );
1137 assert ( ! is_pending ( &tls->server.validation ) );
1138
1139 /* (Re)start negotiation */
1140 tls->tx.pending = TLS_TX_CLIENT_HELLO;
1141 tls_tx_resume ( tls );
1142 pending_get ( &tls->client.negotiation );
1143 pending_get ( &tls->server.negotiation );
1144}
1145
1146/**
1147 * Transmit Handshake record
1148 *
1149 * @v tls TLS connection
1150 * @v data Plaintext record
1151 * @v len Length of plaintext record
1152 * @ret rc Return status code
1153 */
1154static int tls_send_handshake ( struct tls_connection *tls,
1155 const void *data, size_t len ) {
1156
1157 /* Send record */
1158 return tls_send_plaintext ( tls, TLS_TYPE_HANDSHAKE, data, len );
1159}
1160
1161/**
1162 * Digest or transmit Client Hello record
1163 *
1164 * @v tls TLS connection
1165 * @v action Action to take on Client Hello record
1166 * @ret rc Return status code
1167 */
1168static int tls_client_hello ( struct tls_connection *tls,
1169 int ( * action ) ( struct tls_connection *tls,
1170 const void *data,
1171 size_t len ) ) {
1172 struct tls_session *session = tls->session;
1173 size_t name_len = strlen ( session->name );
1174 struct {
1175 uint16_t type;
1176 uint16_t len;
1177 struct {
1178 uint16_t len;
1179 struct {
1180 uint8_t type;
1181 uint16_t len;
1182 uint8_t name[name_len];
1183 } __attribute__ (( packed )) list[1];
1184 } __attribute__ (( packed )) data;
1185 } __attribute__ (( packed )) *server_name_ext;
1186 struct {
1187 uint16_t type;
1188 uint16_t len;
1189 struct {
1190 uint8_t max;
1191 } __attribute__ (( packed )) data;
1192 } __attribute__ (( packed )) *max_fragment_length_ext;
1193 struct {
1194 uint16_t type;
1195 uint16_t len;
1196 struct {
1197 uint16_t len;
1198 struct tls_signature_hash_id
1199 code[TLS_NUM_SIG_HASH_ALGORITHMS];
1200 } __attribute__ (( packed )) data;
1201 } __attribute__ (( packed )) *signature_algorithms_ext;
1202 struct {
1203 uint16_t type;
1204 uint16_t len;
1205 struct {
1206 uint8_t len;
1207 uint8_t data[ tls->secure_renegotiation ?
1208 sizeof ( tls->verify.client ) :0 ];
1209 } __attribute__ (( packed )) data;
1210 } __attribute__ (( packed )) *renegotiation_info_ext;
1211 struct {
1212 uint16_t type;
1213 uint16_t len;
1214 struct {
1215 uint8_t data[session->ticket_len];
1216 } __attribute__ (( packed )) data;
1217 } __attribute__ (( packed )) *session_ticket_ext;
1218 struct {
1219 uint16_t type;
1220 uint16_t len;
1221 struct {
1222 uint16_t len;
1223 uint16_t code[TLS_NUM_NAMED_CURVES];
1224 } __attribute__ (( packed )) data;
1225 } __attribute__ (( packed )) *named_curve_ext;
1226 struct {
1227 uint16_t type;
1228 uint16_t len;
1229 } __attribute__ (( packed )) *extended_master_secret_ext;
1230 struct {
1231 typeof ( *server_name_ext ) server_name;
1232 typeof ( *max_fragment_length_ext ) max_fragment_length;
1233 typeof ( *signature_algorithms_ext ) signature_algorithms;
1234 typeof ( *renegotiation_info_ext ) renegotiation_info;
1235 typeof ( *session_ticket_ext ) session_ticket;
1236 typeof ( *extended_master_secret_ext ) extended_master_secret;
1237 typeof ( *named_curve_ext )
1238 named_curve[TLS_NUM_NAMED_CURVES ? 1 : 0];
1239 } __attribute__ (( packed )) *extensions;
1240 struct {
1241 uint32_t type_length;
1242 uint16_t version;
1243 uint8_t random[32];
1244 uint8_t session_id_len;
1245 uint8_t session_id[tls->session_id_len];
1246 uint16_t cipher_suite_len;
1247 uint16_t cipher_suites[TLS_NUM_CIPHER_SUITES];
1248 uint8_t compression_methods_len;
1249 uint8_t compression_methods[1];
1250 uint16_t extensions_len;
1251 typeof ( *extensions ) extensions;
1252 } __attribute__ (( packed )) hello;
1253 struct tls_cipher_suite *suite;
1254 struct tls_signature_hash_algorithm *sighash;
1255 struct tls_named_curve *curve;
1256 unsigned int i;
1257
1258 /* Construct record */
1259 memset ( &hello, 0, sizeof ( hello ) );
1260 hello.type_length = ( cpu_to_le32 ( TLS_CLIENT_HELLO ) |
1261 htonl ( sizeof ( hello ) -
1262 sizeof ( hello.type_length ) ) );
1263 hello.version = htons ( TLS_VERSION_MAX );
1264 memcpy ( &hello.random, &tls->client.random, sizeof ( hello.random ) );
1265 hello.session_id_len = tls->session_id_len;
1266 memcpy ( hello.session_id, tls->session_id,
1267 sizeof ( hello.session_id ) );
1268 hello.cipher_suite_len = htons ( sizeof ( hello.cipher_suites ) );
1269 i = 0 ; for_each_table_entry ( suite, TLS_CIPHER_SUITES )
1270 hello.cipher_suites[i++] = suite->code;
1271 hello.compression_methods_len = sizeof ( hello.compression_methods );
1272 hello.extensions_len = htons ( sizeof ( hello.extensions ) );
1273 extensions = &hello.extensions;
1274
1275 /* Construct server name extension */
1276 server_name_ext = &extensions->server_name;
1277 server_name_ext->type = htons ( TLS_SERVER_NAME );
1278 server_name_ext->len = htons ( sizeof ( server_name_ext->data ) );
1279 server_name_ext->data.len
1280 = htons ( sizeof ( server_name_ext->data.list ) );
1281 server_name_ext->data.list[0].type = TLS_SERVER_NAME_HOST_NAME;
1282 server_name_ext->data.list[0].len
1283 = htons ( sizeof ( server_name_ext->data.list[0].name ) );
1284 memcpy ( server_name_ext->data.list[0].name, session->name,
1285 sizeof ( server_name_ext->data.list[0].name ) );
1286
1287 /* Construct maximum fragment length extension */
1288 max_fragment_length_ext = &extensions->max_fragment_length;
1289 max_fragment_length_ext->type = htons ( TLS_MAX_FRAGMENT_LENGTH );
1290 max_fragment_length_ext->len
1291 = htons ( sizeof ( max_fragment_length_ext->data ) );
1292 max_fragment_length_ext->data.max = TLS_MAX_FRAGMENT_LENGTH_VALUE;
1293
1294 /* Construct supported signature algorithms extension */
1295 signature_algorithms_ext = &extensions->signature_algorithms;
1296 signature_algorithms_ext->type = htons ( TLS_SIGNATURE_ALGORITHMS );
1297 signature_algorithms_ext->len
1298 = htons ( sizeof ( signature_algorithms_ext->data ) );
1299 signature_algorithms_ext->data.len
1300 = htons ( sizeof ( signature_algorithms_ext->data.code ) );
1301 i = 0 ; for_each_table_entry ( sighash, TLS_SIG_HASH_ALGORITHMS )
1302 signature_algorithms_ext->data.code[i++] = sighash->code;
1303
1304 /* Construct renegotiation information extension */
1305 renegotiation_info_ext = &extensions->renegotiation_info;
1306 renegotiation_info_ext->type = htons ( TLS_RENEGOTIATION_INFO );
1307 renegotiation_info_ext->len
1308 = htons ( sizeof ( renegotiation_info_ext->data ) );
1309 renegotiation_info_ext->data.len
1310 = sizeof ( renegotiation_info_ext->data.data );
1311 memcpy ( renegotiation_info_ext->data.data, tls->verify.client,
1312 sizeof ( renegotiation_info_ext->data.data ) );
1313
1314 /* Construct session ticket extension */
1315 session_ticket_ext = &extensions->session_ticket;
1316 session_ticket_ext->type = htons ( TLS_SESSION_TICKET );
1317 session_ticket_ext->len
1318 = htons ( sizeof ( session_ticket_ext->data ) );
1319 memcpy ( session_ticket_ext->data.data, session->ticket,
1320 sizeof ( session_ticket_ext->data.data ) );
1321
1322 /* Construct extended master secret extension */
1323 extended_master_secret_ext = &extensions->extended_master_secret;
1324 extended_master_secret_ext->type
1325 = htons ( TLS_EXTENDED_MASTER_SECRET );
1326 extended_master_secret_ext->len = 0;
1327
1328 /* Construct named curves extension, if applicable */
1329 if ( sizeof ( extensions->named_curve ) ) {
1330 named_curve_ext = &extensions->named_curve[0];
1331 named_curve_ext->type = htons ( TLS_NAMED_CURVE );
1332 named_curve_ext->len
1333 = htons ( sizeof ( named_curve_ext->data ) );
1334 named_curve_ext->data.len
1335 = htons ( sizeof ( named_curve_ext->data.code ) );
1336 i = 0 ; for_each_table_entry ( curve, TLS_NAMED_CURVES )
1337 named_curve_ext->data.code[i++] = curve->code;
1338 }
1339
1340 return action ( tls, &hello, sizeof ( hello ) );
1341}
1342
1343/**
1344 * Transmit Client Hello record
1345 *
1346 * @v tls TLS connection
1347 * @ret rc Return status code
1348 */
1349static int tls_send_client_hello ( struct tls_connection *tls ) {
1350
1351 return tls_client_hello ( tls, tls_send_handshake );
1352}
1353
1354/**
1355 * Transmit Certificate record
1356 *
1357 * @v tls TLS connection
1358 * @ret rc Return status code
1359 */
1360static int tls_send_certificate ( struct tls_connection *tls ) {
1361 struct {
1362 tls24_t length;
1363 uint8_t data[0];
1364 } __attribute__ (( packed )) *certificate;
1365 struct {
1366 uint32_t type_length;
1367 tls24_t length;
1368 typeof ( *certificate ) certificates[0];
1369 } __attribute__ (( packed )) *certificates;
1370 struct x509_link *link;
1371 struct x509_certificate *cert;
1372 struct io_buffer *iobuf;
1373 size_t len;
1374
1375 /* Calculate length of client certificates */
1376 len = 0;
1377 list_for_each_entry ( link, &tls->client.chain->links, list ) {
1378 cert = link->cert;
1379 len += ( sizeof ( *certificate ) + cert->raw.len );
1380 DBGC ( tls, "TLS %p sending client certificate %s\n",
1381 tls, x509_name ( cert ) );
1382 }
1383
1384 /* Allocate storage for Certificate record (which may be too
1385 * large for the stack).
1386 */
1387 iobuf = tls_alloc_iob ( tls, ( sizeof ( *certificates ) + len ) );
1388 if ( ! iobuf )
1389 return -ENOMEM_CERTIFICATE;
1390
1391 /* Populate record */
1392 certificates = iob_put ( iobuf, sizeof ( *certificates ) );
1393 certificates->type_length =
1394 ( cpu_to_le32 ( TLS_CERTIFICATE ) |
1395 htonl ( sizeof ( *certificates ) + len -
1396 sizeof ( certificates->type_length ) ) );
1397 tls_set_uint24 ( &certificates->length, len );
1398 list_for_each_entry ( link, &tls->client.chain->links, list ) {
1399 cert = link->cert;
1400 certificate = iob_put ( iobuf, sizeof ( *certificate ) );
1401 tls_set_uint24 ( &certificate->length, cert->raw.len );
1402 memcpy ( iob_put ( iobuf, cert->raw.len ), cert->raw.data,
1403 cert->raw.len );
1404 }
1405
1406 /* Transmit record */
1407 return tls_send_record ( tls, TLS_TYPE_HANDSHAKE,
1408 iob_disown ( iobuf ) );
1409}
1410
1411/**
1412 * Transmit Client Key Exchange record using public key exchange
1413 *
1414 * @v tls TLS connection
1415 * @ret rc Return status code
1416 */
1417static int tls_send_client_key_exchange_pubkey ( struct tls_connection *tls ) {
1418 struct tls_cipherspec *cipherspec = &tls->tx.cipherspec.pending;
1419 struct pubkey_algorithm *pubkey = cipherspec->suite->pubkey;
1420 struct {
1421 uint16_t version;
1422 uint8_t random[46];
1423 } __attribute__ (( packed )) pre_master_secret;
1424 struct asn1_cursor cursor = {
1425 .data = &pre_master_secret,
1426 .len = sizeof ( pre_master_secret ),
1427 };
1428 struct asn1_builder builder = { NULL, 0 };
1429 int rc;
1430
1431 /* Generate pre-master secret */
1432 pre_master_secret.version = htons ( TLS_VERSION_MAX );
1433 if ( ( rc = tls_generate_random ( tls, &pre_master_secret.random,
1434 ( sizeof ( pre_master_secret.random ) ) ) ) != 0 ) {
1435 goto err_random;
1436 }
1437
1438 /* Encrypt pre-master secret using server's public key */
1439 if ( ( rc = pubkey_encrypt ( pubkey, &tls->server.key, &cursor,
1440 &builder ) ) != 0 ) {
1441 DBGC ( tls, "TLS %p could not encrypt pre-master secret: %s\n",
1442 tls, strerror ( rc ) );
1443 goto err_encrypt;
1444 }
1445
1446 /* Construct Client Key Exchange record */
1447 {
1448 struct {
1449 uint32_t type_length;
1450 uint16_t encrypted_pre_master_secret_len;
1451 } __attribute__ (( packed )) header;
1452
1453 header.type_length =
1454 ( cpu_to_le32 ( TLS_CLIENT_KEY_EXCHANGE ) |
1455 htonl ( builder.len + sizeof ( header ) -
1456 sizeof ( header.type_length ) ) );
1457 header.encrypted_pre_master_secret_len = htons ( builder.len );
1458
1459 if ( ( rc = asn1_prepend_raw ( &builder, &header,
1460 sizeof ( header ) ) ) != 0 ) {
1461 DBGC ( tls, "TLS %p could not construct Client Key "
1462 "Exchange: %s\n", tls, strerror ( rc ) );
1463 goto err_prepend;
1464 }
1465 }
1466
1467 /* Transmit Client Key Exchange record */
1468 if ( ( rc = tls_send_handshake ( tls, builder.data,
1469 builder.len ) ) != 0 ) {
1470 goto err_send;
1471 }
1472
1473 /* Generate master secret */
1474 tls_generate_master_secret ( tls, &pre_master_secret,
1475 sizeof ( pre_master_secret ) );
1476
1477 err_random:
1478 err_encrypt:
1479 err_prepend:
1480 err_send:
1481 free ( builder.data );
1482 return rc;
1483}
1484
1485/** Public key exchange algorithm */
1490
1491/**
1492 * Verify Diffie-Hellman parameter signature
1493 *
1494 * @v tls TLS connection
1495 * @v param_len Diffie-Hellman parameter length
1496 * @ret rc Return status code
1497 */
1498static int tls_verify_dh_params ( struct tls_connection *tls,
1499 size_t param_len ) {
1500 struct tls_cipherspec *cipherspec = &tls->tx.cipherspec.pending;
1501 struct pubkey_algorithm *pubkey;
1502 struct digest_algorithm *digest;
1503 int use_sig_hash = tls_version ( tls, TLS_VERSION_TLS_1_2 );
1504 const struct {
1505 struct tls_signature_hash_id sig_hash[use_sig_hash];
1506 uint16_t signature_len;
1507 uint8_t signature[0];
1508 } __attribute__ (( packed )) *sig;
1509 struct asn1_cursor signature;
1510 const void *data;
1511 size_t remaining;
1512 int rc;
1513
1514 /* Signature follows parameters */
1515 assert ( param_len <= tls->server.exchange_len );
1516 data = ( tls->server.exchange + param_len );
1517 remaining = ( tls->server.exchange_len - param_len );
1518
1519 /* Parse signature from ServerKeyExchange */
1520 sig = data;
1521 if ( ( sizeof ( *sig ) > remaining ) ||
1522 ( ntohs ( sig->signature_len ) > ( remaining -
1523 sizeof ( *sig ) ) ) ) {
1524 DBGC ( tls, "TLS %p received underlength ServerKeyExchange\n",
1525 tls );
1526 DBGC_HDA ( tls, 0, tls->server.exchange,
1527 tls->server.exchange_len );
1528 return -EINVAL_KEY_EXCHANGE;
1529 }
1530 signature.data = sig->signature;
1531 signature.len = ntohs ( sig->signature_len );
1532
1533 /* Identify signature and hash algorithm */
1534 if ( use_sig_hash ) {
1535 pubkey = tls_signature_hash_pubkey ( sig->sig_hash[0] );
1536 digest = tls_signature_hash_digest ( sig->sig_hash[0] );
1537 if ( ( ! pubkey ) || ( ! digest ) ) {
1538 DBGC ( tls, "TLS %p ServerKeyExchange unsupported "
1539 "signature and hash algorithm\n", tls );
1540 return -ENOTSUP_SIG_HASH;
1541 }
1542 if ( pubkey != cipherspec->suite->pubkey ) {
1543 DBGC ( tls, "TLS %p ServerKeyExchange incorrect "
1544 "signature algorithm %s (expected %s)\n", tls,
1545 pubkey->name, cipherspec->suite->pubkey->name );
1546 return -EPERM_KEY_EXCHANGE;
1547 }
1548 } else {
1549 pubkey = cipherspec->suite->pubkey;
1550 digest = &md5_sha1_algorithm;
1551 }
1552
1553 /* Verify signature */
1554 {
1555 uint8_t ctx[digest->ctxsize];
1556 uint8_t hash[digest->digestsize];
1557
1558 /* Calculate digest */
1559 digest_init ( digest, ctx );
1560 digest_update ( digest, ctx, &tls->client.random,
1561 sizeof ( tls->client.random ) );
1562 digest_update ( digest, ctx, tls->server.random,
1563 sizeof ( tls->server.random ) );
1564 digest_update ( digest, ctx, tls->server.exchange, param_len );
1565 digest_final ( digest, ctx, hash );
1566
1567 /* Verify signature */
1568 if ( ( rc = pubkey_verify ( pubkey, &tls->server.key, digest,
1569 hash, &signature ) ) != 0 ) {
1570 DBGC ( tls, "TLS %p ServerKeyExchange failed "
1571 "verification\n", tls );
1572 DBGC_HDA ( tls, 0, tls->server.exchange,
1573 tls->server.exchange_len );
1574 return -EPERM_KEY_EXCHANGE;
1575 }
1576 }
1577
1578 return 0;
1579}
1580
1581/**
1582 * Transmit Client Key Exchange record using DHE key exchange
1583 *
1584 * @v tls TLS connection
1585 * @ret rc Return status code
1586 */
1587static int tls_send_client_key_exchange_dhe ( struct tls_connection *tls ) {
1588 uint8_t private[ sizeof ( tls->client.random.random ) ];
1589 const struct {
1590 uint16_t len;
1591 uint8_t data[0];
1592 } __attribute__ (( packed )) *dh_val[3];
1593 const void *data;
1594 size_t remaining;
1595 size_t frag_len;
1596 size_t param_len;
1597 unsigned int i;
1598 int rc;
1599
1600 /* Parse ServerKeyExchange */
1601 data = tls->server.exchange;
1602 remaining = tls->server.exchange_len;
1603 for ( i = 0 ; i < ( sizeof ( dh_val ) / sizeof ( dh_val[0] ) ) ; i++ ){
1604 dh_val[i] = data;
1605 if ( ( sizeof ( *dh_val[i] ) > remaining ) ||
1606 ( ntohs ( dh_val[i]->len ) > ( remaining -
1607 sizeof ( *dh_val[i] ) ) )){
1608 DBGC ( tls, "TLS %p received underlength "
1609 "ServerKeyExchange\n", tls );
1610 DBGC_HDA ( tls, 0, tls->server.exchange,
1611 tls->server.exchange_len );
1612 rc = -EINVAL_KEY_EXCHANGE;
1613 goto err_header;
1614 }
1615 frag_len = ( sizeof ( *dh_val[i] ) + ntohs ( dh_val[i]->len ));
1616 data += frag_len;
1617 remaining -= frag_len;
1618 }
1619 param_len = ( tls->server.exchange_len - remaining );
1620
1621 /* Verify parameter signature */
1622 if ( ( rc = tls_verify_dh_params ( tls, param_len ) ) != 0 )
1623 goto err_verify;
1624
1625 /* Generate Diffie-Hellman private key */
1626 if ( ( rc = tls_generate_random ( tls, private,
1627 sizeof ( private ) ) ) != 0 ) {
1628 goto err_random;
1629 }
1630
1631 /* Construct pre-master secret and ClientKeyExchange record */
1632 {
1633 typeof ( dh_val[0] ) dh_p = dh_val[0];
1634 typeof ( dh_val[1] ) dh_g = dh_val[1];
1635 typeof ( dh_val[2] ) dh_ys = dh_val[2];
1636 size_t len = ntohs ( dh_p->len );
1637 struct {
1638 uint32_t type_length;
1639 uint16_t dh_xs_len;
