iPXE
tls.c
Go to the documentation of this file.
1 /*
2  * Copyright (C) 2007 Michael Brown <mbrown@fensystems.co.uk>.
3  *
4  * This program is free software; you can redistribute it and/or
5  * modify it under the terms of the GNU General Public License as
6  * published by the Free Software Foundation; either version 2 of the
7  * License, or any later version.
8  *
9  * This program is distributed in the hope that it will be useful, but
10  * WITHOUT ANY WARRANTY; without even the implied warranty of
11  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12  * General Public License for more details.
13  *
14  * You should have received a copy of the GNU General Public License
15  * along with this program; if not, write to the Free Software
16  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
17  * 02110-1301, USA.
18  */
19 
20 FILE_LICENCE ( GPL2_OR_LATER );
21 
22 /**
23  * @file
24  *
25  * Transport Layer Security Protocol
26  */
27 
28 #include <stdint.h>
29 #include <stdlib.h>
30 #include <stdarg.h>
31 #include <string.h>
32 #include <time.h>
33 #include <errno.h>
34 #include <byteswap.h>
35 #include <ipxe/pending.h>
36 #include <ipxe/hmac.h>
37 #include <ipxe/md5.h>
38 #include <ipxe/sha1.h>
39 #include <ipxe/sha256.h>
40 #include <ipxe/aes.h>
41 #include <ipxe/rsa.h>
42 #include <ipxe/iobuf.h>
43 #include <ipxe/xfer.h>
44 #include <ipxe/open.h>
45 #include <ipxe/x509.h>
46 #include <ipxe/privkey.h>
47 #include <ipxe/certstore.h>
48 #include <ipxe/rbg.h>
49 #include <ipxe/validator.h>
50 #include <ipxe/job.h>
51 #include <ipxe/tls.h>
52 
53 /* Disambiguate the various error causes */
54 #define EINVAL_CHANGE_CIPHER __einfo_error ( EINFO_EINVAL_CHANGE_CIPHER )
55 #define EINFO_EINVAL_CHANGE_CIPHER \
56  __einfo_uniqify ( EINFO_EINVAL, 0x01, \
57  "Invalid Change Cipher record" )
58 #define EINVAL_ALERT __einfo_error ( EINFO_EINVAL_ALERT )
59 #define EINFO_EINVAL_ALERT \
60  __einfo_uniqify ( EINFO_EINVAL, 0x02, \
61  "Invalid Alert record" )
62 #define EINVAL_HELLO __einfo_error ( EINFO_EINVAL_HELLO )
63 #define EINFO_EINVAL_HELLO \
64  __einfo_uniqify ( EINFO_EINVAL, 0x03, \
65  "Invalid Server Hello record" )
66 #define EINVAL_CERTIFICATE __einfo_error ( EINFO_EINVAL_CERTIFICATE )
67 #define EINFO_EINVAL_CERTIFICATE \
68  __einfo_uniqify ( EINFO_EINVAL, 0x04, \
69  "Invalid Certificate" )
70 #define EINVAL_CERTIFICATES __einfo_error ( EINFO_EINVAL_CERTIFICATES )
71 #define EINFO_EINVAL_CERTIFICATES \
72  __einfo_uniqify ( EINFO_EINVAL, 0x05, \
73  "Invalid Server Certificate record" )
74 #define EINVAL_HELLO_DONE __einfo_error ( EINFO_EINVAL_HELLO_DONE )
75 #define EINFO_EINVAL_HELLO_DONE \
76  __einfo_uniqify ( EINFO_EINVAL, 0x06, \
77  "Invalid Server Hello Done record" )
78 #define EINVAL_FINISHED __einfo_error ( EINFO_EINVAL_FINISHED )
79 #define EINFO_EINVAL_FINISHED \
80  __einfo_uniqify ( EINFO_EINVAL, 0x07, \
81  "Invalid Server Finished record" )
82 #define EINVAL_HANDSHAKE __einfo_error ( EINFO_EINVAL_HANDSHAKE )
83 #define EINFO_EINVAL_HANDSHAKE \
84  __einfo_uniqify ( EINFO_EINVAL, 0x08, \
85  "Invalid Handshake record" )
86 #define EINVAL_STREAM __einfo_error ( EINFO_EINVAL_STREAM )
87 #define EINFO_EINVAL_STREAM \
88  __einfo_uniqify ( EINFO_EINVAL, 0x09, \
89  "Invalid stream-ciphered record" )