1640 uint8_t dh_xs[len];
1641 } __attribute__ (( packed )) *key_xchg;
1642 struct {
1643 uint8_t pre_master_secret[len];
1644 typeof ( *key_xchg ) key_xchg;
1645 } *dynamic;
1646 uint8_t *pre_master_secret;
1647
1648 /* Allocate space */
1649 dynamic = malloc ( sizeof ( *dynamic ) );
1650 if ( ! dynamic ) {
1651 rc = -ENOMEM;
1652 goto err_alloc;
1653 }
1654 pre_master_secret = dynamic->pre_master_secret;
1655 key_xchg = &dynamic->key_xchg;
1656 key_xchg->type_length =
1657 ( cpu_to_le32 ( TLS_CLIENT_KEY_EXCHANGE ) |
1658 htonl ( sizeof ( *key_xchg ) -
1659 sizeof ( key_xchg->type_length ) ) );
1660 key_xchg->dh_xs_len = htons ( len );
1661
1662 /* Calculate pre-master secret and client public value */
1663 if ( ( rc = dhe_key ( dh_p->data, len,
1664 dh_g->data, ntohs ( dh_g->len ),
1665 dh_ys->data, ntohs ( dh_ys->len ),
1666 private, sizeof ( private ),
1667 key_xchg->dh_xs,
1668 pre_master_secret ) ) != 0 ) {
1669 DBGC ( tls, "TLS %p could not calculate DHE key: %s\n",
1670 tls, strerror ( rc ) );
1671 goto err_dhe_key;
1672 }
1673
1674 /* Strip leading zeroes from pre-master secret */
1675 while ( len && ( ! *pre_master_secret ) ) {
1676 pre_master_secret++;
1677 len--;
1678 }
1679
1680 /* Transmit Client Key Exchange record */
1681 if ( ( rc = tls_send_handshake ( tls, key_xchg,
1682 sizeof ( *key_xchg ) ) ) !=0){
1683 goto err_send_handshake;
1684 }
1685
1686 /* Generate master secret */
1687 tls_generate_master_secret ( tls, pre_master_secret, len );
1688
1689 err_send_handshake:
1690 err_dhe_key:
1691 free ( dynamic );
1692 }
1693 err_alloc:
1694 err_random:
1695 err_verify:
1696 err_header:
1697 return rc;
1698}
1699
1700/** Ephemeral Diffie-Hellman key exchange algorithm */
1705
1706/**
1707 * Transmit Client Key Exchange record using ECDHE key exchange
1708 *
1709 * @v tls TLS connection
1710 * @ret rc Return status code
1711 */
1712static int tls_send_client_key_exchange_ecdhe ( struct tls_connection *tls ) {
1713 struct tls_named_curve *curve;
1714 const struct {
1715 uint8_t curve_type;
1716 uint16_t named_curve;
1717 uint8_t public_len;
1718 uint8_t public[0];
1719 } __attribute__ (( packed )) *ecdh;
1720 size_t param_len;
1721 size_t pointsize;
1722 size_t keysize;
1723 size_t offset;
1724 int rc;
1725
1726 /* Parse ServerKeyExchange record */
1727 ecdh = tls->server.exchange;
1728 if ( ( sizeof ( *ecdh ) > tls->server.exchange_len ) ||
1729 ( ecdh->public_len > ( tls->server.exchange_len -
1730 sizeof ( *ecdh ) ) ) ) {
1731 DBGC ( tls, "TLS %p received underlength ServerKeyExchange\n",
1732 tls );
1733 DBGC_HDA ( tls, 0, tls->server.exchange,
1734 tls->server.exchange_len );
1735 return -EINVAL_KEY_EXCHANGE;
1736 }
1737 param_len = ( sizeof ( *ecdh ) + ecdh->public_len );
1738
1739 /* Verify parameter signature */
1740 if ( ( rc = tls_verify_dh_params ( tls, param_len ) ) != 0 )
1741 return rc;
1742
1743 /* Identify named curve */
1744 if ( ecdh->curve_type != TLS_NAMED_CURVE_TYPE ) {
1745 DBGC ( tls, "TLS %p unsupported curve type %d\n",
1746 tls, ecdh->curve_type );
1747 DBGC_HDA ( tls, 0, tls->server.exchange,
1748 tls->server.exchange_len );
1749 return -ENOTSUP_CURVE;
1750 }
1751 curve = tls_find_named_curve ( ecdh->named_curve );
1752 if ( ! curve ) {
1753 DBGC ( tls, "TLS %p unsupported named curve %d\n",
1754 tls, ntohs ( ecdh->named_curve ) );
1755 DBGC_HDA ( tls, 0, tls->server.exchange,
1756 tls->server.exchange_len );
1757 return -ENOTSUP_CURVE;
1758 }
1759 DBGC ( tls, "TLS %p using named curve %s\n", tls, curve->curve->name );
1760 pointsize = curve->curve->pointsize;
1761 keysize = curve->curve->keysize;
1762 offset = ( curve->format ? 1 : 0 );
1763
1764 /* Check key length */
1765 if ( ecdh->public_len != ( offset + pointsize ) ) {
1766 DBGC ( tls, "TLS %p invalid %s key\n",
1767 tls, curve->curve->name );
1768 DBGC_HDA ( tls, 0, tls->server.exchange,
1769 tls->server.exchange_len );
1770 return -EINVAL_KEY_EXCHANGE;
1771 }
1772
1773 /* Check curve point format byte (if present) */
1774 if ( curve->format && ( ecdh->public[0] != curve->format ) ) {
1775 DBGC ( tls, "TLS %p invalid %s curve point format\n",
1776 tls, curve->curve->name );
1777 DBGC_HDA ( tls, 0, tls->server.exchange,
1778 tls->server.exchange_len );
1779 return -EINVAL_KEY_EXCHANGE;
1780 }
1781
1782 /* Construct pre-master secret and ClientKeyExchange record */
1783 {
1784 uint8_t private[keysize];
1785 uint8_t pre_master_secret[pointsize];
1786 struct {
1787 uint32_t type_length;
1788 uint8_t public_len;
1789 uint8_t public[ecdh->public_len];
1790 } __attribute__ (( packed )) key_xchg;
1791
1792 /* Generate ephemeral private key */
1793 if ( ( rc = tls_generate_random ( tls, private,
1794 sizeof ( private ) ) ) != 0){
1795 return rc;
1796 }
1797
1798 /* Exchange keys */
1799 if ( ( rc = ecdhe_key ( curve->curve, ( ecdh->public + offset ),
1800 private, ( key_xchg.public + offset ),
1801 pre_master_secret ) ) != 0 ) {
1802 DBGC ( tls, "TLS %p could not exchange ECDHE key: %s\n",
1803 tls, strerror ( rc ) );
1804 return rc;
1805 }
1806
1807 /* Generate Client Key Exchange record */
1808 key_xchg.type_length =
1809 ( cpu_to_le32 ( TLS_CLIENT_KEY_EXCHANGE ) |
1810 htonl ( sizeof ( key_xchg ) -
1811 sizeof ( key_xchg.type_length ) ) );
1812 key_xchg.public_len = sizeof ( key_xchg.public );
1813 if ( curve->format )
1814 key_xchg.public[0] = curve->format;
1815
1816 /* Transmit Client Key Exchange record */
1817 if ( ( rc = tls_send_handshake ( tls, &key_xchg,
1818 sizeof ( key_xchg ) ) ) !=0){
1819 return rc;
1820 }
1821
1822 /* Generate master secret */
1823 tls_generate_master_secret ( tls, pre_master_secret,
1824 curve->pre_master_secret_len );
1825 }
1826
1827 return 0;
1828}
1829
1830/** Ephemeral Elliptic Curve Diffie-Hellman key exchange algorithm */
1835
1836/**
1837 * Transmit Client Key Exchange record
1838 *
1839 * @v tls TLS connection
1840 * @ret rc Return status code
1841 */
1842static int tls_send_client_key_exchange ( struct tls_connection *tls ) {
1843 struct tls_cipherspec *cipherspec = &tls->tx.cipherspec.pending;
1844 struct tls_cipher_suite *suite = cipherspec->suite;
1845 int rc;
1846
1847 /* Transmit Client Key Exchange record via key exchange algorithm */
1848 if ( ( rc = suite->exchange->exchange ( tls ) ) != 0 ) {
1849 DBGC ( tls, "TLS %p could not exchange keys: %s\n",
1850 tls, strerror ( rc ) );
1851 return rc;
1852 }
1853
1854 /* Generate keys from master secret */
1855 if ( ( rc = tls_generate_keys ( tls ) ) != 0 ) {
1856 DBGC ( tls, "TLS %p could not generate keys: %s\n",
1857 tls, strerror ( rc ) );
1858 return rc;
1859 }
1860
1861 return 0;
1862}
1863
1864/**
1865 * Transmit Certificate Verify record
1866 *
1867 * @v tls TLS connection
1868 * @ret rc Return status code
1869 */
1870static int tls_send_certificate_verify ( struct tls_connection *tls ) {
1871 struct digest_algorithm *digest = tls->handshake_digest;
1872 struct x509_certificate *cert = x509_first ( tls->client.chain );
1873 struct pubkey_algorithm *pubkey = cert->signature_algorithm->pubkey;
1874 struct asn1_cursor *key = privkey_cursor ( tls->client.key );
1875 uint8_t digest_out[ digest->digestsize ];
1876 struct tls_signature_hash_algorithm *sig_hash = NULL;
1877 struct asn1_builder builder = { NULL, 0 };
1878 int rc;
1879
1880 /* Generate digest to be signed */
1881 tls_verify_handshake ( tls, digest_out );
1882
1883 /* TLSv1.2 and later use explicit algorithm identifiers */
1884 if ( tls_version ( tls, TLS_VERSION_TLS_1_2 ) ) {
1885 sig_hash = tls_signature_hash_algorithm ( pubkey, digest );
1886 if ( ! sig_hash ) {
1887 DBGC ( tls, "TLS %p could not identify (%s,%s) "
1888 "signature and hash algorithm\n", tls,
1889 pubkey->name, digest->name );
1890 rc = -ENOTSUP_SIG_HASH;
1891 goto err_sig_hash;
1892 }
1893 }
1894
1895 /* Sign digest */
1896 if ( ( rc = pubkey_sign ( pubkey, key, digest, digest_out,
1897 &builder ) ) != 0 ) {
1898 DBGC ( tls, "TLS %p could not sign %s digest using %s client "
1899 "private key: %s\n", tls, digest->name, pubkey->name,
1900 strerror ( rc ) );
1901 goto err_pubkey_sign;
1902 }
1903
1904 /* Construct Certificate Verify record */
1905 {
1906 int use_sig_hash = ( ( sig_hash == NULL ) ? 0 : 1 );
1907 struct {
1908 uint32_t type_length;
1909 struct tls_signature_hash_id sig_hash[use_sig_hash];
1910 uint16_t signature_len;
1911 } __attribute__ (( packed )) header;
1912
1913 header.type_length = ( cpu_to_le32 ( TLS_CERTIFICATE_VERIFY ) |
1914 htonl ( builder.len +
1915 sizeof ( header ) -
1916 sizeof ( header.type_length )));
1917 if ( use_sig_hash ) {
1918 memcpy ( &header.sig_hash[0], &sig_hash->code,
1919 sizeof ( header.sig_hash[0] ) );
1920 }
1921 header.signature_len = htons ( builder.len );
1922
1923 if ( ( rc = asn1_prepend_raw ( &builder, &header,
1924 sizeof ( header ) ) ) != 0 ) {
1925 DBGC ( tls, "TLS %p could not construct Certificate "
1926 "Verify: %s\n", tls, strerror ( rc ) );
1927 goto err_prepend;
1928 }
1929 }
1930
1931 /* Transmit record */
1932 if ( ( rc = tls_send_handshake ( tls, builder.data,
1933 builder.len ) ) != 0 ) {
1934 goto err_send;
1935 }
1936
1937 err_send:
1938 err_prepend:
1939 err_pubkey_sign:
1940 err_sig_hash:
1941 free ( builder.data );
1942 return rc;
1943}
1944
1945/**
1946 * Transmit Change Cipher record
1947 *
1948 * @v tls TLS connection
1949 * @ret rc Return status code
1950 */
1951static int tls_send_change_cipher ( struct tls_connection *tls ) {
1952 static const struct {
1953 uint8_t spec;
1954 } __attribute__ (( packed )) change_cipher = {
1955 .spec = TLS_CHANGE_CIPHER_SPEC,
1956 };
1957
1958 return tls_send_plaintext ( tls, TLS_TYPE_CHANGE_CIPHER,
1959 &change_cipher, sizeof ( change_cipher ) );
1960}
1961
1962/**
1963 * Transmit Finished record
1964 *
1965 * @v tls TLS connection
1966 * @ret rc Return status code
1967 */
1968static int tls_send_finished ( struct tls_connection *tls ) {
1969 struct digest_algorithm *digest = tls->handshake_digest;
1970 struct {
1971 uint32_t type_length;
1972 uint8_t verify_data[ sizeof ( tls->verify.client ) ];
1973 } __attribute__ (( packed )) finished;
1974 uint8_t digest_out[ digest->digestsize ];
1975 int rc;
1976
1977 /* Construct client verification data */
1978 tls_verify_handshake ( tls, digest_out );
1979 tls_prf_label ( tls, &tls->master_secret, sizeof ( tls->master_secret ),
1980 tls->verify.client, sizeof ( tls->verify.client ),
1981 "client finished", digest_out, sizeof ( digest_out ) );
1982
1983 /* Construct record */
1984 memset ( &finished, 0, sizeof ( finished ) );
1985 finished.type_length = ( cpu_to_le32 ( TLS_FINISHED ) |
1986 htonl ( sizeof ( finished ) -
1987 sizeof ( finished.type_length ) ) );
1988 memcpy ( finished.verify_data, tls->verify.client,
1989 sizeof ( finished.verify_data ) );
1990
1991 /* Transmit record */
1992 if ( ( rc = tls_send_handshake ( tls, &finished,
1993 sizeof ( finished ) ) ) != 0 )
1994 return rc;
1995
1996 /* Mark client as finished */
1997 pending_put ( &tls->client.negotiation );
1998
1999 return 0;
2000}
2001
2002/**
2003 * Receive new Change Cipher record
2004 *
2005 * @v tls TLS connection
2006 * @v iobuf I/O buffer
2007 * @ret rc Return status code
2008 */
2009static int tls_new_change_cipher ( struct tls_connection *tls,
2010 struct io_buffer *iobuf ) {
2011 const struct {
2012 uint8_t spec;
2013 } __attribute__ (( packed )) *change_cipher = iobuf->data;
2014 size_t len = iob_len ( iobuf );
2015 int rc;
2016
2017 /* Sanity check */
2018 if ( ( sizeof ( *change_cipher ) != len ) ||
2019 ( change_cipher->spec != TLS_CHANGE_CIPHER_SPEC ) ) {
2020 DBGC ( tls, "TLS %p received invalid Change Cipher\n", tls );
2021 DBGC_HD ( tls, change_cipher, len );
2022 return -EINVAL_CHANGE_CIPHER;
2023 }
2024 iob_pull ( iobuf, sizeof ( *change_cipher ) );
2025
2026 /* Change receive cipher spec */
2027 if ( ( rc = tls_change_cipher ( tls, &tls->rx.cipherspec ) ) != 0 ) {
2028 DBGC ( tls, "TLS %p could not activate RX cipher: %s\n",
2029 tls, strerror ( rc ) );
2030 return rc;
2031 }
2032 tls->rx.seq = ~( ( uint64_t ) 0 );
2033
2034 return 0;
2035}
2036
2037/**
2038 * Receive new Alert record
2039 *
2040 * @v tls TLS connection
2041 * @v iobuf I/O buffer
2042 * @ret rc Return status code
2043 */
2044static int tls_new_alert ( struct tls_connection *tls,
2045 struct io_buffer *iobuf ) {
2046 const struct {
2047 uint8_t level;
2048 uint8_t description;
2049 char next[0];
2050 } __attribute__ (( packed )) *alert = iobuf->data;
2051 size_t len = iob_len ( iobuf );
2052
2053 /* Sanity check */
2054 if ( sizeof ( *alert ) != len ) {
2055 DBGC ( tls, "TLS %p received overlength Alert\n", tls );
2056 DBGC_HD ( tls, alert, len );
2057 return -EINVAL_ALERT;
2058 }
2059 iob_pull ( iobuf, sizeof ( *alert ) );
2060
2061 /* Handle alert */
2062 switch ( alert->level ) {
2063 case TLS_ALERT_WARNING:
2064 DBGC ( tls, "TLS %p received warning alert %d\n",
2065 tls, alert->description );
2066 return 0;
2067 case TLS_ALERT_FATAL:
2068 DBGC ( tls, "TLS %p received fatal alert %d\n",
2069 tls, alert->description );
2070 return -EPERM_ALERT;
2071 default:
2072 DBGC ( tls, "TLS %p received unknown alert level %d"
2073 "(alert %d)\n", tls, alert->level, alert->description );
2074 return -EIO_ALERT;
2075 }
2076}
2077
2078/**
2079 * Receive new Hello Request handshake record
2080 *
2081 * @v tls TLS connection
2082 * @v data Plaintext handshake record
2083 * @v len Length of plaintext handshake record
2084 * @ret rc Return status code
2085 */
2086static int tls_new_hello_request ( struct tls_connection *tls,
2087 const void *data __unused,
2088 size_t len __unused ) {
2089
2090 /* Ignore if a handshake is in progress */
2091 if ( ! tls_ready ( tls ) ) {
2092 DBGC ( tls, "TLS %p ignoring Hello Request\n", tls );
2093 return 0;
2094 }
2095
2096 /* Fail unless server supports secure renegotiation */
2097 if ( ! ( tls->secure_renegotiation && tls->extended_master_secret ) ) {
2098 DBGC ( tls, "TLS %p refusing to renegotiate insecurely\n",
2099 tls );
2100 return -EPERM_RENEG_INSECURE;
2101 }
2102
2103 /* Restart negotiation */
2104 tls_restart ( tls );
2105
2106 return 0;
2107}
2108
2109/**
2110 * Receive new Server Hello handshake record
2111 *
2112 * @v tls TLS connection
2113 * @v data Plaintext handshake record
2114 * @v len Length of plaintext handshake record
2115 * @ret rc Return status code
2116 */
2117static int tls_new_server_hello ( struct tls_connection *tls,
2118 const void *data, size_t len ) {
2119 const struct {
2120 uint16_t version;
2121 uint8_t random[32];
2122 uint8_t session_id_len;
2123 uint8_t session_id[0];
2124 } __attribute__ (( packed )) *hello_a = data;
2125 const uint8_t *session_id;
2126 const struct {
2127 uint16_t cipher_suite;
2128 uint8_t compression_method;
2129 char next[0];
2130 } __attribute__ (( packed )) *hello_b;
2131 const struct {
2132 uint16_t len;
2133 uint8_t data[0];
2134 } __attribute__ (( packed )) *exts;
2135 const struct {
2136 uint16_t type;
2137 uint16_t len;
2138 uint8_t data[0];
2139 } __attribute__ (( packed )) *ext;
2140 const struct {
2141 uint8_t len;
2142 uint8_t data[0];
2143 } __attribute__ (( packed )) *reneg = NULL;
2144 const struct {
2145 uint8_t data[0];
2146 } __attribute__ (( packed )) *ems = NULL;
2147 uint16_t version;
2148 size_t exts_len;
2149 size_t ext_len;
2150 size_t remaining;
2151 int rc;
2152
2153 /* Parse header */
2154 if ( ( sizeof ( *hello_a ) > len ) ||
2155 ( hello_a->session_id_len > ( len - sizeof ( *hello_a ) ) ) ||
2156 ( sizeof ( *hello_b ) > ( len - sizeof ( *hello_a ) -
2157 hello_a->session_id_len ) ) ) {
2158 DBGC ( tls, "TLS %p received underlength Server Hello\n", tls );
2159 DBGC_HD ( tls, data, len );
2160 return -EINVAL_HELLO;
2161 }
2162 session_id = hello_a->session_id;
2163 hello_b = ( ( void * ) ( session_id + hello_a->session_id_len ) );
2164
2165 /* Parse extensions, if present */
2166 remaining = ( len - sizeof ( *hello_a ) - hello_a->session_id_len -
2167 sizeof ( *hello_b ) );
2168 if ( remaining ) {
2169
2170 /* Parse extensions length */
2171 exts = ( ( void * ) hello_b->next );
2172 if ( ( sizeof ( *exts ) > remaining ) ||
2173 ( ( exts_len = ntohs ( exts->len ) ) >
2174 ( remaining - sizeof ( *exts ) ) ) ) {
2175 DBGC ( tls, "TLS %p received underlength extensions\n",
2176 tls );
2177 DBGC_HD ( tls, data, len );
2178 return -EINVAL_HELLO;
2179 }
2180
2181 /* Parse extensions */
2182 for ( ext = ( ( void * ) exts->data ), remaining = exts_len ;
2183 remaining ;
2184 ext = ( ( ( void * ) ext ) + sizeof ( *ext ) + ext_len ),
2185 remaining -= ( sizeof ( *ext ) + ext_len ) ) {
2186
2187 /* Parse extension length */
2188 if ( ( sizeof ( *ext ) > remaining ) ||
2189 ( ( ext_len = ntohs ( ext->len ) ) >
2190 ( remaining - sizeof ( *ext ) ) ) ) {
2191 DBGC ( tls, "TLS %p received underlength "
2192 "extension\n", tls );
2193 DBGC_HD ( tls, data, len );
2194 return -EINVAL_HELLO;
2195 }
2196
2197 /* Record known extensions */
2198 switch ( ext->type ) {
2199 case htons ( TLS_RENEGOTIATION_INFO ) :
2200 reneg = ( ( void * ) ext->data );
2201 if ( ( sizeof ( *reneg ) > ext_len ) ||
2202 ( reneg->len >
2203 ( ext_len - sizeof ( *reneg ) ) ) ) {
2204 DBGC ( tls, "TLS %p received "
2205 "underlength renegotiation "
2206 "info\n", tls );
2207 DBGC_HD ( tls, data, len );