90 #define EINVAL_BLOCK __einfo_error ( EINFO_EINVAL_BLOCK )
91 #define EINFO_EINVAL_BLOCK \
92  __einfo_uniqify ( EINFO_EINVAL, 0x0a, \
93  "Invalid block-ciphered record" )
94 #define EINVAL_PADDING __einfo_error ( EINFO_EINVAL_PADDING )
95 #define EINFO_EINVAL_PADDING \
96  __einfo_uniqify ( EINFO_EINVAL, 0x0b, \
97  "Invalid block padding" )
98 #define EINVAL_RX_STATE __einfo_error ( EINFO_EINVAL_RX_STATE )
99 #define EINFO_EINVAL_RX_STATE \
100  __einfo_uniqify ( EINFO_EINVAL, 0x0c, \
101  "Invalid receive state" )
102 #define EINVAL_MAC __einfo_error ( EINFO_EINVAL_MAC )
103 #define EINFO_EINVAL_MAC \
104  __einfo_uniqify ( EINFO_EINVAL, 0x0d, \
105  "Invalid MAC" )
106 #define EINVAL_TICKET __einfo_error ( EINFO_EINVAL_TICKET )
107 #define EINFO_EINVAL_TICKET \
108  __einfo_uniqify ( EINFO_EINVAL, 0x0e, \
109  "Invalid New Session Ticket record")
110 #define EIO_ALERT __einfo_error ( EINFO_EIO_ALERT )
111 #define EINFO_EIO_ALERT \
112  __einfo_uniqify ( EINFO_EIO, 0x01, \
113  "Unknown alert level" )
114 #define ENOMEM_CONTEXT __einfo_error ( EINFO_ENOMEM_CONTEXT )
115 #define EINFO_ENOMEM_CONTEXT \
116  __einfo_uniqify ( EINFO_ENOMEM, 0x01, \
117  "Not enough space for crypto context" )
118 #define ENOMEM_CERTIFICATE __einfo_error ( EINFO_ENOMEM_CERTIFICATE )
119 #define EINFO_ENOMEM_CERTIFICATE \
120  __einfo_uniqify ( EINFO_ENOMEM, 0x02, \
121  "Not enough space for certificate" )
122 #define ENOMEM_CHAIN __einfo_error ( EINFO_ENOMEM_CHAIN )
123 #define EINFO_ENOMEM_CHAIN \
124  __einfo_uniqify ( EINFO_ENOMEM, 0x03, \
125  "Not enough space for certificate chain" )
126 #define ENOMEM_TX_PLAINTEXT __einfo_error ( EINFO_ENOMEM_TX_PLAINTEXT )
127 #define EINFO_ENOMEM_TX_PLAINTEXT \
128  __einfo_uniqify ( EINFO_ENOMEM, 0x04, \
129  "Not enough space for transmitted plaintext" )
130 #define ENOMEM_TX_CIPHERTEXT __einfo_error ( EINFO_ENOMEM_TX_CIPHERTEXT )
131 #define EINFO_ENOMEM_TX_CIPHERTEXT \
132  __einfo_uniqify ( EINFO_ENOMEM, 0x05, \
133  "Not enough space for transmitted ciphertext" )
134 #define ENOMEM_RX_DATA __einfo_error ( EINFO_ENOMEM_RX_DATA )
135 #define EINFO_ENOMEM_RX_DATA \
136  __einfo_uniqify ( EINFO_ENOMEM, 0x07, \
137  "Not enough space for received data" )
138 #define ENOMEM_RX_CONCAT __einfo_error ( EINFO_ENOMEM_RX_CONCAT )
139 #define EINFO_ENOMEM_RX_CONCAT \
140  __einfo_uniqify ( EINFO_ENOMEM, 0x08, \
141  "Not enough space to concatenate received data" )
142 #define ENOTSUP_CIPHER __einfo_error ( EINFO_ENOTSUP_CIPHER )
143 #define EINFO_ENOTSUP_CIPHER \
144  __einfo_uniqify ( EINFO_ENOTSUP, 0x01, \
145  "Unsupported cipher" )
146 #define ENOTSUP_NULL __einfo_error ( EINFO_ENOTSUP_NULL )
147 #define EINFO_ENOTSUP_NULL \
148  __einfo_uniqify ( EINFO_ENOTSUP, 0x02, \
149  "Refusing to use null cipher" )
150 #define ENOTSUP_SIG_HASH __einfo_error ( EINFO_ENOTSUP_SIG_HASH )
151 #define EINFO_ENOTSUP_SIG_HASH \
152  __einfo_uniqify ( EINFO_ENOTSUP, 0x03, \
153  "Unsupported signature and hash algorithm" )
154 #define ENOTSUP_VERSION __einfo_error ( EINFO_ENOTSUP_VERSION )
155 #define EINFO_ENOTSUP_VERSION \
156  __einfo_uniqify ( EINFO_ENOTSUP, 0x04, \
157  "Unsupported protocol version" )
158 #define EPERM_ALERT __einfo_error ( EINFO_EPERM_ALERT )
159 #define EINFO_EPERM_ALERT \