2208 return -EINVAL_HELLO;
2209 }
2210 break;
2211 case htons ( TLS_EXTENDED_MASTER_SECRET ) :
2212 ems = ( ( void * ) ext->data );
2213 break;
2214 }
2215 }
2216 }
2217
2218 /* Check and store protocol version */
2219 version = ntohs ( hello_a->version );
2220 if ( version < TLS_VERSION_MIN ) {
2221 DBGC ( tls, "TLS %p does not support protocol version %d.%d\n",
2222 tls, ( version >> 8 ), ( version & 0xff ) );
2223 return -ENOTSUP_VERSION;
2224 }
2225 if ( version > tls->version ) {
2226 DBGC ( tls, "TLS %p server attempted to illegally upgrade to "
2227 "protocol version %d.%d\n",
2228 tls, ( version >> 8 ), ( version & 0xff ) );
2229 return -EPROTO_VERSION;
2230 }
2231 tls->version = version;
2232 DBGC ( tls, "TLS %p using protocol version %d.%d\n",
2233 tls, ( version >> 8 ), ( version & 0xff ) );
2234
2235 /* Select cipher suite */
2236 if ( ( rc = tls_select_cipher ( tls, hello_b->cipher_suite ) ) != 0 )
2237 return rc;
2238
2239 /* Add preceding Client Hello to handshake digest */
2240 if ( ( rc = tls_client_hello ( tls, tls_add_handshake ) ) != 0 )
2241 return rc;
2242
2243 /* Copy out server random bytes */
2244 memcpy ( &tls->server.random, &hello_a->random,
2245 sizeof ( tls->server.random ) );
2246
2247 /* Handle extended master secret */
2248 tls->extended_master_secret = ( !! ems );
2249
2250 /* Check session ID */
2251 if ( hello_a->session_id_len &&
2252 ( hello_a->session_id_len == tls->session_id_len ) &&
2253 ( memcmp ( session_id, tls->session_id,
2254 tls->session_id_len ) == 0 ) ) {
2255
2256 /* Session ID match: reuse master secret */
2257 DBGC ( tls, "TLS %p resuming session ID:\n", tls );
2258 DBGC_HDA ( tls, 0, tls->session_id, tls->session_id_len );
2259 if ( ( rc = tls_generate_keys ( tls ) ) != 0 )
2260 return rc;
2261
2262 /* Ensure master secret generation method matches */
2263 if ( tls->extended_master_secret !=
2264 tls->session->extended_master_secret ) {
2265 DBGC ( tls, "TLS %p mismatched extended master secret "
2266 "extension\n", tls );
2267 return -EPERM_EMS;
2268 }
2269
2270 } else {
2271
2272 /* Record new session ID, if present */
2273 if ( hello_a->session_id_len &&
2274 ( hello_a->session_id_len <= sizeof ( tls->session_id ))){
2275 tls->session_id_len = hello_a->session_id_len;
2276 memcpy ( tls->session_id, session_id,
2277 tls->session_id_len );
2278 DBGC ( tls, "TLS %p new session ID:\n", tls );
2279 DBGC_HDA ( tls, 0, tls->session_id,
2280 tls->session_id_len );
2281 }
2282 }
2283
2284 /* Handle secure renegotiation */
2285 if ( tls->secure_renegotiation ) {
2286
2287 /* Secure renegotiation is expected; verify data */
2288 if ( ( reneg == NULL ) ||
2289 ( reneg->len != sizeof ( tls->verify ) ) ||
2290 ( memcmp ( reneg->data, &tls->verify,
2291 sizeof ( tls->verify ) ) != 0 ) ) {
2292 DBGC ( tls, "TLS %p server failed secure "
2293 "renegotiation\n", tls );
2294 return -EPERM_RENEG_VERIFY;
2295 }
2296
2297 } else if ( reneg != NULL ) {
2298
2299 /* Secure renegotiation is being enabled */
2300 if ( reneg->len != 0 ) {
2301 DBGC ( tls, "TLS %p server provided non-empty initial "
2302 "renegotiation\n", tls );
2303 return -EPERM_RENEG_VERIFY;
2304 }
2305 tls->secure_renegotiation = 1;
2306 }
2307
2308 return 0;
2309}
2310
2311/**
2312 * Receive New Session Ticket handshake record
2313 *
2314 * @v tls TLS connection
2315 * @v data Plaintext handshake record
2316 * @v len Length of plaintext handshake record
2317 * @ret rc Return status code
2318 */
2319static int tls_new_session_ticket ( struct tls_connection *tls,
2320 const void *data, size_t len ) {
2321 const struct {
2322 uint32_t lifetime;
2323 uint16_t len;
2324 uint8_t ticket[0];
2325 } __attribute__ (( packed )) *new_session_ticket = data;
2326 size_t ticket_len;
2327
2328 /* Parse header */
2329 if ( sizeof ( *new_session_ticket ) > len ) {
2330 DBGC ( tls, "TLS %p received underlength New Session Ticket\n",
2331 tls );
2332 DBGC_HD ( tls, data, len );
2333 return -EINVAL_TICKET;
2334 }
2335 ticket_len = ntohs ( new_session_ticket->len );
2336 if ( ticket_len > ( len - sizeof ( *new_session_ticket ) ) ) {
2337 DBGC ( tls, "TLS %p received overlength New Session Ticket\n",
2338 tls );
2339 DBGC_HD ( tls, data, len );
2340 return -EINVAL_TICKET;
2341 }
2342
2343 /* Free any unapplied new session ticket */
2344 free ( tls->new_session_ticket );
2345 tls->new_session_ticket = NULL;
2346 tls->new_session_ticket_len = 0;
2347
2348 /* Record ticket */
2349 tls->new_session_ticket = malloc ( ticket_len );
2350 if ( ! tls->new_session_ticket )
2351 return -ENOMEM;
2352 memcpy ( tls->new_session_ticket, new_session_ticket->ticket,
2353 ticket_len );
2354 tls->new_session_ticket_len = ticket_len;
2355 DBGC ( tls, "TLS %p new session ticket:\n", tls );
2356 DBGC_HDA ( tls, 0, tls->new_session_ticket,
2357 tls->new_session_ticket_len );
2358
2359 return 0;
2360}
2361
2362/**
2363 * Parse certificate chain
2364 *
2365 * @v tls TLS connection
2366 * @v data Certificate chain
2367 * @v len Length of certificate chain
2368 * @ret rc Return status code
2369 */
2370static int tls_parse_chain ( struct tls_connection *tls,
2371 const void *data, size_t len ) {
2372 size_t remaining = len;
2373 int rc;
2374
2375 /* Free any existing certificate chain */
2376 memset ( &tls->server.key, 0, sizeof ( tls->server.key ) );
2377 x509_chain_put ( tls->server.chain );
2378 tls->server.chain = NULL;
2379
2380 /* Create certificate chain */
2381 tls->server.chain = x509_alloc_chain();
2382 if ( ! tls->server.chain ) {
2383 rc = -ENOMEM_CHAIN;
2384 goto err_alloc_chain;
2385 }
2386
2387 /* Add certificates to chain */
2388 while ( remaining ) {
2389 const struct {
2390 tls24_t length;
2391 uint8_t data[0];
2392 } __attribute__ (( packed )) *certificate = data;
2393 size_t certificate_len;
2394 size_t record_len;
2395 struct x509_certificate *cert;
2396
2397 /* Parse header */
2398 if ( sizeof ( *certificate ) > remaining ) {
2399 DBGC ( tls, "TLS %p underlength certificate:\n", tls );
2400 DBGC_HDA ( tls, 0, data, remaining );
2401 rc = -EINVAL_CERTIFICATE;
2402 goto err_underlength;
2403 }
2404 certificate_len = tls_uint24 ( &certificate->length );
2405 if ( certificate_len > ( remaining - sizeof ( *certificate ) )){
2406 DBGC ( tls, "TLS %p overlength certificate:\n", tls );
2407 DBGC_HDA ( tls, 0, data, remaining );
2408 rc = -EINVAL_CERTIFICATE;
2409 goto err_overlength;
2410 }
2411 record_len = ( sizeof ( *certificate ) + certificate_len );
2412
2413 /* Add certificate to chain */
2414 if ( ( rc = x509_append_raw ( tls->server.chain,
2415 certificate->data,
2416 certificate_len ) ) != 0 ) {
2417 DBGC ( tls, "TLS %p could not append certificate: %s\n",
2418 tls, strerror ( rc ) );
2419 DBGC_HDA ( tls, 0, data, remaining );
2420 goto err_parse;
2421 }
2422 cert = x509_last ( tls->server.chain );
2423 DBGC ( tls, "TLS %p found certificate %s\n",
2424 tls, x509_name ( cert ) );
2425
2426 /* Move to next certificate in list */
2427 data += record_len;
2428 remaining -= record_len;
2429 }
2430
2431 return 0;
2432
2433 err_parse:
2434 err_overlength:
2435 err_underlength:
2436 memset ( &tls->server.key, 0, sizeof ( tls->server.key ) );
2437 x509_chain_put ( tls->server.chain );
2438 tls->server.chain = NULL;
2439 err_alloc_chain:
2440 return rc;
2441}
2442
2443/**
2444 * Receive new Certificate handshake record
2445 *
2446 * @v tls TLS connection
2447 * @v data Plaintext handshake record
2448 * @v len Length of plaintext handshake record
2449 * @ret rc Return status code
2450 */
2451static int tls_new_certificate ( struct tls_connection *tls,
2452 const void *data, size_t len ) {
2453 const struct {
2454 tls24_t length;
2455 uint8_t certificates[0];
2456 } __attribute__ (( packed )) *certificate = data;
2457 size_t certificates_len;
2458 int rc;
2459
2460 /* Parse header */
2461 if ( sizeof ( *certificate ) > len ) {
2462 DBGC ( tls, "TLS %p received underlength Server Certificate\n",
2463 tls );
2464 DBGC_HD ( tls, data, len );
2465 return -EINVAL_CERTIFICATES;
2466 }
2467 certificates_len = tls_uint24 ( &certificate->length );
2468 if ( certificates_len > ( len - sizeof ( *certificate ) ) ) {
2469 DBGC ( tls, "TLS %p received overlength Server Certificate\n",
2470 tls );
2471 DBGC_HD ( tls, data, len );
2472 return -EINVAL_CERTIFICATES;
2473 }
2474
2475 /* Parse certificate chain */
2476 if ( ( rc = tls_parse_chain ( tls, certificate->certificates,
2477 certificates_len ) ) != 0 )
2478 return rc;
2479
2480 return 0;
2481}
2482
2483/**
2484 * Receive new Server Key Exchange handshake record
2485 *
2486 * @v tls TLS connection
2487 * @v data Plaintext handshake record
2488 * @v len Length of plaintext handshake record
2489 * @ret rc Return status code
2490 */
2491static int tls_new_server_key_exchange ( struct tls_connection *tls,
2492 const void *data, size_t len ) {
2493
2494 /* Free any existing server key exchange record */
2495 free ( tls->server.exchange );
2496 tls->server.exchange_len = 0;
2497
2498 /* Allocate copy of server key exchange record */
2499 tls->server.exchange = malloc ( len );
2500 if ( ! tls->server.exchange )
2501 return -ENOMEM;
2502
2503 /* Store copy of server key exchange record for later
2504 * processing. We cannot verify the signature at this point
2505 * since the certificate validation will not yet have
2506 * completed.
2507 */
2508 memcpy ( tls->server.exchange, data, len );
2509 tls->server.exchange_len = len;
2510
2511 return 0;
2512}
2513
2514/**
2515 * Receive new Certificate Request handshake record
2516 *
2517 * @v tls TLS connection
2518 * @v data Plaintext handshake record
2519 * @v len Length of plaintext handshake record
2520 * @ret rc Return status code
2521 */
2522static int tls_new_certificate_request ( struct tls_connection *tls,
2523 const void *data __unused,
2524 size_t len __unused ) {
2525 struct x509_certificate *cert;
2526 int rc;
2527
2528 /* We can only send a single certificate, so there is no point
2529 * in parsing the Certificate Request.
2530 */
2531
2532 /* Free any existing client certificate chain */
2533 x509_chain_put ( tls->client.chain );
2534 tls->client.chain = NULL;
2535
2536 /* Create client certificate chain */
2537 tls->client.chain = x509_alloc_chain();
2538 if ( ! tls->client.chain ) {
2539 rc = -ENOMEM;
2540 goto err_alloc;
2541 }
2542
2543 /* Determine client certificate to be sent, if any */
2544 cert = x509_find_key ( NULL, tls->client.key );
2545 if ( cert ) {
2546 DBGC ( tls, "TLS %p selected client certificate %s\n",
2547 tls, x509_name ( cert ) );
2548
2549 /* Append client certificate to chain */
2550 if ( ( rc = x509_append ( tls->client.chain, cert ) ) != 0 )
2551 goto err_append;
2552
2553 /* Append any relevant issuer certificates */
2554 if ( ( rc = x509_auto_append ( tls->client.chain,
2555 &certstore ) ) != 0 )
2556 goto err_auto_append;
2557 } else {
2558
2559 /* Send an empty certificate chain */
2560 DBGC ( tls, "TLS %p could not find certificate corresponding "
2561 "to private key\n", tls );
2562 }
2563
2564 return 0;
2565
2566 err_auto_append:
2567 err_append:
2568 x509_chain_put ( tls->client.chain );
2569 tls->client.chain = NULL;
2570 err_alloc:
2571 return rc;
2572}
2573
2574/**
2575 * Receive new Server Hello Done handshake record
2576 *
2577 * @v tls TLS connection
2578 * @v data Plaintext handshake record
2579 * @v len Length of plaintext handshake record
2580 * @ret rc Return status code
2581 */
2582static int tls_new_server_hello_done ( struct tls_connection *tls,
2583 const void *data, size_t len ) {
2584 const struct {
2585 char next[0];
2586 } __attribute__ (( packed )) *hello_done = data;
2587 int rc;
2588
2589 /* Sanity check */
2590 if ( sizeof ( *hello_done ) != len ) {
2591 DBGC ( tls, "TLS %p received overlength Server Hello Done\n",
2592 tls );
2593 DBGC_HD ( tls, data, len );
2594 return -EINVAL_HELLO_DONE;
2595 }
2596
2597 /* Begin certificate validation */
2598 if ( ( rc = create_validator ( &tls->server.validator,
2599 tls->server.chain,
2600 tls->server.root ) ) != 0 ) {
2601 DBGC ( tls, "TLS %p could not start certificate validation: "
2602 "%s\n", tls, strerror ( rc ) );
2603 return rc;
2604 }
2605 pending_get ( &tls->server.validation );
2606
2607 return 0;
2608}
2609
2610/**
2611 * Receive new Finished handshake record
2612 *
2613 * @v tls TLS connection
2614 * @v data Plaintext handshake record
2615 * @v len Length of plaintext handshake record
2616 * @ret rc Return status code
2617 */
2618static int tls_new_finished ( struct tls_connection *tls,
2619 const void *data, size_t len ) {
2620 struct tls_session *session = tls->session;
2621 struct digest_algorithm *digest = tls->handshake_digest;
2622 const struct {
2623 uint8_t verify_data[ sizeof ( tls->verify.server ) ];
2624 char next[0];
2625 } __attribute__ (( packed )) *finished = data;
2626 uint8_t digest_out[ digest->digestsize ];
2627
2628 /* Sanity check */
2629 if ( sizeof ( *finished ) != len ) {
2630 DBGC ( tls, "TLS %p received overlength Finished\n", tls );
2631 DBGC_HD ( tls, data, len );
2632 return -EINVAL_FINISHED;
2633 }
2634
2635 /* Verify data */
2636 tls_verify_handshake ( tls, digest_out );
2637 tls_prf_label ( tls, &tls->master_secret, sizeof ( tls->master_secret ),
2638 tls->verify.server, sizeof ( tls->verify.server ),
2639 "server finished", digest_out, sizeof ( digest_out ) );
2640 if ( memcmp ( tls->verify.server, finished->verify_data,
2641 sizeof ( tls->verify.server ) ) != 0 ) {
2642 DBGC ( tls, "TLS %p verification failed\n", tls );
2643 return -EPERM_VERIFY;
2644 }
2645
2646 /* Mark server as finished */
2647 pending_put ( &tls->server.negotiation );
2648
2649 /* If we are resuming a session (i.e. if the server Finished
2650 * arrives before the client Finished is sent), then schedule
2651 * transmission of Change Cipher and Finished.
2652 */
2653 if ( is_pending ( &tls->client.negotiation ) ) {
2654 tls->tx.pending |= ( TLS_TX_CHANGE_CIPHER | TLS_TX_FINISHED );
2655 tls_tx_resume ( tls );
2656 }
2657
2658 /* Record session ID, ticket, and master secret, if applicable */
2659 if ( tls->session_id_len || tls->new_session_ticket_len ) {
2660 memcpy ( session->master_secret, tls->master_secret,
2661 sizeof ( session->master_secret ) );
2662 session->extended_master_secret = tls->extended_master_secret;
2663 }
2664 if ( tls->session_id_len ) {
2665 session->id_len = tls->session_id_len;
2666 memcpy ( session->id, tls->session_id, sizeof ( session->id ) );
2667 }
2668 if ( tls->new_session_ticket_len ) {
2669 free ( session->ticket );
2670 session->ticket = tls->new_session_ticket;
2671 session->ticket_len = tls->new_session_ticket_len;
2672 tls->new_session_ticket = NULL;
2673 tls->new_session_ticket_len = 0;
2674 }
2675
2676 /* Move to end of session's connection list and allow other
2677 * connections to start making progress.
2678 */
2679 list_del ( &tls->list );
2680 list_add_tail ( &tls->list, &session->conn );
2681 tls_tx_resume_all ( session );
2682
2683 /* Send notification of a window change */
2684 xfer_window_changed ( &tls->plainstream );
2685
2686 return 0;
2687}
2688
2689/**
2690 * Receive new Handshake record
2691 *
2692 * @v tls TLS connection
2693 * @v iobuf I/O buffer
2694 * @ret rc Return status code
2695 */
2696static int tls_new_handshake ( struct tls_connection *tls,
2697 struct io_buffer *iobuf ) {
2698 size_t remaining;
2699 int rc;
2700
2701 while ( ( remaining = iob_len ( iobuf ) ) ) {
2702 const struct {
2703 uint8_t type;
2704 tls24_t length;
2705 uint8_t payload[0];
2706 } __attribute__ (( packed )) *handshake = iobuf->data;
2707 const void *payload;
2708 size_t payload_len;
2709 size_t record_len;
2710
2711 /* Parse header */
2712 if ( sizeof ( *handshake ) > remaining ) {
2713 /* Leave remaining fragment unconsumed */
2714 break;
2715 }
2716 payload_len = tls_uint24 ( &handshake->length );
2717 if ( payload_len > ( remaining - sizeof ( *handshake ) ) ) {
2718 /* Leave remaining fragment unconsumed */
2719 break;
2720 }
2721 payload = &handshake->payload;
2722 record_len = ( sizeof ( *handshake ) + payload_len );
2723
2724 /* Handle payload */
2725 switch ( handshake->type ) {
2726 case TLS_HELLO_REQUEST:
2727 rc = tls_new_hello_request ( tls, payload,
2728 payload_len );
2729 break;
2730 case TLS_SERVER_HELLO:
2731 rc = tls_new_server_hello ( tls, payload, payload_len );
2732 break;
2733 case TLS_NEW_SESSION_TICKET:
2734 rc = tls_new_session_ticket ( tls, payload,
2735 payload_len );
2736 break;
2737 case TLS_CERTIFICATE:
2738 rc = tls_new_certificate ( tls, payload, payload_len );
2739 break;
2740 case TLS_SERVER_KEY_EXCHANGE:
2741 rc = tls_new_server_key_exchange ( tls, payload,
2742 payload_len );
2743 break;
2744 case TLS_CERTIFICATE_REQUEST:
2745 rc = tls_new_certificate_request ( tls, payload,
2746 payload_len );
2747 break;
2748 case TLS_SERVER_HELLO_DONE:
2749 rc = tls_new_server_hello_done ( tls, payload,
2750 payload_len );
2751 break;
2752 case TLS_FINISHED:
2753 rc = tls_new_finished ( tls, payload, payload_len );
2754 break;
2755 default:
2756 DBGC ( tls, "TLS %p ignoring handshake type %d\n",
2757 tls, handshake->type );
2758 rc = 0;
2759 break;
2760 }
2761
2762 /* Add to handshake digest (except for Hello Requests,
2763 * which are explicitly excluded).
2764 */
2765 if ( handshake->type != TLS_HELLO_REQUEST )
2766 tls_add_handshake ( tls, handshake, record_len );
2767
2768 /* Abort on failure */
2769 if ( rc != 0 )
2770 return rc;
2771
2772 /* Move to next handshake record */
2773 iob_pull ( iobuf, record_len );
2774 }
2775
2776 return 0;
2777}
2778
2779/**
2780 * Receive new unknown record
2781 *
2782 * @v tls TLS connection
2783 * @v iobuf I/O buffer
2784 * @ret rc Return status code
2785 */
2786static int tls_new_unknown ( struct tls_connection *tls __unused,
2787 struct io_buffer *iobuf ) {
2788
2789 /* RFC4346 says that we should just ignore unknown record types */
2790 iob_pull ( iobuf, iob_len ( iobuf ) );
2791 return 0;
2792}
2793
2794/**
2795 * Receive new data record
2796 *
2797 * @v tls TLS connection
2798 * @v rx_data List of received data buffers
2799 * @ret rc Return status code
2800 */
2801static int tls_new_data ( struct tls_connection *tls,
2802 struct list_head *rx_data ) {
2803 struct io_buffer *iobuf;
2804 int rc;
2805
2806 /* Fail unless we are ready to receive data */
2807 if ( ! tls_ready ( tls ) )
2808 return -ENOTCONN;
2809
2810 /* Deliver each I/O buffer in turn */
2811 while ( ( iobuf = list_first_entry ( rx_data, struct io_buffer,
2812 list ) ) ) {
2813 list_del ( &iobuf->list );
2814 if ( ( rc = xfer_deliver_iob ( &tls->plainstream,
2815 iobuf ) ) != 0 ) {
2816 DBGC ( tls, "TLS %p could not deliver data: "
2817 "%s\n", tls, strerror ( rc ) );
2818 return rc;
2819 }
2820 }
2821
2822 return 0;
2823}
2824
2825/**
2826 * Receive new record
2827 *
2828 * @v tls TLS connection
2829 * @v type Record type
2830 * @v rx_data List of received data buffers
2831 * @ret rc Return status code
2832 */
2833static int tls_new_record ( struct tls_connection *tls, unsigned int type,
2834 struct list_head *rx_data ) {
2835 int ( * handler ) ( struct tls_connection *tls,
2836 struct io_buffer *iobuf );
2837 struct io_buffer *tmp = NULL;
2838 struct io_buffer **iobuf;
2839 int rc;
2840
2841 /* Deliver data records as-is to the plainstream interface */
2842 if ( type == TLS_TYPE_DATA )
2843 return tls_new_data ( tls, rx_data );
2844
2845 /* Determine handler and fragment buffer */
2846 iobuf = &tmp;
2847 switch ( type ) {
2848 case TLS_TYPE_CHANGE_CIPHER:
2849 handler = tls_new_change_cipher;
2850 break;
2851 case TLS_TYPE_ALERT:
2852 handler = tls_new_alert;
2853 break;
2854 case TLS_TYPE_HANDSHAKE:
2855 handler = tls_new_handshake;
2856 iobuf = &tls->rx.handshake;
2857 break;
2858 default:
2859 DBGC ( tls, "TLS %p unknown record type %d\n", tls, type );
2860 handler = tls_new_unknown;
2861 break;
2862 }
2863
2864 /* Merge into a single I/O buffer */
2865 if ( *iobuf )
2866 list_add ( &(*iobuf)->list, rx_data );
2867 *iobuf = iob_concatenate ( rx_data );
2868 if ( ! *iobuf ) {
2869 DBGC ( tls, "TLS %p could not concatenate non-data record "
2870 "type %d\n", tls, type );
2871 rc = -ENOMEM_RX_CONCAT;
2872 goto err_concatenate;
2873 }
2874
2875 /* Handle record */
2876 if ( ( rc = handler ( tls, *iobuf ) ) != 0 )
2877 goto err_handle;
2878
2879 /* Discard I/O buffer if empty */
2880 if ( ! iob_len ( *iobuf ) ) {
2881 free_iob ( *iobuf );
2882 *iobuf = NULL;
2883 }
2884
2885 /* Sanity check */
2886 assert ( tmp == NULL );
2887
2888 return 0;
2889
2890 err_handle:
2891 free_iob ( *iobuf );
2892 *iobuf = NULL;
2893 err_concatenate:
2894 return rc;
2895}
2896
2897/******************************************************************************
2898 *
2899 * Record encryption/decryption
2900 *
2901 ******************************************************************************
2902 */
2903
2904/**
2905 * Initialise HMAC
2906 *
2907 * @v cipherspec Cipher specification
2908 * @v ctx Context
2909 * @v authhdr Authentication header
2910 */
2911static void tls_hmac_init ( struct tls_cipherspec *cipherspec, void *ctx,
2912 struct tls_auth_header *authhdr ) {
2913 struct tls_cipher_suite *suite = cipherspec->suite;
2914 struct digest_algorithm *digest = suite->digest;
2915
2916 hmac_init ( digest, ctx, cipherspec->mac_secret, suite->mac_len );
2917 hmac_update ( digest, ctx, authhdr, sizeof ( *authhdr ) );
2918}
2919
2920/**
2921 * Update HMAC
2922 *
2923 * @v cipherspec Cipher specification
2924 * @v ctx Context
2925 * @v data Data
2926 * @v len Length of data
2927 */
2928static void tls_hmac_update ( struct tls_cipherspec *cipherspec, void *ctx,
2929 const void *data, size_t len ) {
2930 struct digest_algorithm *digest = cipherspec->suite->digest;
2931
2932 hmac_update ( digest, ctx, data, len );
2933}
2934
2935/**
2936 * Finalise HMAC
2937 *
2938 * @v cipherspec Cipher specification
2939 * @v ctx Context
2940 * @v mac HMAC to fill in
2941 */
2942static void tls_hmac_final ( struct tls_cipherspec *cipherspec, void *ctx,
2943 void *hmac ) {
2944 struct digest_algorithm *digest = cipherspec->suite->digest;
2945
2946 hmac_final ( digest, ctx, hmac );
2947}
2948
2949/**
2950 * Calculate HMAC
2951 *
2952 * @v cipherspec Cipher specification
2953 * @v authhdr Authentication header
2954 * @v data Data
2955 * @v len Length of data
2956 * @v mac HMAC to fill in
2957 */
2958static void tls_hmac ( struct tls_cipherspec *cipherspec,
2959 struct tls_auth_header *authhdr,
2960 const void *data, size_t len, void *hmac ) {
2961 struct digest_algorithm *digest = cipherspec->suite->digest;
2962 uint8_t ctx[ hmac_ctxsize ( digest ) ];
2963
2964 tls_hmac_init ( cipherspec, ctx, authhdr );
2965 tls_hmac_update ( cipherspec, ctx, data, len );
2966 tls_hmac_final ( cipherspec, ctx, hmac );
2967}
2968
2969/**
2970 * Calculate HMAC over list of I/O buffers
2971 *
2972 * @v cipherspec Cipher specification
2973 * @v authhdr Authentication header
2974 * @v list List of I/O buffers
2975 * @v mac HMAC to fill in
2976 */
2977static void tls_hmac_list ( struct tls_cipherspec *cipherspec,
2978 struct tls_auth_header *authhdr,
2979 struct list_head *list, void *hmac ) {
2980 struct digest_algorithm *digest = cipherspec->suite->digest;
2981 uint8_t ctx[ hmac_ctxsize ( digest ) ];
2982 struct io_buffer *iobuf;
2983
2984 tls_hmac_init ( cipherspec, ctx, authhdr );
2985 list_for_each_entry ( iobuf, list, list ) {
2986 tls_hmac_update ( cipherspec, ctx, iobuf->data,
2987 iob_len ( iobuf ) );
2988 }
2989 tls_hmac_final ( cipherspec, ctx, hmac );
2990}
2991
2992/**
2993 * Calculate maximum additional length required for transmitted record(s)
2994 *
2995 * @v tls TLS connection
2996 * @v len I/O buffer payload length
2997 * @ret reserve Maximum additional length to reserve
2998 */
2999static size_t tls_iob_reserved ( struct tls_connection *tls, size_t len ) {
3000 struct tls_cipherspec *cipherspec = &tls->tx.cipherspec.active;
3001 struct tls_cipher_suite *suite = cipherspec->suite;
3002 struct cipher_algorithm *cipher = suite->cipher;
3003 struct tls_header *tlshdr;
3004 unsigned int count;
3005 size_t each;
3006
3007 /* Calculate number of records (allowing for zero-length records) */
3008 count = ( len ? ( ( len + TLS_TX_BUFSIZE - 1 ) / TLS_TX_BUFSIZE ) : 1 );
3009
3010 /* Calculate maximum additional length per record */
3011 each = ( sizeof ( *tlshdr ) + suite->record_iv_len + suite->mac_len +
3012 ( is_block_cipher ( cipher ) ? cipher->blocksize : 0 ) +
3013 cipher->authsize );
3014
3015 /* Calculate maximum total additional length */
3016 return ( count * each );
3017}
3018
3019/**
3020 * Allocate I/O buffer for transmitted record(s)
3021 *
3022 * @v tls TLS connection
3023 * @v len I/O buffer payload length
3024 * @ret iobuf I/O buffer
3025 */
3026static struct io_buffer * tls_alloc_iob ( struct tls_connection *tls,
3027 size_t len ) {
3028 struct io_buffer *iobuf;
3029 size_t reserve;
3030
3031 /* Calculate maximum additional length to reserve */
3032 reserve = tls_iob_reserved ( tls, len );
3033
3034 /* Allocate I/O buffer */
3035 iobuf = xfer_alloc_iob ( &tls->cipherstream, ( reserve + len ) );
3036 if ( ! iobuf )
3037 return NULL;
3038
3039 /* Reserve space */
3040 iob_reserve ( iobuf, reserve );
3041
3042 return iobuf;
3043}
3044
3045/**
3046 * Send plaintext record(s)
3047 *
3048 * @v tls TLS connection
3049 * @v type Record type
3050 * @v iobuf I/O buffer
3051 * @ret rc Return status code
3052 */
3053static int tls_send_record ( struct tls_connection *tls, unsigned int type,
3054 struct io_buffer *iobuf ) {
3055 struct tls_cipherspec *cipherspec = &tls->tx.cipherspec.active;
3056 struct tls_cipher_suite *suite = cipherspec->suite;
3057 struct cipher_algorithm *cipher = suite->cipher;
3058 struct digest_algorithm *digest = suite->digest;
3059 struct {
3060 uint8_t fixed[suite->fixed_iv_len];
3061 uint8_t rec[suite->record_iv_len];
3062 } __attribute__ (( packed )) iv;
3063 struct tls_auth_header authhdr;
3064 struct tls_header *tlshdr;
3065 uint8_t mac[digest->digestsize];
3066 const void *plaintext;
3067 const void *encrypt;
3068 void *ciphertext;
3069 size_t record_len;
3070 size_t encrypt_len;
3071 size_t pad_len;
3072 size_t len;
3073 int rc;
3074
3075 /* Record plaintext pointer and length */
3076 plaintext = iobuf->data;
3077 len = iob_len ( iobuf );
3078
3079 /* Add to handshake digest if applicable */
3080 if ( type == TLS_TYPE_HANDSHAKE )
3081 tls_add_handshake ( tls, plaintext, len );
3082
3083 /* Start constructing ciphertext at start of reserved space */
3084 iob_push ( iobuf, tls_iob_reserved ( tls, len ) );
3085 iob_unput ( iobuf, iob_len ( iobuf ) );
3086
3087 /* Construct records */
3088 do {
3089 /* Limit length of this record (may be zero) */
3090 record_len = len;
3091 if ( record_len > TLS_TX_BUFSIZE )
3092 record_len = TLS_TX_BUFSIZE;
3093
3094 /* Construct and set initialisation vector */
3095 memcpy ( iv.fixed, cipherspec->fixed_iv, sizeof ( iv.fixed ) );
3096 if ( ( rc = tls_generate_random ( tls, iv.rec,
3097 sizeof ( iv.rec ) ) ) != 0 ) {
3098 goto err_random;
3099 }
3100 cipher_setiv ( cipher, cipherspec->cipher_ctx, &iv,
3101 sizeof ( iv ) );
3102
3103 /* Construct and process authentication data */
3104 authhdr.seq = cpu_to_be64 ( tls->tx.seq );
3105 authhdr.header.type = type;
3106 authhdr.header.version = htons ( tls->version );
3107 authhdr.header.length = htons ( record_len );
3108 if ( suite->mac_len ) {
3109 tls_hmac ( cipherspec, &authhdr, plaintext, record_len,
3110 mac );
3111 }
3112 if ( is_auth_cipher ( cipher ) ) {
3113 cipher_encrypt ( cipher, cipherspec->cipher_ctx,
3114 &authhdr, NULL, sizeof ( authhdr ) );
3115 }
3116
3117 /* Calculate encryption length */
3118 encrypt_len = ( record_len + suite->mac_len );
3119 if ( is_block_cipher ( cipher ) ) {
3120 pad_len = ( ( ( cipher->blocksize - 1 ) &
3121 -( encrypt_len + 1 ) ) + 1 );
3122 } else {
3123 pad_len = 0;
3124 }
3125 encrypt_len += pad_len;
3126
3127 /* Add record header */
3128 tlshdr = iob_put ( iobuf, sizeof ( *tlshdr ) );
3129 tlshdr->type = type;
3130 tlshdr->version = htons ( tls->version );
3131 tlshdr->length = htons ( sizeof ( iv.rec ) + encrypt_len +
3132 cipher->authsize );
3133
3134 /* Add record initialisation vector, if applicable */
3135 memcpy ( iob_put ( iobuf, sizeof ( iv.rec ) ), iv.rec,
3136 sizeof ( iv.rec ) );
3137
3138 /* Copy plaintext data if necessary */
3139 ciphertext = iob_put ( iobuf, record_len );
3140 assert ( ciphertext <= plaintext );
3141 if ( encrypt_len > record_len ) {
3142 memmove ( ciphertext, plaintext, record_len );
3143 encrypt = ciphertext;
3144 } else {
3145 encrypt = plaintext;
3146 }
3147
3148 /* Add MAC, if applicable */
3149 memcpy ( iob_put ( iobuf, suite->mac_len ), mac,
3150 suite->mac_len );
3151
3152 /* Add padding, if applicable */
3153 memset ( iob_put ( iobuf, pad_len ), ( pad_len - 1 ), pad_len );
3154
3155 /* Encrypt data and append authentication tag */
3156 DBGC2 ( tls, "Sending plaintext data:\n" );
3157 DBGC2_HDA ( tls, 0, encrypt, encrypt_len );
3158 cipher_encrypt ( cipher, cipherspec->cipher_ctx, encrypt,
3159 ciphertext, encrypt_len );
3160 cipher_auth ( cipher, cipherspec->cipher_ctx,
3161 iob_put ( iobuf, cipher->authsize ) );
3162
3163 /* Move to next record */
3164 tls->tx.seq += 1;
3165 plaintext += record_len;
3166 len -= record_len;
3167
3168 } while ( len );
3169
3170 /* Send ciphertext */
3171 if ( ( rc = xfer_deliver_iob ( &tls->cipherstream,
3172 iob_disown ( iobuf ) ) ) != 0 ) {
3173 DBGC ( tls, "TLS %p could not deliver ciphertext: %s\n",
3174 tls, strerror ( rc ) );
3175 goto err_deliver;
3176 }
3177
3178 assert ( iobuf == NULL );
3179 return 0;
3180
3181 err_deliver:
3182 err_random:
3183 free_iob ( iobuf );
3184 return rc;
3185}
3186
3187/**
3188 * Send plaintext record
3189 *
3190 * @v tls TLS connection
3191 * @v type Record type
3192 * @v data Plaintext record
3193 * @v len Length of plaintext record
3194 * @ret rc Return status code
3195 */
3196static int tls_send_plaintext ( struct tls_connection *tls, unsigned int type,
3197 const void *data, size_t len ) {
3198 struct io_buffer *iobuf;
3199 int rc;
3200
3201 /* Allocate I/O buffer */
3202 iobuf = tls_alloc_iob ( tls, len );
3203 if ( ! iobuf )
3204 return -ENOMEM_TX_PLAINTEXT;
3205 memcpy ( iob_put ( iobuf, len ), data, len );
3206
3207 /* Transmit I/O buffer */
3208 if ( ( rc = tls_send_record ( tls, type, iob_disown ( iobuf ) ) ) != 0 )
3209 return rc;
3210
3211 return 0;
3212}
3213
3214/**
3215 * Verify block padding
3216 *
3217 * @v tls TLS connection
3218 * @v iobuf Last received I/O buffer
3219 * @ret len Padding length, or negative error
3220 * @ret rc Return status code
3221 */
3222static int tls_verify_padding ( struct tls_connection *tls,
3223 struct io_buffer *iobuf ) {
3224 uint8_t *padding;
3225 unsigned int pad;
3226 unsigned int i;
3227 size_t len;
3228
3229 /* Extract and verify padding */
3230 padding = ( iobuf->tail - 1 );
3231 pad = *padding;
3232 len = ( pad + 1 );
3233 if ( len > iob_len ( iobuf ) ) {
3234 DBGC ( tls, "TLS %p received underlength padding\n", tls );
3235 DBGC_HD ( tls, iobuf->data, iob_len ( iobuf ) );
3236 return -EINVAL_PADDING;
3237 }
3238 for ( i = 0 ; i < pad ; i++ ) {
3239 if ( *(--padding) != pad ) {
3240 DBGC ( tls, "TLS %p received bad padding\n", tls );
3241 DBGC_HD ( tls, iobuf->data, iob_len ( iobuf ) );
3242 return -EINVAL_PADDING;
3243 }
3244 }
3245
3246 return len;
3247}
3248
3249/**
3250 * Receive new ciphertext record
3251 *
3252 * @v tls TLS connection
3253 * @v tlshdr Record header
3254 * @v rx_data List of received data buffers
3255 * @ret rc Return status code
3256 */
3257static int tls_new_ciphertext ( struct tls_connection *tls,
3258 struct tls_header *tlshdr,
3259 struct list_head *rx_data ) {
3260 struct tls_cipherspec *cipherspec = &tls->rx.cipherspec.active;
3261 struct tls_cipher_suite *suite = cipherspec->suite;
3262 struct cipher_algorithm *cipher = suite->cipher;
3263 struct digest_algorithm *digest = suite->digest;
3264 size_t len = ntohs ( tlshdr->length );
3265 struct {
3266 uint8_t fixed[suite->fixed_iv_len];
3267 uint8_t record[suite->record_iv_len];
3268 } __attribute__ (( packed )) iv;
3269 struct tls_auth_header authhdr;
3270 uint8_t verify_mac[digest->digestsize];
3271 uint8_t verify_auth[cipher->authsize];
3272 struct io_buffer *first;
3273 struct io_buffer *last;
3274 struct io_buffer *iobuf;
3275 void *mac;
3276 void *auth;
3277 size_t check_len;
3278 int pad_len;
3279 int rc;
3280
3281 /* Locate first and last data buffers */
3282 assert ( ! list_empty ( rx_data ) );
3283 first = list_first_entry ( rx_data, struct io_buffer, list );
3284 last = list_last_entry ( rx_data, struct io_buffer, list );
3285
3286 /* Extract initialisation vector */
3287 if ( iob_len ( first ) < sizeof ( iv.record ) ) {
3288 DBGC ( tls, "TLS %p received underlength IV\n", tls );
3289 DBGC_HD ( tls, first->data, iob_len ( first ) );
3290 return -EINVAL_IV;
3291 }
3292 memcpy ( iv.fixed, cipherspec->fixed_iv, sizeof ( iv.fixed ) );
3293 memcpy ( iv.record, first->data, sizeof ( iv.record ) );
3294 iob_pull ( first, sizeof ( iv.record ) );
3295 len -= sizeof ( iv.record );
3296
3297 /* Extract unencrypted authentication tag */
3298 if ( iob_len ( last ) < cipher->authsize ) {
3299 DBGC ( tls, "TLS %p received underlength authentication tag\n",
3300 tls );
3301 DBGC_HD ( tls, last->data, iob_len ( last ) );
3302 return -EINVAL_MAC;
3303 }
3304 iob_unput ( last, cipher->authsize );
3305 len -= cipher->authsize;
3306 auth = last->tail;
3307
3308 /* Construct authentication data */
3309 authhdr.seq = cpu_to_be64 ( tls->rx.seq );
3310 authhdr.header.type = tlshdr->type;
3311 authhdr.header.version = tlshdr->version;
3312 authhdr.header.length = htons ( len );
3313
3314 /* Set initialisation vector */
3315 cipher_setiv ( cipher, cipherspec->cipher_ctx, &iv, sizeof ( iv ) );
3316
3317 /* Process authentication data, if applicable */
3318 if ( is_auth_cipher ( cipher ) ) {
3319 cipher_decrypt ( cipher, cipherspec->cipher_ctx, &authhdr,
3320 NULL, sizeof ( authhdr ) );
3321 }
3322
3323 /* Decrypt the received data */
3324 check_len = 0;
3325 list_for_each_entry ( iobuf, &tls->rx.data, list ) {
3326 cipher_decrypt ( cipher, cipherspec->cipher_ctx,
3327 iobuf->data, iobuf->data, iob_len ( iobuf ) );
3328 check_len += iob_len ( iobuf );
3329 }
3330 assert ( check_len == len );
3331
3332 /* Strip block padding, if applicable */
3333 if ( is_block_cipher ( cipher ) ) {
3334 pad_len = tls_verify_padding ( tls, last );
3335 if ( pad_len < 0 ) {
3336 /* Assume zero padding length to avoid timing attacks */
3337 pad_len = 0;
3338 }
3339 iob_unput ( last, pad_len );
3340 len -= pad_len;
3341 }
3342
3343 /* Extract decrypted MAC */
3344 if ( iob_len ( last ) < suite->mac_len ) {
3345 DBGC ( tls, "TLS %p received underlength MAC\n", tls );
3346 DBGC_HD ( tls, last->data, iob_len ( last ) );
3347 return -EINVAL_MAC;
3348 }
3349 iob_unput ( last, suite->mac_len );
3350 len -= suite->mac_len;
3351 mac = last->tail;
3352
3353 /* Dump received data */
3354 DBGC2 ( tls, "Received plaintext data:\n" );
3355 check_len = 0;
3356 list_for_each_entry ( iobuf, rx_data, list ) {
3357 DBGC2_HD ( tls, iobuf->data, iob_len ( iobuf ) );
3358 check_len += iob_len ( iobuf );
3359 }
3360 assert ( check_len == len );
3361
3362 /* Generate MAC */
3363 authhdr.header.length = htons ( len );
3364 if ( suite->mac_len )
3365 tls_hmac_list ( cipherspec, &authhdr, rx_data, verify_mac );
3366
3367 /* Generate authentication tag */
3368 cipher_auth ( cipher, cipherspec->cipher_ctx, verify_auth );
3369
3370 /* Verify MAC */
3371 if ( memcmp ( mac, verify_mac, suite->mac_len ) != 0 ) {
3372 DBGC ( tls, "TLS %p failed MAC verification\n", tls );
3373 return -EINVAL_MAC;
3374 }
3375
3376 /* Verify authentication tag */
3377 if ( memcmp ( auth, verify_auth, cipher->authsize ) != 0 ) {
3378 DBGC ( tls, "TLS %p failed authentication tag verification\n",
3379 tls );
3380 return -EINVAL_MAC;
3381 }
3382
3383 /* Process plaintext record */
3384 if ( ( rc = tls_new_record ( tls, tlshdr->type, rx_data ) ) != 0 )
3385 return rc;
3386
3387 return 0;
3388}
3389
3390/******************************************************************************
3391 *
3392 * Plaintext stream operations
3393 *
3394 ******************************************************************************
3395 */
3396
3397/**
3398 * Check flow control window
3399 *
3400 * @v tls TLS connection
3401 * @ret len Length of window
3402 */
3403static size_t tls_plainstream_window ( struct tls_connection *tls ) {
3404
3405 /* Block window unless we are ready to accept data */
3406 if ( ! tls_ready ( tls ) )
3407 return 0;
3408
3409 return xfer_window ( &tls->cipherstream );
3410}
3411
3412/**
3413 * Deliver datagram as raw data
3414 *
3415 * @v tls TLS connection
3416 * @v iobuf I/O buffer
3417 * @v meta Data transfer metadata
3418 * @ret rc Return status code
3419 */
3420static int tls_plainstream_deliver ( struct tls_connection *tls,
3421 struct io_buffer *iobuf,
3422 struct xfer_metadata *meta __unused ) {
3423 int rc;
3424
3425 /* Refuse unless we are ready to accept data */
3426 if ( ! tls_ready ( tls ) ) {
3427 rc = -ENOTCONN;
3428 goto done;
3429 }
3430
3431 /* Send data record */
3432 if ( ( rc = tls_send_record ( tls, TLS_TYPE_DATA,
3433 iob_disown ( iobuf ) ) ) != 0 )
3434 goto done;
3435
3436 done:
3437 free_iob ( iobuf );
3438 return rc;
3439}
3440
3441/**
3442 * Report job progress
3443 *
3444 * @v tls TLS connection
3445 * @v progress Progress report to fill in
3446 * @ret ongoing_rc Ongoing job status code (if known)
3447 */
3448static int tls_progress ( struct tls_connection *tls,
3449 struct job_progress *progress ) {
3450
3451 /* Return cipherstream or validator progress as applicable */
3452 if ( is_pending ( &tls->server.validation ) ) {
3453 return job_progress ( &tls->server.validator, progress );
3454 } else {
3455 return job_progress ( &tls->cipherstream, progress );
3456 }
3457}
3458
3459/** TLS plaintext stream interface operations */
3469
3470/** TLS plaintext stream interface descriptor */
3471static struct interface_descriptor tls_plainstream_desc =
3472 INTF_DESC_PASSTHRU ( struct tls_connection, plainstream,
3473 tls_plainstream_ops, cipherstream );
3474
3475/******************************************************************************
3476 *
3477 * Ciphertext stream operations
3478 *
3479 ******************************************************************************
3480 */
3481
3482/**
3483 * Handle received TLS header
3484 *
3485 * @v tls TLS connection
3486 * @ret rc Returned status code
3487 */
3488static int tls_newdata_process_header ( struct tls_connection *tls ) {
3489 struct tls_cipherspec *cipherspec = &tls->rx.cipherspec.active;
3490 struct cipher_algorithm *cipher = cipherspec->suite->cipher;
3491 size_t iv_len = cipherspec->suite->record_iv_len;
3492 size_t data_len = ntohs ( tls->rx.header.length );
3493 size_t remaining = data_len;
3494 size_t frag_len;
3495 size_t reserve;
3496 struct io_buffer *iobuf;
3497 struct io_buffer *tmp;
3498 int rc;
3499
3500 /* Sanity check */
3501 assert ( ( TLS_RX_BUFSIZE % cipher->alignsize ) == 0 );
3502
3503 /* Calculate alignment reservation at start of first data buffer */
3504 reserve = ( ( -iv_len ) & ( cipher->alignsize - 1 ) );
3505 remaining += reserve;
3506
3507 /* Allocate data buffers now that we know the length */
3508 assert ( list_empty ( &tls->rx.data ) );
3509 while ( remaining ) {
3510
3511 /* Calculate fragment length. Ensure that no block is
3512 * smaller than TLS_RX_MIN_BUFSIZE (by increasing the
3513 * allocation length if necessary).
3514 */
3515 frag_len = remaining;
3516 if ( frag_len > TLS_RX_BUFSIZE )
3517 frag_len = TLS_RX_BUFSIZE;
3518 remaining -= frag_len;
3519 if ( remaining < TLS_RX_MIN_BUFSIZE ) {
3520 frag_len += remaining;
3521 remaining = 0;
3522 }
3523
3524 /* Allocate buffer */
3525 iobuf = alloc_iob_raw ( frag_len, TLS_RX_ALIGN, 0 );
3526 if ( ! iobuf ) {
3527 DBGC ( tls, "TLS %p could not allocate %zd of %zd "
3528 "bytes for receive buffer\n", tls,
3529 remaining, data_len );
3530 rc = -ENOMEM_RX_DATA;
3531 goto err;
3532 }
3533
3534 /* Ensure tailroom is exactly what we asked for. This
3535 * will result in unaligned I/O buffers when the
3536 * fragment length is unaligned, which can happen only
3537 * before we switch to using a block cipher.
3538 */
3539 iob_reserve ( iobuf, ( iob_tailroom ( iobuf ) - frag_len ) );
3540
3541 /* Ensure first buffer length will be aligned to a
3542 * multiple of the cipher alignment size after
3543 * stripping the record IV.
3544 */
3545 iob_reserve ( iobuf, reserve );
3546 reserve = 0;
3547
3548 /* Add I/O buffer to list */
3549 list_add_tail ( &iobuf->list, &tls->rx.data );
3550 }
3551
3552 /* Move to data state */
3553 tls->rx.state = TLS_RX_DATA;
3554
3555 return 0;
3556
3557 err:
3558 list_for_each_entry_safe ( iobuf, tmp, &tls->rx.data, list ) {
3559 list_del ( &iobuf->list );
3560 free_iob ( iobuf );
3561 }
3562 return rc;
3563}
3564
3565/**
3566 * Handle received TLS data payload
3567 *
3568 * @v tls TLS connection
3569 * @ret rc Returned status code
3570 */
3571static int tls_newdata_process_data ( struct tls_connection *tls ) {
3572 struct io_buffer *iobuf;
3573 int rc;
3574
3575 /* Move current buffer to end of list */
3576 iobuf = list_first_entry ( &tls->rx.data, struct io_buffer, list );
3577 list_del ( &iobuf->list );
3578 list_add_tail ( &iobuf->list, &tls->rx.data );
3579
3580 /* Continue receiving data if any space remains */
3581 iobuf = list_first_entry ( &tls->rx.data, struct io_buffer, list );
3582 if ( iob_tailroom ( iobuf ) )
3583 return 0;
3584
3585 /* Process record */
3586 if ( ( rc = tls_new_ciphertext ( tls, &tls->rx.header,
3587 &tls->rx.data ) ) != 0 )
3588 return rc;
3589
3590 /* Increment RX sequence number */
3591 tls->rx.seq += 1;
3592
3593 /* Return to header state */
3594 assert ( list_empty ( &tls->rx.data ) );
3595 tls->rx.state = TLS_RX_HEADER;
3596 iob_unput ( &tls->rx.iobuf, sizeof ( tls->rx.header ) );
3597
3598 return 0;
3599}
3600
3601/**
3602 * Check flow control window
3603 *
3604 * @v tls TLS connection
3605 * @ret len Length of window
3606 */
3607static size_t tls_cipherstream_window ( struct tls_connection *tls ) {
3608
3609 /* Open window until we are ready to accept data */
3610 if ( ! tls_ready ( tls ) )
3611 return -1UL;
3612
3613 return xfer_window ( &tls->plainstream );
3614}
3615
3616/**
3617 * Receive new ciphertext
3618 *
3619 * @v tls TLS connection
3620 * @v iobuf I/O buffer
3621 * @v meta Data transfer metadat
3622 * @ret rc Return status code
3623 */
3624static int tls_cipherstream_deliver ( struct tls_connection *tls,
3625 struct io_buffer *iobuf,
3626 struct xfer_metadata *xfer __unused ) {
3627 size_t frag_len;
3628 int ( * process ) ( struct tls_connection *tls );
3629 struct io_buffer *dest;
3630 int rc;
3631
3632 while ( iob_len ( iobuf ) ) {
3633
3634 /* Select buffer according to current state */
3635 switch ( tls->rx.state ) {
3636 case TLS_RX_HEADER:
3637 dest = &tls->rx.iobuf;
3638 process = tls_newdata_process_header;
3639 break;
3640 case TLS_RX_DATA:
3641 dest = list_first_entry ( &tls->rx.data,
3642 struct io_buffer, list );
3643 assert ( dest != NULL );
3644 process = tls_newdata_process_data;
3645 break;
3646 default:
3647 assert ( 0 );
3648 rc = -EINVAL_RX_STATE;
3649 goto done;
3650 }
3651
3652 /* Copy data portion to buffer */
3653 frag_len = iob_len ( iobuf );
3654 if ( frag_len > iob_tailroom ( dest ) )
3655 frag_len = iob_tailroom ( dest );
3656 memcpy ( iob_put ( dest, frag_len ), iobuf->data, frag_len );
3657 iob_pull ( iobuf, frag_len );
3658
3659 /* Process data if buffer is now full */
3660 if ( iob_tailroom ( dest ) == 0 ) {
3661 if ( ( rc = process ( tls ) ) != 0 ) {
3662 tls_close ( tls, rc );
3663 goto done;
3664 }
3665 }
3666 }
3667 rc = 0;
3668
3669 done:
3670 free_iob ( iobuf );
3671 return rc;
3672}
3673
3674/** TLS ciphertext stream interface operations */
3684
3685/** TLS ciphertext stream interface descriptor */
3686static struct interface_descriptor tls_cipherstream_desc =
3687 INTF_DESC_PASSTHRU ( struct tls_connection, cipherstream,
3688 tls_cipherstream_ops, plainstream );
3689
3690/******************************************************************************
3691 *
3692 * Certificate validator
3693 *
3694 ******************************************************************************
3695 */
3696
3697/**
3698 * Handle certificate validation completion
3699 *
3700 * @v tls TLS connection
3701 * @v rc Reason for completion
3702 */
3703static void tls_validator_done ( struct tls_connection *tls, int rc ) {
3704 struct tls_session *session = tls->session;
3705 struct x509_certificate *cert;
3706
3707 /* Mark validation as complete */
3708 pending_put ( &tls->server.validation );
3709
3710 /* Close validator interface */
3711 intf_restart ( &tls->server.validator, rc );
3712
3713 /* Check for validation failure */
3714 if ( rc != 0 ) {
3715 DBGC ( tls, "TLS %p certificate validation failed: %s\n",
3716 tls, strerror ( rc ) );
3717 goto err;
3718 }
3719 DBGC ( tls, "TLS %p certificate validation succeeded\n", tls );
3720
3721 /* Extract first certificate */
3722 cert = x509_first ( tls->server.chain );
3723 assert ( cert != NULL );
3724
3725 /* Verify server name */
3726 if ( ( rc = x509_check_name ( cert, session->name ) ) != 0 ) {
3727 DBGC ( tls, "TLS %p server certificate does not match %s: %s\n",
3728 tls, session->name, strerror ( rc ) );
3729 goto err;
3730 }
3731
3732 /* Extract the now trusted server public key */
3733 memcpy ( &tls->server.key, &cert->subject.public_key.raw,
3734 sizeof ( tls->server.key ) );
3735
3736 /* Schedule transmission of applicable handshake messages */
3737 tls->tx.pending |= ( TLS_TX_CLIENT_KEY_EXCHANGE |
3738 TLS_TX_CHANGE_CIPHER |
3739 TLS_TX_FINISHED );
3740 if ( tls->client.chain ) {
3741 tls->tx.pending |= TLS_TX_CERTIFICATE;
3742 if ( ! list_empty ( &tls->client.chain->links ) )
3743 tls->tx.pending |= TLS_TX_CERTIFICATE_VERIFY;
3744 }
3745 tls_tx_resume ( tls );
3746
3747 return;
3748
3749 err:
3750 tls_close ( tls, rc );
3751 return;
3752}
3753
3754/** TLS certificate validator interface operations */
3758
3759/** TLS certificate validator interface descriptor */
3760static struct interface_descriptor tls_validator_desc =
3761 INTF_DESC ( struct tls_connection, server.validator,
3762 tls_validator_ops );
3763
3764/******************************************************************************
3765 *
3766 * Controlling process
3767 *
3768 ******************************************************************************
3769 */
3770
3771/**
3772 * TLS TX state machine
3773 *
3774 * @v tls TLS connection
3775 */
3776static void tls_tx_step ( struct tls_connection *tls ) {
3777 struct tls_session *session = tls->session;
3778 struct tls_connection *conn;
3779 int rc;
3780
3781 /* Wait for cipherstream to become ready */
3782 if ( ! xfer_window ( &tls->cipherstream ) )
3783 return;
3784
3785 /* Send first pending transmission */
3786 if ( tls->tx.pending & TLS_TX_CLIENT_HELLO ) {
3787 /* Serialise server negotiations within a session, to
3788 * provide a consistent view of session IDs and
3789 * session tickets.
3790 */
3791 list_for_each_entry ( conn, &session->conn, list ) {
3792 if ( conn == tls )
3793 break;
3794 if ( is_pending ( &conn->server.negotiation ) )
3795 return;
3796 }
3797 /* Record or generate session ID and associated master secret */
3798 if ( session->id_len ) {
3799 /* Attempt to resume an existing session */
3800 memcpy ( tls->session_id, session->id,
3801 sizeof ( tls->session_id ) );
3802 tls->session_id_len = session->id_len;
3803 memcpy ( tls->master_secret, session->master_secret,
3804 sizeof ( tls->master_secret ) );
3805 } else {
3806 /* No existing session: use a random session ID */
3807 assert ( sizeof ( tls->session_id ) ==
3808 sizeof ( tls->client.random ) );
3809 memcpy ( tls->session_id, &tls->client.random,
3810 sizeof ( tls->session_id ) );
3811 tls->session_id_len = sizeof ( tls->session_id );
3812 }
3813 /* Send Client Hello */
3814 if ( ( rc = tls_send_client_hello ( tls ) ) != 0 ) {
3815 DBGC ( tls, "TLS %p could not send Client Hello: %s\n",
3816 tls, strerror ( rc ) );
3817 goto err;
3818 }
3819 tls->tx.pending &= ~TLS_TX_CLIENT_HELLO;
3820 } else if ( tls->tx.pending & TLS_TX_CERTIFICATE ) {
3821 /* Send Certificate */
3822 if ( ( rc = tls_send_certificate ( tls ) ) != 0 ) {
3823 DBGC ( tls, "TLS %p cold not send Certificate: %s\n",
3824 tls, strerror ( rc ) );
3825 goto err;
3826 }
3827 tls->tx.pending &= ~TLS_TX_CERTIFICATE;
3828 } else if ( tls->tx.pending & TLS_TX_CLIENT_KEY_EXCHANGE ) {
3829 /* Send Client Key Exchange */
3830 if ( ( rc = tls_send_client_key_exchange ( tls ) ) != 0 ) {
3831 DBGC ( tls, "TLS %p could not send Client Key "
3832 "Exchange: %s\n", tls, strerror ( rc ) );
3833 goto err;
3834 }
3835 tls->tx.pending &= ~TLS_TX_CLIENT_KEY_EXCHANGE;
3836 } else if ( tls->tx.pending & TLS_TX_CERTIFICATE_VERIFY ) {
3837 /* Send Certificate Verify */
3838 if ( ( rc = tls_send_certificate_verify ( tls ) ) != 0 ) {
3839 DBGC ( tls, "TLS %p could not send Certificate "
3840 "Verify: %s\n", tls, strerror ( rc ) );
3841 goto err;
3842 }
3843 tls->tx.pending &= ~TLS_TX_CERTIFICATE_VERIFY;
3844 } else if ( tls->tx.pending & TLS_TX_CHANGE_CIPHER ) {
3845 /* Send Change Cipher, and then change the cipher in use */
3846 if ( ( rc = tls_send_change_cipher ( tls ) ) != 0 ) {
3847 DBGC ( tls, "TLS %p could not send Change Cipher: "
3848 "%s\n", tls, strerror ( rc ) );
3849 goto err;
3850 }
3851 if ( ( rc = tls_change_cipher ( tls,
3852 &tls->tx.cipherspec ) ) != 0 ){
3853 DBGC ( tls, "TLS %p could not activate TX cipher: "
3854 "%s\n", tls, strerror ( rc ) );
3855 goto err;
3856 }
3857 tls->tx.seq = 0;
3858 tls->tx.pending &= ~TLS_TX_CHANGE_CIPHER;
3859 } else if ( tls->tx.pending & TLS_TX_FINISHED ) {
3860 /* Send Finished */
3861 if ( ( rc = tls_send_finished ( tls ) ) != 0 ) {
3862 DBGC ( tls, "TLS %p could not send Finished: %s\n",
3863 tls, strerror ( rc ) );
3864 goto err;
3865 }
3866 tls->tx.pending &= ~TLS_TX_FINISHED;
3867 }
3868
3869 /* Reschedule process if pending transmissions remain,
3870 * otherwise send notification of a window change.
3871 */
3872 if ( tls->tx.pending ) {
3873 tls_tx_resume ( tls );
3874 } else {
3875 xfer_window_changed ( &tls->plainstream );
3876 }
3877
3878 return;
3879
3880 err:
3881 tls_close ( tls, rc );
3882}
3883
3884/** TLS TX process descriptor */
3885static struct process_descriptor tls_process_desc =
3886 PROC_DESC_ONCE ( struct tls_connection, tx.process, tls_tx_step );
3887
3888/******************************************************************************
3889 *
3890 * Session management
3891 *
3892 ******************************************************************************
3893 */
3894
3895/**
3896 * Find or create session for TLS connection
3897 *
3898 * @v tls TLS connection
3899 * @v name Server name
3900 * @ret rc Return status code
3901 */
3902static int tls_session ( struct tls_connection *tls, const char *name ) {
3903 struct tls_session *session;
3904 char *name_copy;
3905 int rc;
3906
3907 /* Find existing matching session, if any */
3908 list_for_each_entry ( session, &tls_sessions, list ) {
3909 if ( ( strcmp ( name, session->name ) == 0 ) &&
3910 ( tls->server.root == session->root ) &&
3911 ( tls->client.key == session->key ) ) {
3912 ref_get ( &session->refcnt );
3913 tls->session = session;
3914 DBGC ( tls, "TLS %p joining session %s\n", tls, name );
3915 return 0;
3916 }
3917 }
3918
3919 /* Create new session */
3920 session = zalloc ( sizeof ( *session ) + strlen ( name )
3921 + 1 /* NUL */ );
3922 if ( ! session ) {
3923 rc = -ENOMEM;
3924 goto err_alloc;
3925 }
3926 ref_init ( &session->refcnt, free_tls_session );
3927 name_copy = ( ( ( void * ) session ) + sizeof ( *session ) );
3928 strcpy ( name_copy, name );
3929 session->name = name_copy;
3930 session->root = x509_root_get ( tls->server.root );
3931 session->key = privkey_get ( tls->client.key );
3932 INIT_LIST_HEAD ( &session->conn );
3933 list_add ( &session->list, &tls_sessions );
3934
3935 /* Record session */
3936 tls->session = session;
3937
3938 DBGC ( tls, "TLS %p created session %s\n", tls, name );
3939 return 0;
3940
3941 ref_put ( &session->refcnt );
3942 err_alloc:
3943 return rc;
3944}
3945
3946/******************************************************************************
3947 *
3948 * Instantiator
3949 *
3950 ******************************************************************************
3951 */
3952
3953/**
3954 * Add TLS on an interface
3955 *
3956 * @v xfer Data transfer interface
3957 * @v name Host name
3958 * @v root Root of trust (or NULL to use default)
3959 * @v key Private key (or NULL to use default)
3960 * @ret rc Return status code
3961 */
3962int add_tls ( struct interface *xfer, const char *name,
3963 struct x509_root *root, struct private_key *key ) {
3964 struct tls_connection *tls;
3965 int rc;
3966
3967 /* Allocate and initialise TLS structure */
3968 tls = malloc ( sizeof ( *tls ) );
3969 if ( ! tls ) {
3970 rc = -ENOMEM;
3971 goto err_alloc;
3972 }
3973 memset ( tls, 0, sizeof ( *tls ) );
3974 ref_init ( &tls->refcnt, free_tls );
3975 INIT_LIST_HEAD ( &tls->list );
3976 intf_init ( &tls->plainstream, &tls_plainstream_desc, &tls->refcnt );
3977 intf_init ( &tls->cipherstream, &tls_cipherstream_desc, &tls->refcnt );
3978 intf_init ( &tls->server.validator, &tls_validator_desc, &tls->refcnt );
3979 process_init_stopped ( &tls->tx.process, &tls_process_desc,
3980 &tls->refcnt );
3981 tls->client.key = privkey_get ( key ? key : &private_key );
3982 tls->server.root = x509_root_get ( root ? root : &root_certificates );
3983 tls->version = TLS_VERSION_MAX;
3984 tls_clear_cipher ( tls, &tls->tx.cipherspec.active );
3985 tls_clear_cipher ( tls, &tls->tx.cipherspec.pending );
3986 tls_clear_cipher ( tls, &tls->rx.cipherspec.active );
3987 tls_clear_cipher ( tls, &tls->rx.cipherspec.pending );
3988 tls_clear_handshake ( tls );
3989 tls->client.random.gmt_unix_time = time ( NULL );
3990 iob_populate ( &tls->rx.iobuf, &tls->rx.header, 0,
3991 sizeof ( tls->rx.header ) );
3992 INIT_LIST_HEAD ( &tls->rx.data );
3993 if ( ( rc = tls_generate_random ( tls, &tls->client.random.random,
3994 ( sizeof ( tls->client.random.random ) ) ) ) != 0 ) {
3995 goto err_random;
3996 }
3997 if ( ( rc = tls_session ( tls, name ) ) != 0 )
3998 goto err_session;
3999 list_add_tail ( &tls->list, &tls->session->conn );
4000
4001 /* Start negotiation */
4002 tls_restart ( tls );
4003
4004 /* Attach to parent interface, mortalise self, and return */
4005 intf_insert ( xfer, &tls->plainstream, &tls->cipherstream );
4006 ref_put ( &tls->refcnt );
4007 return 0;
4008
4009 err_session:
4010 err_random:
4011 ref_put ( &tls->refcnt );
4012 err_alloc:
4013 return rc;
4014}
4015
4016/* Drag in objects via add_tls() */
4017REQUIRING_SYMBOL ( add_tls );
4018
4019/* Drag in crypto configuration */
4020REQUIRE_OBJECT ( config_crypto );
NULL
#define NULL
NULL pointer (VOID *)
Definition Base.h:322
key
union @162305117151260234136356364136041353210355154177 key
Sense key.
Definition scsi.h:3
ctx
struct golan_eq_context ctx
Definition CIB_PRM.h:0
sig
u8 sig
Definition CIB_PRM.h:15
signature
u8 signature
CPU signature.
Definition CIB_PRM.h:7
out
__be32 out[4]
Definition CIB_PRM.h:8
typeof
typeof(acpi_finder=acpi_find)
ACPI table finder.
Definition acpi.c:48
aes.h
AES algorithm.
link
u32 link
Link to next descriptor.
Definition ar9003_mac.h:1
pad
u32 pad[9]
Padding.
Definition ar9003_mac.h:23
rc
struct arbelprm_rc_send_wqe rc
Definition arbel.h:3
value
pseudo_bit_t value[0x00020]
Definition arbel.h:2
hash
pseudo_bit_t hash[0x00010]
Definition arbel.h:2
code
static unsigned int code
Response code.
Definition hyperv.h:26
uint16_t
unsigned short uint16_t
Definition stdint.h:11
uint32_t
unsigned int uint32_t
Definition stdint.h:12
uint64_t
unsigned long long uint64_t
Definition stdint.h:13
uint8_t
unsigned char uint8_t
Definition stdint.h:10
pad_len
long pad_len
Definition bigint.h:31
dest
if(len >=6 *4) __asm__ __volatile__("movsl" if(len >=5 *4) __asm__ __volatile__("movsl" if(len >=4 *4) __asm__ __volatile__("movsl" if(len >=3 *4) __asm__ __volatile__("movsl" if(len >=2 *4) __asm__ __volatile__("movsl" if(len >=1 *4) __asm__ __volatile__("movsl" if((len % 4) >=2) __asm__ __volatile__("movsw" if((len % 2) >=1) __asm__ __volatile__("movsb" retur dest)
Definition string.h:151
asn1_prepend_raw
int asn1_prepend_raw(struct asn1_builder *builder, const void *data, size_t len)
Prepend raw data to ASN.1 builder.
Definition asn1.c:949
assert
#define assert(condition)
Assert a condition at run-time.
Definition assert.h:50
version
u32 version
Driver version.
Definition ath9k_hw.c:1985
name
const char * name
Definition ath9k_hw.c:1986
max
#define max(x, y)
Definition ath.h:41
done
struct bofm_section_header done
Definition bofm_test.c:46
offset
uint16_t offset
Offset to command line.
Definition bzimage.h:3
certstore
struct x509_chain certstore
Certificate store.
Definition certstore.c:90
certstore.h
Certificate store.
crypto.h
Cryptographic configuration.
TLS_VERSION_MIN
#define TLS_VERSION_MIN
Minimum TLS version.
Definition crypto.h:14
cipher_null
struct cipher_algorithm cipher_null
Definition crypto_null.c:84
pubkey_null
struct pubkey_algorithm pubkey_null
Definition crypto_null.c:123
digest_null
struct digest_algorithm digest_null
Definition crypto_null.c:49
dhe_key
int dhe_key(const void *modulus, size_t len, const void *generator, size_t generator_len, const void *partner, size_t partner_len, const void *private, size_t private_len, void *public, void *shared)
Calculate Diffie-Hellman key.
Definition dhe.c:54
dhe.h
Ephemeral Diffie-Hellman key exchange.
next
uint32_t next
Next descriptor address.
Definition dwmac.h:11
len
ring len
Length.
Definition dwmac.h:226
ecdhe_key
int ecdhe_key(struct elliptic_curve *curve, const void *partner, const void *private, void *public, void *shared)
Calculate ECDHE key.
Definition ecdhe.c:47
ecdhe.h
Elliptic Curve Ephemeral Diffie-Hellman (ECDHE) key exchange.
fixed
struct eltorito_descriptor_fixed fixed
Fixed portion.
Definition eltorito.h:1
ext
uint16_t ext
Extended status.
Definition ena.h:9
type
uint32_t type
Operating system type.
Definition ena.h:1
data
uint8_t data[48]
Additional event data.
Definition ena.h:11
spec
uint16_t spec
ENA specification version.
Definition ena.h:15
header
struct ena_llq_option header
Header locations.
Definition ena.h:5
meta
uint8_t meta
Metadata flags.
Definition ena.h:3
mac
uint8_t mac[ETH_ALEN]
MAC address.
Definition ena.h:13
errno.h
Error codes.
__unused
#define __unused
Declare a variable or data structure as unused.
Definition compiler.h:573
DBGC2
#define DBGC2(...)
Definition compiler.h:522
DBGC2_HD
#define DBGC2_HD(...)
Definition compiler.h:524
DBGC_HD
#define DBGC_HD(...)
Definition compiler.h:507
DBGC2_HDA
#define DBGC2_HDA(...)
Definition compiler.h:523
DBGC
#define DBGC(...)
Definition compiler.h:505
DBGC_HDA
#define DBGC_HDA(...)
Definition compiler.h:506
count
static unsigned int count
Number of entries.
Definition dwmac.h:220
FILE_LICENCE
#define FILE_LICENCE(_licence)
Declare a particular licence as applying to a file.
Definition compiler.h:896
REQUIRE_OBJECT
#define REQUIRE_OBJECT(object)
Require an object.
Definition compiler.h:202
ENOMEM
#define ENOMEM
Not enough space.
Definition errno.h:535
ENOTCONN
#define ENOTCONN
The socket is not connected.
Definition errno.h:570
FILE_SECBOOT
#define FILE_SECBOOT(_status)
Declare a file's UEFI Secure Boot permission status.
Definition compiler.h:926
REQUIRING_SYMBOL
#define REQUIRING_SYMBOL(symbol)
Specify the file's requiring symbol.
Definition compiler.h:140
hmac_init
void hmac_init(struct digest_algorithm *digest, void *ctx, const void *key, size_t key_len)
Initialise HMAC.
Definition hmac.c:58
hmac_final
void hmac_final(struct digest_algorithm *digest, void *ctx, void *hmac)
Finalise HMAC.
Definition hmac.c:88
hmac.h
Keyed-Hashing for Message Authentication.
hmac_update
static void hmac_update(struct digest_algorithm *digest, void *ctx, const void *data, size_t len)
Update HMAC.
Definition hmac.h:43
hmac_ctxsize
static size_t hmac_ctxsize(struct digest_algorithm *digest)
Calculate HMAC context size.
Definition hmac.h:29
cpu_to_be16
#define cpu_to_be16(value)
Definition byteswap.h:110
htonl
#define htonl(value)
Definition byteswap.h:134
cpu_to_le32
#define cpu_to_le32(value)
Definition byteswap.h:108
htons
#define htons(value)
Definition byteswap.h:136
ntohs
#define ntohs(value)
Definition byteswap.h:137
cpu_to_be64
#define cpu_to_be64(value)
Definition byteswap.h:112
be16_to_cpu
#define be16_to_cpu(value)
Definition byteswap.h:116
__attribute__
#define __attribute__(x)
Definition compiler.h:10
is_block_cipher
static int is_block_cipher(struct cipher_algorithm *cipher)
Definition crypto.h:277
digest_init
static void digest_init(struct digest_algorithm *digest, void *ctx)
Definition crypto.h:219
cipher_setkey
static int cipher_setkey(struct cipher_algorithm *cipher, void *ctx, const void *key, size_t keylen)
Definition crypto.h:235
digest_final
static void digest_final(struct digest_algorithm *digest, void *ctx, void *out)
Definition crypto.h:230
pubkey_encrypt
static int pubkey_encrypt(struct pubkey_algorithm *pubkey, const struct asn1_cursor *key, const struct asn1_cursor *plaintext, struct asn1_builder *ciphertext)
Definition crypto.h:287
pubkey_verify
static int pubkey_verify(struct pubkey_algorithm *pubkey, const struct asn1_cursor *key, struct digest_algorithm *digest, const void *value, const struct asn1_cursor *signature)
Definition crypto.h:308
digest_update
static void digest_update(struct digest_algorithm *digest, void *ctx, const void *data, size_t len)
Definition crypto.h:224
cipher_setiv
static void cipher_setiv(struct cipher_algorithm *cipher, void *ctx, const void *iv, size_t ivlen)
Definition crypto.h:241
cipher_decrypt
#define cipher_decrypt(cipher, ctx, src, dst, len)
Definition crypto.h:261
is_auth_cipher
static int is_auth_cipher(struct cipher_algorithm *cipher)
Definition crypto.h:282
pubkey_sign
static int pubkey_sign(struct pubkey_algorithm *pubkey, const struct asn1_cursor *key, struct digest_algorithm *digest, const void *value, struct asn1_builder *signature)
Definition crypto.h:301
cipher_encrypt
#define cipher_encrypt(cipher, ctx, src, dst, len)
Definition crypto.h:251
cipher_auth
static void cipher_auth(struct cipher_algorithm *cipher, void *ctx, void *auth)
Definition crypto.h:267
string.h
String functions.
memcpy
void * memcpy(void *dest, const void *src, size_t len) __nonnull
memset
void * memset(void *dest, int character, size_t len) __nonnull
memmove
void * memmove(void *dest, const void *src, size_t len) __nonnull
time.h
Date and time.
intf_close
void intf_close(struct interface *intf, int rc)
Close an object interface.
Definition interface.c:250
intf_shutdown
void intf_shutdown(struct interface *intf, int rc)
Shut down an object interface.
Definition interface.c:279
intf_insert
void intf_insert(struct interface *intf, struct interface *upper, struct interface *lower)
Insert a filter interface.
Definition interface.c:402
intf_restart
void intf_restart(struct interface *intf, int rc)
Shut down and restart an object interface.
Definition interface.c:344
INTF_DESC
#define INTF_DESC(object_type, intf, operations)
Define an object interface descriptor.
Definition interface.h:81
INTF_DESC_PASSTHRU
#define INTF_DESC_PASSTHRU(object_type, intf, operations, passthru)
Define an object interface descriptor with pass-through interface.
Definition interface.h:98
intf_init
static void intf_init(struct interface *intf, struct interface_descriptor *desc, struct refcnt *refcnt)
Initialise an object interface.
Definition interface.h:204
INTF_OP
#define INTF_OP(op_type, object_type, op_func)
Define an object interface operation.
Definition interface.h:33
free_iob
void free_iob(struct io_buffer *iobuf)
Free I/O buffer.
Definition iobuf.c:153
alloc_iob_raw
struct io_buffer * alloc_iob_raw(size_t len, size_t align, size_t offset)
Allocate I/O buffer with specified alignment and offset.
Definition iobuf.c:49
iob_concatenate
struct io_buffer * iob_concatenate(struct list_head *list)
Concatenate I/O buffers into a single buffer.
Definition iobuf.c:250
iobuf.h
I/O buffers.
iob_push
#define iob_push(iobuf, len)
Definition iobuf.h:89
iob_populate
static void iob_populate(struct io_buffer *iobuf, void *data, size_t len, size_t max_len)
Create a temporary I/O buffer.
Definition iobuf.h:195
iob_put
#define iob_put(iobuf, len)
Definition iobuf.h:125
iob_disown
#define iob_disown(iobuf)
Disown an I/O buffer.
Definition iobuf.h:217
iob_len
static size_t iob_len(struct io_buffer *iobuf)
Calculate length of data in an I/O buffer.
Definition iobuf.h:160
iob_reserve
#define iob_reserve(iobuf, len)
Definition iobuf.h:72
iob_pull
#define iob_pull(iobuf, len)
Definition iobuf.h:107
iob_unput
#define iob_unput(iobuf, len)
Definition iobuf.h:140
iob_tailroom
static size_t iob_tailroom(struct io_buffer *iobuf)
Calculate available space at end of an I/O buffer.
Definition iobuf.h:180
job_progress
int job_progress(struct interface *intf, struct job_progress *progress)
Get job progress.
Definition job.c:44
job.h
Job control interfaces.
tmp
unsigned long tmp
Definition linux_pci.h:65
list_first_entry
#define list_first_entry(list, type, member)
Get the container of the first entry in a list.
Definition list.h:334
list_last_entry
#define list_last_entry(list, type, member)
Get the container of the last entry in a list.
Definition list.h:347
list_for_each_entry_safe
#define list_for_each_entry_safe(pos, tmp, head, member)
Iterate over entries in a list, safe against deletion of the current entry.
Definition list.h:459
list_add_tail
#define list_add_tail(new, head)
Add a new entry to the tail of a list.
Definition list.h:94
list_for_each_entry
#define list_for_each_entry(pos, head, member)
Iterate over entries in a list.
Definition list.h:432
list_del
#define list_del(list)
Delete an entry from a list.
Definition list.h:120
INIT_LIST_HEAD
#define INIT_LIST_HEAD(list)
Initialise a list head.
Definition list.h:46
list_empty
#define list_empty(list)
Test whether a list is empty.
Definition list.h:137
LIST_HEAD
#define LIST_HEAD(list)
Declare a static list head.
Definition list.h:38
list_add
#define list_add(new, head)
Add a new entry to the head of a list.
Definition list.h:70
zalloc
void * zalloc(size_t size)
Allocate cleared memory.
Definition malloc.c:662
malloc
void * malloc(size_t size)
Allocate memory.
Definition malloc.c:621
md5_algorithm
struct digest_algorithm md5_algorithm
MD5 algorithm.
Definition md5.c:287
md5.h
MD5 algorithm.
alert
void alert(unsigned int row, const char *fmt,...)
Show alert message.
Definition message.c:104
open.h
Data transfer interface opening.
first
uint32_t first
First block in range.
Definition pccrr.h:1
pending_put
void pending_put(struct pending_operation *pending)
Mark an operation as no longer pending.
Definition pending.c:59
pending_get
void pending_get(struct pending_operation *pending)
Mark an operation as pending.
Definition pending.c:46
pending.h
Pending operations.
is_pending
static int is_pending(struct pending_operation *pending)
Check if an operation is pending.
Definition pending.h:25
privkey.h
Private key.
privkey_cursor
static struct asn1_cursor * privkey_cursor(struct private_key *key)
Get private key ASN.1 cursor.
Definition privkey.h:53
privkey_put
static void privkey_put(struct private_key *key)
Drop reference to private key.
Definition privkey.h:42
privkey_get
static struct private_key * privkey_get(struct private_key *key)
Get reference to private key.
Definition privkey.h:31
process_del
void process_del(struct process *process)
Remove process from process list.
Definition process.c:80
process_add
void process_add(struct process *process)
Add process to process list.
Definition process.c:60
PROC_DESC_ONCE
#define PROC_DESC_ONCE(object_type, process, _step)
Define a process descriptor for a process that runs only once.
Definition process.h:98
process_init_stopped
static void process_init_stopped(struct process *process, struct process_descriptor *desc, struct refcnt *refcnt)
Initialise process without adding to process list.
Definition process.h:146
random
long int random(void)
Generate a pseudo-random number between 0 and 2147483647L or 2147483562?
Definition random.c:32
rbg_generate
int rbg_generate(const void *additional, size_t additional_len, int prediction_resist, void *data, size_t len)
Generate bits using RBG.
Definition rbg.c:117
rbg.h
RBG mechanism.
free
static void(* free)(struct refcnt *refcnt))
Definition refcnt.h:55
ref_get
#define ref_get(refcnt)
Get additional reference to object.
Definition refcnt.h:93
ref_put
#define ref_put(refcnt)
Drop reference to object.
Definition refcnt.h:107
ref_init
#define ref_init(refcnt, free)
Initialise a reference counter.
Definition refcnt.h:65
root_certificates
struct x509_root root_certificates
Root certificates.
Definition rootcert.c:79
rootcert.h
Root certificate store.
rsa.h
RSA public-key cryptography.
__rsa_digestinfo_prefix
#define __rsa_digestinfo_prefix
Declare an RSA digestInfo prefix.
Definition rsa.h:57
sha1_algorithm
struct digest_algorithm sha1_algorithm
SHA-1 algorithm.
Definition sha1.c:258
sha1.h
SHA-1 algorithm.
sha256.h
SHA-256 algorithm.
length
u16 length
Definition sky2.h:1
va_copy
#define va_copy(dest, src)
Definition stdarg.h:11
va_arg
#define va_arg(ap, type)
Definition stdarg.h:9
va_end
#define va_end(ap)
Definition stdarg.h:10
va_start
#define va_start(ap, last)
Definition stdarg.h:8
va_list
__builtin_va_list va_list
Definition stdarg.h:7
container_of
#define container_of(ptr, type, field)
Get containing structure.
Definition stddef.h:36
ENOTSUP_VERSION
#define ENOTSUP_VERSION
Definition stp.c:46
root
struct stp_switch root
Root switch.
Definition stp.h:15
hello
uint16_t hello
Hello time.
Definition stp.h:27
strerror
char * strerror(int errno)
Retrieve string representation of error number.
Definition strerror.c:79
memswap
void * memswap(void *first, void *second, size_t len)
Swap memory regions.
Definition string.c:154
strcmp
int strcmp(const char *first, const char *second)
Compare strings.
Definition string.c:174
memcmp
int memcmp(const void *first, const void *second, size_t len)
Compare memory regions.
Definition string.c:115
strcpy
char * strcpy(char *dest, const char *src)
Copy string.
Definition string.c:347
strlen
size_t strlen(const char *src)
Get length of string.
Definition string.c:244
asn1_algorithm::pubkey
struct pubkey_algorithm * pubkey
Public-key algorithm (if applicable)
Definition asn1.h:414
asn1_builder
An ASN.1 object builder.
Definition asn1.h:29
asn1_builder::data
void * data
Data.
Definition asn1.h:36
asn1_builder::len
size_t len
Length of data.
Definition asn1.h:38
asn1_cursor
An ASN.1 object cursor.
Definition asn1.h:21
asn1_cursor::data
const void * data
Start of data.
Definition asn1.h:23
asn1_cursor::len
size_t len
Length of data.
Definition asn1.h:25
cipher_algorithm
A cipher algorithm.
Definition crypto.h:51
cipher_algorithm::name
const char * name
Algorithm name.
Definition crypto.h:53
cipher_algorithm::blocksize
size_t blocksize
Block size.
Definition crypto.h:61
cipher_algorithm::ctxsize
size_t ctxsize
Context size.
Definition crypto.h:55
cipher_algorithm::authsize
size_t authsize
Authentication tag size.
Definition crypto.h:75
cipher_algorithm::alignsize
size_t alignsize
Alignment size.
Definition crypto.h:73
digest_algorithm
A message digest algorithm.
Definition crypto.h:19
digest_algorithm::digestsize
size_t digestsize
Digest size.
Definition crypto.h:27
digest_algorithm::ctxsize
size_t ctxsize
Context size.
Definition crypto.h:23
digest_algorithm::name
const char * name
Algorithm name.
Definition crypto.h:21
elliptic_curve::name
const char * name
Curve name.
Definition crypto.h:180
elliptic_curve::keysize
size_t keysize
Scalar (and private key) size.
Definition crypto.h:184
elliptic_curve::pointsize
size_t pointsize
Point (and public key) size.
Definition crypto.h:182
interface_descriptor
An object interface descriptor.
Definition interface.h:56
interface_operation
An object interface operation.
Definition interface.h:18
interface
An object interface.
Definition interface.h:125
io_buffer
A persistent I/O buffer.
Definition iobuf.h:38
io_buffer::data
void * data
Start of data.
Definition iobuf.h:53
io_buffer::tail
void * tail
End of data.
Definition iobuf.h:55
io_buffer::list
struct list_head list
List of which this buffer is a member.
Definition iobuf.h:45
job_progress
Job progress.
Definition job.h:16
list_head
A doubly-linked list entry (or list head)
Definition list.h:19
md5_sha1_context
An MD5+SHA1 context.
Definition tls.h:319
md5_sha1_context::sha1
uint8_t sha1[SHA1_CTX_SIZE]
SHA-1 context.
Definition tls.h:323
md5_sha1_context::md5
uint8_t md5[MD5_CTX_SIZE]
MD5 context.
Definition tls.h:321
md5_sha1_digest
An MD5+SHA1 digest.
Definition tls.h:330
md5_sha1_digest::md5
uint8_t md5[MD5_DIGEST_SIZE]
MD5 digest.
Definition tls.h:332
md5_sha1_digest::sha1
uint8_t sha1[SHA1_DIGEST_SIZE]
SHA-1 digest.
Definition tls.h:334
private_key
A private key.
Definition privkey.h:17
process_descriptor
A process descriptor.
Definition process.h:32
process
A process.
Definition process.h:18
pubkey_algorithm
A public key algorithm.
Definition crypto.h:122
pubkey_algorithm::name
const char * name
Algorithm name.
Definition crypto.h:124
refcnt
A reference counter.
Definition refcnt.h:27
rsa_digestinfo_prefix
An RSA digestInfo prefix.
Definition rsa.h:43
tls24_t
A TLS 24-bit integer.
Definition tls.c:222
tls24_t::high
uint8_t high
High byte.
Definition tls.c:224
tls24_t::low
uint16_t low
Low word.
Definition tls.c:226
tls_auth_header
TLS authentication header.
Definition tls.h:155
tls_auth_header::seq
uint64_t seq
Sequence number.
Definition tls.h:157
tls_auth_header::header
struct tls_header header
TLS header.
Definition tls.h:159
tls_cipher_suite
A TLS cipher suite.
Definition tls.h:200
tls_cipher_suite::fixed_iv_len
uint8_t fixed_iv_len
Fixed initialisation vector length.
Definition tls.h:216
tls_cipher_suite::cipher
struct cipher_algorithm * cipher
Bulk encryption cipher algorithm.
Definition tls.h:206
tls_cipher_suite::pubkey
struct pubkey_algorithm * pubkey
Public-key encryption algorithm.
Definition tls.h:204
tls_cipher_suite::key_len
uint8_t key_len
Key length.
Definition tls.h:214
tls_cipher_suite::mac_len
uint8_t mac_len
MAC length.
Definition tls.h:220
tls_cipher_suite::record_iv_len
uint8_t record_iv_len
Record initialisation vector length.
Definition tls.h:218
tls_cipher_suite::digest
struct digest_algorithm * digest
MAC digest algorithm.
Definition tls.h:208
tls_cipher_suite::exchange
struct tls_key_exchange_algorithm * exchange
Key exchange algorithm.
Definition tls.h:202
tls_cipher_suite::code
uint16_t code
Numeric code (in network-endian order)
Definition tls.h:212
tls_cipher_suite::handshake
struct digest_algorithm * handshake
Handshake digest algorithm (for TLSv1.2 and above)
Definition tls.h:210
tls_cipherspec_pair
A TLS cipher specification pair.
Definition tls.h:272
tls_cipherspec_pair::pending
struct tls_cipherspec pending
Next cipher specification.
Definition tls.h:276
tls_cipherspec_pair::active
struct tls_cipherspec active
Current cipher specification.
Definition tls.h:274
tls_cipherspec
A TLS cipher specification.
Definition tls.h:258
tls_cipherspec::fixed_iv
void * fixed_iv
Fixed initialisation vector.
Definition tls.h:268
tls_cipherspec::suite
struct tls_cipher_suite * suite
Cipher suite.
Definition tls.h:260
tls_cipherspec::cipher_ctx
void * cipher_ctx
Bulk encryption cipher context.
Definition tls.h:264
tls_cipherspec::dynamic
void * dynamic
Dynamically-allocated storage.
Definition tls.h:262
tls_cipherspec::mac_secret
void * mac_secret
MAC secret.
Definition tls.h:266
tls_client_random::gmt_unix_time
uint32_t gmt_unix_time
GMT Unix time.
Definition tls.h:313
tls_client_random::random
uint8_t random[28]
Random data.
Definition tls.h:315
tls_client::random
struct tls_client_random random
Random bytes.
Definition tls.h:404
tls_client::key
struct private_key * key
Private key (if used)
Definition tls.h:406
tls_client::chain
struct x509_chain * chain
Certificate chain (if used)
Definition tls.h:408
tls_client::negotiation
struct pending_operation negotiation
Security negotiation pending operation.
Definition tls.h:410
tls_connection
A TLS connection.
Definition tls.h:436
tls_connection::cipherstream
struct interface cipherstream
Ciphertext stream.
Definition tls.h:456
tls_connection::session
struct tls_session * session
Session.
Definition tls.h:441
tls_connection::master_secret
uint8_t master_secret[48]
Master secret.
Definition tls.h:461
tls_connection::server
struct tls_server server
Server state.
Definition tls.h:480
tls_connection::rx
struct tls_rx rx
Receive state.
Definition tls.h:476
tls_connection::handshake_ctx
uint8_t * handshake_ctx
Digest algorithm context used for handshake verification.
Definition tls.h:465
tls_connection::new_session_ticket
void * new_session_ticket
New session ticket.
Definition tls.h:449
tls_connection::verify
struct tls_verify_data verify
Verification data.
Definition tls.h:471
tls_connection::session_id_len
size_t session_id_len
Length of session ID.
Definition tls.h:447
tls_connection::plainstream
struct interface plainstream
Plaintext stream.
Definition tls.h:454
tls_connection::tx
struct tls_tx tx
Transmit state.
Definition tls.h:474
tls_connection::session_id
uint8_t session_id[32]
Session ID.
Definition tls.h:445
tls_connection::extended_master_secret
int extended_master_secret
Extended master secret flag.
Definition tls.h:469
tls_connection::list
struct list_head list
List of connections within the same session.
Definition tls.h:443
tls_connection::client
struct tls_client client
Client state.
Definition tls.h:478
tls_connection::handshake_digest
struct digest_algorithm * handshake_digest
Digest algorithm used for handshake verification.
Definition tls.h:463
tls_connection::version
uint16_t version
Protocol version.
Definition tls.h:459
tls_connection::new_session_ticket_len
size_t new_session_ticket_len
Length of new session ticket.
Definition tls.h:451
tls_connection::refcnt
struct refcnt refcnt
Reference counter.
Definition tls.h:438
tls_connection::secure_renegotiation
int secure_renegotiation
Secure renegotiation flag.
Definition tls.h:467
tls_header
A TLS header.
Definition tls.h:29
tls_header::version
uint16_t version
Protocol version.
Definition tls.h:39
tls_header::length
uint16_t length
Length of payload.
Definition tls.h:41
tls_header::type
uint8_t type
Content type.
Definition tls.h:34
tls_key_exchange_algorithm
A TLS key exchange algorithm.
Definition tls.h:187
tls_key_exchange_algorithm::name
const char * name
Algorithm name.
Definition tls.h:189
tls_key_exchange_algorithm::exchange
int(* exchange)(struct tls_connection *tls)
Transmit Client Key Exchange record.
Definition tls.h:196
tls_named_curve
A TLS named curve.
Definition tls.h:238
tls_named_curve::pre_master_secret_len
uint8_t pre_master_secret_len
Pre-master secret length.
Definition tls.h:246
tls_named_curve::format
uint8_t format
Curve point format byte (if any)
Definition tls.h:244
tls_named_curve::curve
struct elliptic_curve * curve
Elliptic curve.
Definition tls.h:240
tls_rx::cipherspec
struct tls_cipherspec_pair cipherspec
Cipher specifications.
Definition tls.h:386
tls_rx::data
struct list_head data
List of received data buffers.
Definition tls.h:396
tls_rx::iobuf
struct io_buffer iobuf
Current received record header (static I/O buffer)
Definition tls.h:394
tls_rx::handshake
struct io_buffer * handshake
Received handshake fragment.
Definition tls.h:398
tls_rx::state
enum tls_rx_state state
State machine current state.
Definition tls.h:390
tls_rx::header
struct tls_header header
Current received record header.
Definition tls.h:392
tls_rx::seq
uint64_t seq
Sequence number.
Definition tls.h:388
tls_server::key
struct asn1_cursor key
Public key (within server certificate)
Definition tls.h:426
tls_server::validation
struct pending_operation validation
Certificate validation pending operation.
Definition tls.h:430
tls_server::validator
struct interface validator
Certificate validator.
Definition tls.h:428
tls_server::root
struct x509_root * root
Root of trust.
Definition tls.h:422
tls_server::exchange
void * exchange
Server Key Exchange record (if any)
Definition tls.h:418
tls_server::negotiation
struct pending_operation negotiation
Security negotiation pending operation.
Definition tls.h:432
tls_server::chain
struct x509_chain * chain
Certificate chain.
Definition tls.h:424
tls_server::exchange_len
size_t exchange_len
Server Key Exchange record length.
Definition tls.h:420
tls_server::random
uint8_t random[32]
Random bytes.
Definition tls.h:416
tls_session
A TLS session.
Definition tls.h:341
tls_session::key
struct private_key * key
Private key.
Definition tls.h:352
tls_session::id
uint8_t id[32]
Session ID.
Definition tls.h:355
tls_session::extended_master_secret
int extended_master_secret
Extended master secret flag.
Definition tls.h:365
tls_session::name
const char * name
Server name.
Definition tls.h:348
tls_session::id_len
size_t id_len
Length of session ID.
Definition tls.h:357
tls_session::ticket_len
size_t ticket_len
Length of session ticket.
Definition tls.h:361
tls_session::master_secret
uint8_t master_secret[48]
Master secret.
Definition tls.h:363
tls_session::root
struct x509_root * root
Root of trust.
Definition tls.h:350
tls_session::conn
struct list_head conn
List of connections.
Definition tls.h:368
tls_session::refcnt
struct refcnt refcnt
Reference counter.
Definition tls.h:343
tls_session::ticket
void * ticket
Session ticket.
Definition tls.h:359
tls_session::list
struct list_head list
List of sessions.
Definition tls.h:345
tls_signature_hash_algorithm
A TLS signature algorithm.
Definition tls.h:288
tls_signature_hash_algorithm::code
struct tls_signature_hash_id code
Numeric code.
Definition tls.h:294
tls_signature_hash_algorithm::pubkey
struct pubkey_algorithm * pubkey
Public-key algorithm.
Definition tls.h:292
tls_signature_hash_algorithm::digest
struct digest_algorithm * digest
Digest algorithm.
Definition tls.h:290
tls_signature_hash_id
A TLS signature and hash algorithm identifier.
Definition tls.h:280
tls_signature_hash_id::hash
uint8_t hash
Hash algorithm.
Definition tls.h:282
tls_signature_hash_id::signature
uint8_t signature
Signature algorithm.
Definition tls.h:284
tls_tx::seq
uint64_t seq
Sequence number.
Definition tls.h:376
tls_tx::pending
unsigned int pending
Pending transmissions.
Definition tls.h:378
tls_tx::cipherspec
struct tls_cipherspec_pair cipherspec
Cipher specifications.
Definition tls.h:374
tls_tx::process
struct process process
Transmit process.
Definition tls.h:380
tls_verify_data::client
uint8_t client[12]
Client verification data.
Definition tls.h:165
tls_verify_data::server
uint8_t server[12]
Server verification data.
Definition tls.h:167
x509_certificate
An X.509 certificate.
Definition x509.h:216
x509_certificate::subject
struct x509_subject subject
Subject.
Definition x509.h:245
x509_certificate::raw
struct asn1_cursor raw
Raw certificate.
Definition x509.h:231
x509_certificate::signature_algorithm
struct asn1_algorithm * signature_algorithm
Signature algorithm.
Definition x509.h:239
x509_chain::links
struct list_head links
List of links.
Definition x509.h:205
x509_link
A link in an X.509 certificate chain.
Definition x509.h:171
x509_public_key::raw
struct asn1_cursor raw
Raw public key information.
Definition x509.h:52
x509_root
An X.509 root certificate list.
Definition x509.h:375
x509_subject::public_key
struct x509_public_key public_key
Public key information.
Definition x509.h:66
xfer_metadata
Data transfer metadata.
Definition xfer.h:23
for_each_table_entry
#define for_each_table_entry(pointer, table)
Iterate through all entries within a linker table.
Definition tables.h:386
tls_alloc_iob
static struct io_buffer * tls_alloc_iob(struct tls_connection *tls, size_t len)
Allocate I/O buffer for transmitted record(s)
Definition tls.c:3026
EINVAL_CHANGE_CIPHER
#define EINVAL_CHANGE_CIPHER
Definition tls.c:59
tls_cipherstream_desc
static struct interface_descriptor tls_cipherstream_desc
TLS ciphertext stream interface descriptor.
Definition tls.c:3686
tls_hmac_init
static void tls_hmac_init(struct tls_cipherspec *cipherspec, void *ctx, struct tls_auth_header *authhdr)
Initialise HMAC.
Definition tls.c:2911
tls_new_ciphertext
static int tls_new_ciphertext(struct tls_connection *tls, struct tls_header *tlshdr, struct list_head *rx_data)
Receive new ciphertext record.
Definition tls.c:3257
tls_prf_label
#define tls_prf_label(tls, secret, secret_len, out, out_len, label,...)
Generate secure pseudo-random data.
Definition tls.c:623
EINVAL_ALERT
#define EINVAL_ALERT
Definition tls.c:63
tls_send_handshake
static int tls_send_handshake(struct tls_connection *tls, const void *data, size_t len)
Transmit Handshake record.
Definition tls.c:1154
ENOTSUP_CIPHER
#define ENOTSUP_CIPHER
Definition tls.c:147
tls_new_finished
static int tls_new_finished(struct tls_connection *tls, const void *data, size_t len)
Receive new Finished handshake record.
Definition tls.c:2618
tls_progress
static int tls_progress(struct tls_connection *tls, struct job_progress *progress)
Report job progress.
Definition tls.c:3448
ENOTSUP_NULL
#define ENOTSUP_NULL
Definition tls.c:151
tls_signature_hash_pubkey
static struct pubkey_algorithm * tls_signature_hash_pubkey(struct tls_signature_hash_id code)
Find TLS signature algorithm.
Definition tls.c:1038
tls_validator_done
static void tls_validator_done(struct tls_connection *tls, int rc)
Handle certificate validation completion.
Definition tls.c:3703
md5_sha1_init
static void md5_sha1_init(void *ctx)
Initialise MD5+SHA1 algorithm.
Definition tls.c:294
EINVAL_KEY_EXCHANGE
#define EINVAL_KEY_EXCHANGE
Definition tls.c:111
tls_generate_random
static int tls_generate_random(struct tls_connection *tls, void *data, size_t len)
Generate random data.
Definition tls.c:460
tls_select_handshake
static int tls_select_handshake(struct tls_connection *tls, struct digest_algorithm *digest)
Select handshake digest algorithm.
Definition tls.c:795
ENOMEM_CHAIN
#define ENOMEM_CHAIN
Definition tls.c:127
tls_p_hash_va
static void tls_p_hash_va(struct tls_connection *tls, struct digest_algorithm *digest, const void *secret, size_t secret_len, void *out, size_t out_len, va_list seeds)
Generate secure pseudo-random data using a single hash function.
Definition tls.c:505
tls_send_certificate
static int tls_send_certificate(struct tls_connection *tls)
Transmit Certificate record.
Definition tls.c:1360
tls_tx_resume
static void tls_tx_resume(struct tls_connection *tls)
Resume TX state machine.
Definition tls.c:1110
EPERM_EMS
#define EPERM_EMS
Definition tls.c:187
tls_validator_ops
static struct interface_operation tls_validator_ops[]
TLS certificate validator interface operations.
Definition tls.c:3755
free_tls_session
static void free_tls_session(struct refcnt *refcnt)
Free TLS session.
Definition tls.c:359
tls_verify_dh_params
static int tls_verify_dh_params(struct tls_connection *tls, size_t param_len)
Verify Diffie-Hellman parameter signature.
Definition tls.c:1498
tls_new_change_cipher
static int tls_new_change_cipher(struct tls_connection *tls, struct io_buffer *iobuf)
Receive new Change Cipher record.
Definition tls.c:2009
tls_generate_master_secret
static void tls_generate_master_secret(struct tls_connection *tls, const void *pre_master_secret, size_t pre_master_secret_len)
Generate master secret.
Definition tls.c:643
ENOTSUP_CURVE
#define ENOTSUP_CURVE
Definition tls.c:163
EINVAL_RX_STATE
#define EINVAL_RX_STATE
Definition tls.c:99
tls_tx_step
static void tls_tx_step(struct tls_connection *tls)
TLS TX state machine.
Definition tls.c:3776
EINVAL_CERTIFICATES
#define EINVAL_CERTIFICATES
Definition tls.c:75
tls_newdata_process_data
static int tls_newdata_process_data(struct tls_connection *tls)
Handle received TLS data payload.
Definition tls.c:3571
EPERM_KEY_EXCHANGE
#define EPERM_KEY_EXCHANGE
Definition tls.c:183
tls_send_finished
static int tls_send_finished(struct tls_connection *tls)
Transmit Finished record.
Definition tls.c:1968
EINVAL_TICKET
#define EINVAL_TICKET
Definition tls.c:107
tls_cipherstream_ops
static struct interface_operation tls_cipherstream_ops[]
TLS ciphertext stream interface operations.
Definition tls.c:3675
EINVAL_CERTIFICATE
#define EINVAL_CERTIFICATE
Definition tls.c:71
tls_send_record
static int tls_send_record(struct tls_connection *tls, unsigned int type, struct io_buffer *iobuf)
Send plaintext record(s)
Definition tls.c:3053
ENOMEM_RX_DATA
#define ENOMEM_RX_DATA
Definition tls.c:139
tls_set_cipher
static int tls_set_cipher(struct tls_connection *tls, struct tls_cipherspec *cipherspec, struct tls_cipher_suite *suite)
Set cipher suite.
Definition tls.c:901
ENOMEM_CERTIFICATE
#define ENOMEM_CERTIFICATE
Definition tls.c:123
tls_send_client_hello
static int tls_send_client_hello(struct tls_connection *tls)
Transmit Client Hello record.
Definition tls.c:1349
tls_client_hello
static int tls_client_hello(struct tls_connection *tls, int(*action)(struct tls_connection *tls, const void *data, size_t len))
Digest or transmit Client Hello record.
Definition tls.c:1168
tls_find_cipher_suite
static struct tls_cipher_suite * tls_find_cipher_suite(unsigned int cipher_suite)
Identify cipher suite.
Definition tls.c:868
tls_validator_desc
static struct interface_descriptor tls_validator_desc
TLS certificate validator interface descriptor.
Definition tls.c:3760
tls_set_uint24
static void tls_set_uint24(tls24_t *field24, unsigned long value)
Set 24-bit field value.
Definition tls.c:248
tls_hmac_update_va
static void tls_hmac_update_va(struct digest_algorithm *digest, void *ctx, va_list args)
Update HMAC with a list of ( data, len ) pairs.
Definition tls.c:483
tls_cipherstream_deliver
static int tls_cipherstream_deliver(struct tls_connection *tls, struct io_buffer *iobuf, struct xfer_metadata *xfer __unused)
Receive new ciphertext.
Definition tls.c:3624
md5_sha1_final
static void md5_sha1_final(void *ctx, void *out)
Generate MD5+SHA1 digest.
Definition tls.c:321
tls_hmac_final
static void tls_hmac_final(struct tls_cipherspec *cipherspec, void *ctx, void *hmac)
Finalise HMAC.
Definition tls.c:2942
EPERM_ALERT
#define EPERM_ALERT
Definition tls.c:167
EINVAL_IV
#define EINVAL_IV
Definition tls.c:91
ENOMEM_TX_PLAINTEXT
#define ENOMEM_TX_PLAINTEXT
Definition tls.c:131
EINVAL_HELLO_DONE
#define EINVAL_HELLO_DONE
Definition tls.c:79
tls_signature_hash_digest
static struct digest_algorithm * tls_signature_hash_digest(struct tls_signature_hash_id code)
Find TLS hash algorithm.
Definition tls.c:1057
TLS_NUM_CIPHER_SUITES
#define TLS_NUM_CIPHER_SUITES
Number of supported cipher suites.
Definition tls.c:859
tls_newdata_process_header
static int tls_newdata_process_header(struct tls_connection *tls)
Handle received TLS header.
Definition tls.c:3488
tls_find_named_curve
static struct tls_named_curve * tls_find_named_curve(unsigned int named_curve)
Identify named curve.
Definition tls.c:1086
tls_send_client_key_exchange
static int tls_send_client_key_exchange(struct tls_connection *tls)
Transmit Client Key Exchange record.
Definition tls.c:1842
tls_version
static int tls_version(struct tls_connection *tls, unsigned int version)
Check for TLS version.
Definition tls.c:277
tls_ready
static int tls_ready(struct tls_connection *tls)
Determine if TLS connection is ready for application data.
Definition tls.c:260
tls_plainstream_desc
static struct interface_descriptor tls_plainstream_desc
TLS plaintext stream interface descriptor.
Definition tls.c:3471
tls_change_cipher
static int tls_change_cipher(struct tls_connection *tls, struct tls_cipherspec_pair *pair)
Activate next cipher suite.
Definition tls.c:983
md5_sha1_update
static void md5_sha1_update(void *ctx, const void *data, size_t len)
Accumulate data with MD5+SHA1 algorithm.
Definition tls.c:308
tls_plainstream_deliver
static int tls_plainstream_deliver(struct tls_connection *tls, struct io_buffer *iobuf, struct xfer_metadata *meta __unused)
Deliver datagram as raw data.
Definition tls.c:3420
tls_session
static int tls_session(struct tls_connection *tls, const char *name)
Find or create session for TLS connection.
Definition tls.c:3902
free_tls
static void free_tls(struct refcnt *refcnt)
Free TLS connection.
Definition tls.c:383
tls_send_client_key_exchange_dhe
static int tls_send_client_key_exchange_dhe(struct tls_connection *tls)
Transmit Client Key Exchange record using DHE key exchange.
Definition tls.c:1587
EIO_ALERT
#define EIO_ALERT
Definition tls.c:115
EINVAL_HELLO
#define EINVAL_HELLO
Definition tls.c:67
tls_restart
static void tls_restart(struct tls_connection *tls)
Restart negotiation.
Definition tls.c:1131
tls_cipher_suite_null
struct tls_cipher_suite tls_cipher_suite_null
Null cipher suite.
Definition tls.c:851
tls_pubkey_exchange_algorithm
struct tls_key_exchange_algorithm tls_pubkey_exchange_algorithm
Public key exchange algorithm.
Definition tls.c:1486
tls_plainstream_window
static size_t tls_plainstream_window(struct tls_connection *tls)
Check flow control window.
Definition tls.c:3403
tls_hmac_list
static void tls_hmac_list(struct tls_cipherspec *cipherspec, struct tls_auth_header *authhdr, struct list_head *list, void *hmac)
Calculate HMAC over list of I/O buffers.
Definition tls.c:2977
tls_send_change_cipher
static int tls_send_change_cipher(struct tls_connection *tls)
Transmit Change Cipher record.
Definition tls.c:1951
tls_ecdhe_exchange_algorithm
struct tls_key_exchange_algorithm tls_ecdhe_exchange_algorithm
Ephemeral Elliptic Curve Diffie-Hellman key exchange algorithm.
Definition tls.c:1831
tls_send_client_key_exchange_pubkey
static int tls_send_client_key_exchange_pubkey(struct tls_connection *tls)
Transmit Client Key Exchange record using public key exchange.
Definition tls.c:1417
EINVAL_FINISHED
#define EINVAL_FINISHED
Definition tls.c:83
tls_cipherstream_window
static size_t tls_cipherstream_window(struct tls_connection *tls)
Check flow control window.
Definition tls.c:3607
tls_send_plaintext
static int tls_send_plaintext(struct tls_connection *tls, unsigned int type, const void *data, size_t len)
Send plaintext record.
Definition tls.c:3196
tls_hmac
static void tls_hmac(struct tls_cipherspec *cipherspec, struct tls_auth_header *authhdr, const void *data, size_t len, void *hmac)
Calculate HMAC.
Definition tls.c:2958
EINVAL_MAC
#define EINVAL_MAC
Definition tls.c:103
tls_prf
static void tls_prf(struct tls_connection *tls, const void *secret, size_t secret_len, void *out, size_t out_len,...)
Generate secure pseudo-random data.
Definition tls.c:567
tls_hmac_update
static void tls_hmac_update(struct tls_cipherspec *cipherspec, void *ctx, const void *data, size_t len)
Update HMAC.
Definition tls.c:2928
EPERM_RENEG_INSECURE
#define EPERM_RENEG_INSECURE
Definition tls.c:175
tls_new_server_hello
static int tls_new_server_hello(struct tls_connection *tls, const void *data, size_t len)
Receive new Server Hello handshake record.
Definition tls.c:2117
tls_send_certificate_verify
static int tls_send_certificate_verify(struct tls_connection *tls)
Transmit Certificate Verify record.
Definition tls.c:1870
ENOMEM_RX_CONCAT
#define ENOMEM_RX_CONCAT
Definition tls.c:143
tls_close
static void tls_close(struct tls_connection *tls, int rc)
Finish with TLS connection.
Definition tls.c:422
tls_select_cipher
static int tls_select_cipher(struct tls_connection *tls, unsigned int cipher_suite)
Select next cipher suite.
Definition tls.c:940
EINVAL_PADDING
#define EINVAL_PADDING
Definition tls.c:95
tls_new_certificate_request
static int tls_new_certificate_request(struct tls_connection *tls, const void *data __unused, size_t len __unused)
Receive new Certificate Request handshake record.
Definition tls.c:2522
tls_verify_padding
static int tls_verify_padding(struct tls_connection *tls, struct io_buffer *iobuf)
Verify block padding.
Definition tls.c:3222
EPROTO_VERSION
#define EPROTO_VERSION
Definition tls.c:191
tls_process_desc
static struct process_descriptor tls_process_desc
TLS TX process descriptor.
Definition tls.c:3885
tls_new_session_ticket
static int tls_new_session_ticket(struct tls_connection *tls, const void *data, size_t len)
Receive New Session Ticket handshake record.
Definition tls.c:2319
EPERM_VERIFY
#define EPERM_VERIFY
Definition tls.c:171
EPERM_RENEG_VERIFY
#define EPERM_RENEG_VERIFY
Definition tls.c:179
ENOTSUP_SIG_HASH
#define ENOTSUP_SIG_HASH
Definition tls.c:155
TLS_NUM_NAMED_CURVES
#define TLS_NUM_NAMED_CURVES
Number of supported named curves.
Definition tls.c:1077
tls_new_unknown
static int tls_new_unknown(struct tls_connection *tls __unused, struct io_buffer *iobuf)
Receive new unknown record.
Definition tls.c:2786
tls_dhe_exchange_algorithm
struct tls_key_exchange_algorithm tls_dhe_exchange_algorithm
Ephemeral Diffie-Hellman key exchange algorithm.
Definition tls.c:1701
tls_new_data
static int tls_new_data(struct tls_connection *tls, struct list_head *rx_data)
Receive new data record.
Definition tls.c:2801
TLS_NUM_SIG_HASH_ALGORITHMS
#define TLS_NUM_SIG_HASH_ALGORITHMS
Number of supported signature and hash algorithms.
Definition tls.c:1005
tls_new_hello_request
static int tls_new_hello_request(struct tls_connection *tls, const void *data __unused, size_t len __unused)
Receive new Hello Request handshake record.
Definition tls.c:2086
tls_new_handshake
static int tls_new_handshake(struct tls_connection *tls, struct io_buffer *iobuf)
Receive new Handshake record.
Definition tls.c:2696
tls_iob_reserved
static size_t tls_iob_reserved(struct tls_connection *tls, size_t len)
Calculate maximum additional length required for transmitted record(s)
Definition tls.c:2999
tls_signature_hash_algorithm
static struct tls_signature_hash_algorithm * tls_signature_hash_algorithm(struct pubkey_algorithm *pubkey, struct digest_algorithm *digest)
Find TLS signature and hash algorithm.
Definition tls.c:1016
tls_plainstream_ops
static struct interface_operation tls_plainstream_ops[]
TLS plaintext stream interface operations.
Definition tls.c:3460
md5_sha1_algorithm
static struct digest_algorithm md5_sha1_algorithm
Hybrid MD5+SHA1 digest algorithm.
Definition tls.c:330
tls_parse_chain
static int tls_parse_chain(struct tls_connection *tls, const void *data, size_t len)
Parse certificate chain.
Definition tls.c:2370
tls_clear_handshake
static void tls_clear_handshake(struct tls_connection *tls)
Clear handshake digest algorithm.
Definition tls.c:778
tls_new_certificate
static int tls_new_certificate(struct tls_connection *tls, const void *data, size_t len)
Receive new Certificate handshake record.
Definition tls.c:2451
tls_new_server_hello_done
static int tls_new_server_hello_done(struct tls_connection *tls, const void *data, size_t len)
Receive new Server Hello Done handshake record.
Definition tls.c:2582
tls_verify_handshake
static void tls_verify_handshake(struct tls_connection *tls, void *out)
Calculate handshake verification hash.
Definition tls.c:835
ENOMEM_CONTEXT
#define ENOMEM_CONTEXT
Definition tls.c:119
tls_add_handshake
static int tls_add_handshake(struct tls_connection *tls, const void *data, size_t len)
Add handshake record to verification hash.
Definition tls.c:819
tls_generate_keys
static int tls_generate_keys(struct tls_connection *tls)
Generate key material.
Definition tls.c:693
tls_new_record
static int tls_new_record(struct tls_connection *tls, unsigned int type, struct list_head *rx_data)
Receive new record.
Definition tls.c:2833
tls_uint24
static unsigned long tls_uint24(const tls24_t *field24)
Extract 24-bit field value.
Definition tls.c:237
tls_clear_cipher
static void tls_clear_cipher(struct tls_connection *tls, struct tls_cipherspec *cipherspec)
tls_new_server_key_exchange
static int tls_new_server_key_exchange(struct tls_connection *tls, const void *data, size_t len)
Receive new Server Key Exchange handshake record.
Definition tls.c:2491
tls_send_client_key_exchange_ecdhe
static int tls_send_client_key_exchange_ecdhe(struct tls_connection *tls)
Transmit Client Key Exchange record using ECDHE key exchange.
Definition tls.c:1712
tls_new_alert
static int tls_new_alert(struct tls_connection *tls, struct io_buffer *iobuf)
Receive new Alert record.
Definition tls.c:2044
tls_tx_resume_all
static void tls_tx_resume_all(struct tls_session *session)
Resume TX state machine for all connections within a session.
Definition tls.c:1119
add_tls
int add_tls(struct interface *xfer, const char *name, struct x509_root *root, struct private_key *key)
Add TLS on an interface.
Definition tls.c:3962
tls.h
Transport Layer Security Protocol.
TLS_SERVER_HELLO
#define TLS_SERVER_HELLO
Definition tls.h:71
TLS_SERVER_KEY_EXCHANGE
#define TLS_SERVER_KEY_EXCHANGE
Definition tls.h:74
TLS_TYPE_ALERT
#define TLS_TYPE_ALERT
Alert content type.
Definition tls.h:60
TLS_TX_BUFSIZE
#define TLS_TX_BUFSIZE
TX maximum fragment length.
Definition tls.h:492
TLS_NEW_SESSION_TICKET
#define TLS_NEW_SESSION_TICKET
Definition tls.h:72
TLS_CLIENT_KEY_EXCHANGE
#define TLS_CLIENT_KEY_EXCHANGE
Definition tls.h:78
TLS_VERSION_TLS_1_2
#define TLS_VERSION_TLS_1_2
TLS version 1.2.
Definition tls.h:48
TLS_CHANGE_CIPHER_SPEC
#define TLS_CHANGE_CIPHER_SPEC
Change cipher spec magic byte.
Definition tls.h:57
TLS_CIPHER_SUITES
#define TLS_CIPHER_SUITES
TLS cipher suite table.
Definition tls.h:224
TLS_EXTENDED_MASTER_SECRET
#define TLS_EXTENDED_MASTER_SECRET
Definition tls.h:146
TLS_VERSION_MAX
#define TLS_VERSION_MAX
Maximum supported TLS version.
Definition tls.h:51
TLS_RENEGOTIATION_INFO
#define TLS_RENEGOTIATION_INFO
Definition tls.h:152
TLS_RX_MIN_BUFSIZE
#define TLS_RX_MIN_BUFSIZE
Minimum RX I/O buffer size.
Definition tls.h:510
TLS_MAX_FRAGMENT_LENGTH_VALUE
#define TLS_MAX_FRAGMENT_LENGTH_VALUE
Advertised maximum fragment length.
Definition tls.h:484
TLS_FINISHED
#define TLS_FINISHED
Definition tls.h:79
TLS_CERTIFICATE_VERIFY
#define TLS_CERTIFICATE_VERIFY
Definition tls.h:77
TLS_ALERT_FATAL
#define TLS_ALERT_FATAL
Definition tls.h:83
TLS_HELLO_REQUEST
#define TLS_HELLO_REQUEST
Definition tls.h:69
TLS_RX_ALIGN
#define TLS_RX_ALIGN
RX I/O buffer alignment.
Definition tls.h:513
TLS_CLIENT_HELLO
#define TLS_CLIENT_HELLO
Definition tls.h:70
TLS_NAMED_CURVES
#define TLS_NAMED_CURVES
TLS named curve table.
Definition tls.h:250
TLS_TYPE_HANDSHAKE
#define TLS_TYPE_HANDSHAKE
Handshake content type.
Definition tls.h:63
TLS_SERVER_NAME
#define TLS_SERVER_NAME
Definition tls.h:126
TLS_RX_HEADER
@ TLS_RX_HEADER
Definition tls.h:172
TLS_RX_DATA
@ TLS_RX_DATA
Definition tls.h:173
TLS_TYPE_DATA
#define TLS_TYPE_DATA
Application data content type.
Definition tls.h:66
TLS_ALERT_WARNING
#define TLS_ALERT_WARNING
Definition tls.h:82
TLS_CERTIFICATE_REQUEST
#define TLS_CERTIFICATE_REQUEST
Definition tls.h:75
TLS_TX_FINISHED
@ TLS_TX_FINISHED
Definition tls.h:183
TLS_TX_CLIENT_KEY_EXCHANGE
@ TLS_TX_CLIENT_KEY_EXCHANGE
Definition tls.h:180
TLS_TX_CLIENT_HELLO
@ TLS_TX_CLIENT_HELLO
Definition tls.h:178
TLS_TX_CHANGE_CIPHER
@ TLS_TX_CHANGE_CIPHER
Definition tls.h:182
TLS_TX_CERTIFICATE_VERIFY
@ TLS_TX_CERTIFICATE_VERIFY
Definition tls.h:181
TLS_TX_CERTIFICATE
@ TLS_TX_CERTIFICATE
Definition tls.h:179
TLS_CERTIFICATE
#define TLS_CERTIFICATE
Definition tls.h:73
TLS_TYPE_CHANGE_CIPHER
#define TLS_TYPE_CHANGE_CIPHER
Change cipher content type.
Definition tls.h:54
TLS_SERVER_NAME_HOST_NAME
#define TLS_SERVER_NAME_HOST_NAME
Definition tls.h:127
TLS_SIG_HASH_ALGORITHMS
#define TLS_SIG_HASH_ALGORITHMS
TLS signature hash algorithm table.
Definition tls.h:302
TLS_SERVER_HELLO_DONE
#define TLS_SERVER_HELLO_DONE
Definition tls.h:76
TLS_MAX_FRAGMENT_LENGTH
#define TLS_MAX_FRAGMENT_LENGTH
Definition tls.h:130
TLS_RX_BUFSIZE
#define TLS_RX_BUFSIZE
RX I/O buffer size.
Definition tls.h:502
TLS_NAMED_CURVE_TYPE
#define TLS_NAMED_CURVE_TYPE
TLS named curved type.
Definition tls.h:232
TLS_NAMED_CURVE
#define TLS_NAMED_CURVE
Definition tls.h:137
TLS_SESSION_TICKET
#define TLS_SESSION_TICKET
Definition tls.h:149
TLS_SIGNATURE_ALGORITHMS
#define TLS_SIGNATURE_ALGORITHMS
Definition tls.h:143
data_len
uint32_t data_len
Microcode data size (or 0 to indicate 2000 bytes)
Definition ucode.h:15
create_validator
int create_validator(struct interface *job, struct x509_chain *chain, struct x509_root *root)
Instantiate a certificate validator.
Definition validator.c:760
validator.h
Certificate validator.
lifetime
u32 lifetime
For Lifetime-type KDEs, the lifetime in seconds.
Definition wpa.h:27
keysize
u16 keysize
Length of encryption key to be used, network byte order.
Definition wpa.h:10
iv
u8 iv[16]
Initialization vector.
Definition wpa.h:33
tx
u8 tx[WPA_TKIP_MIC_KEY_LEN]
MIC key for packets to the AP.
Definition wpa.h:4
x509_auto_append
int x509_auto_append(struct x509_chain *chain, struct x509_chain *store)
Append X.509 certificates to X.509 certificate chain.
Definition x509.c:1868
x509_check_name
int x509_check_name(struct x509_certificate *cert, const char *name)
Check X.509 certificate name.
Definition x509.c:1564
x509_alloc_chain
struct x509_chain * x509_alloc_chain(void)
Allocate X.509 certificate chain.
Definition x509.c:1615
x509_name
const char * x509_name(struct x509_certificate *cert)
Get X.509 certificate display name.
Definition x509.c:147
x509_find_key
struct x509_certificate * x509_find_key(struct x509_chain *store, struct private_key *key)
Identify X.509 certificate by corresponding public key.
Definition x509.c:1835
x509_append_raw
int x509_append_raw(struct x509_chain *chain, const void *data, size_t len)
Append X.509 certificate to X.509 certificate chain.
Definition x509.c:1674
x509_append
int x509_append(struct x509_chain *chain, struct x509_certificate *cert)
Append X.509 certificate to X.509 certificate chain.
Definition x509.c:1638
x509.h
X.509 certificates.
x509_first
static struct x509_certificate * x509_first(struct x509_chain *chain)
Get first certificate in X.509 certificate chain.
Definition x509.h:311
x509_root_get
static struct x509_root * x509_root_get(struct x509_root *root)
Get reference to X.509 root certificate list.
Definition x509.h:393
x509_last
static struct x509_certificate * x509_last(struct x509_chain *chain)
Get last certificate in X.509 certificate chain.
Definition x509.h:325
x509_root_put
static void x509_root_put(struct x509_root *root)
Drop reference to X.509 root certificate list.
Definition x509.h:404
x509_chain_put
static void x509_chain_put(struct x509_chain *chain)
Drop reference to X.509 certificate chain.
Definition x509.h:300
xfer_window
size_t xfer_window(struct interface *intf)
Check flow control window.
Definition xfer.c:117
xfer_deliver
int xfer_deliver(struct interface *intf, struct io_buffer *iobuf, struct xfer_metadata *meta)
Deliver datagram.
Definition xfer.c:195
xfer_alloc_iob
struct io_buffer * xfer_alloc_iob(struct interface *intf, size_t len)
Allocate I/O buffer.
Definition xfer.c:159
xfer_window_changed
void xfer_window_changed(struct interface *intf)
Report change of flow control window.
Definition xfer.c:147
xfer_deliver_iob
int xfer_deliver_iob(struct interface *intf, struct io_buffer *iobuf)
Deliver datagram as I/O buffer without metadata.
Definition xfer.c:256
xfer.h
Data transfer interfaces.
Generated by doxygen 1.14.0