160  __einfo_uniqify ( EINFO_EPERM, 0x01, \
161  "Received fatal alert" )
162 #define EPERM_VERIFY __einfo_error ( EINFO_EPERM_VERIFY )
163 #define EINFO_EPERM_VERIFY \
164  __einfo_uniqify ( EINFO_EPERM, 0x02, \
165  "Handshake verification failed" )
166 #define EPERM_CLIENT_CERT __einfo_error ( EINFO_EPERM_CLIENT_CERT )
167 #define EINFO_EPERM_CLIENT_CERT \
168  __einfo_uniqify ( EINFO_EPERM, 0x03, \
169  "No suitable client certificate available" )
170 #define EPERM_RENEG_INSECURE __einfo_error ( EINFO_EPERM_RENEG_INSECURE )
171 #define EINFO_EPERM_RENEG_INSECURE \
172  __einfo_uniqify ( EINFO_EPERM, 0x04, \
173  "Secure renegotiation not supported" )
174 #define EPERM_RENEG_VERIFY __einfo_error ( EINFO_EPERM_RENEG_VERIFY )
175 #define EINFO_EPERM_RENEG_VERIFY \
176  __einfo_uniqify ( EINFO_EPERM, 0x05, \
177  "Secure renegotiation verification failed" )
178 #define EPROTO_VERSION __einfo_error ( EINFO_EPROTO_VERSION )
179 #define EINFO_EPROTO_VERSION \
180  __einfo_uniqify ( EINFO_EPROTO, 0x01, \
181  "Illegal protocol version upgrade" )
182 
183 /** List of TLS session */
184 static LIST_HEAD ( tls_sessions );
185 
186 static void tls_tx_resume_all ( struct tls_session *session );
187 static int tls_send_plaintext ( struct tls_connection *tls, unsigned int type,
188  const void *data, size_t len );
189 static void tls_clear_cipher ( struct tls_connection *tls,
190  struct tls_cipherspec *cipherspec );
191 
192 /******************************************************************************
193  *
194  * Utility functions
195  *
196  ******************************************************************************
197  */
198 
199 /** A TLS 24-bit integer
200  *
201  * TLS uses 24-bit integers in several places, which are awkward to
202  * parse in C.
203  */
204 typedef struct {
205  /** High byte */
206  uint8_t high;
207  /** Low word */
208  uint16_t low;
209 } __attribute__ (( packed )) tls24_t;
210 
211 /**
212  * Extract 24-bit field value
213  *
214  * @v field24 24-bit field
215  * @ret value Field value
216  *
217  */
218 static inline __attribute__ (( always_inline )) unsigned long
219 tls_uint24 ( const tls24_t *field24 ) {
220 
221  return ( ( field24->high << 16 ) | be16_to_cpu ( field24->low ) );
222 }
223 
224 /**
225  * Set 24-bit field value
226  *
227  * @v field24 24-bit field
228  * @v value Field value
229  */
230 static void tls_set_uint24 ( tls24_t *field24, unsigned long value ) {
231 
232  field24->high = ( value >> 16 );
233  field24->low = cpu_to_be16 ( value );
234 }
235 
236 /**
237  * Determine if TLS connection is ready for application data
238  *
239  * @v tls TLS connection
240  * @ret is_ready TLS connection is ready
241  */
242 static int tls_ready ( struct tls_connection *tls ) {
243  return ( ( ! is_pending ( &tls->client_negotiation ) ) &&
244  ( ! is_pending ( &tls->server_negotiation ) ) );
245 }
246 
247 /******************************************************************************
248  *
249  * Hybrid MD5+SHA1 hash as used by TLSv1.1 and earlier
250  *
251  ******************************************************************************
252  */
253 
254 /**
255  * Initialise MD5+SHA1 algorithm
256  *
257  * @v ctx MD5+SHA1 context
258  */
259 static void md5_sha1_init ( void *ctx ) {
260  struct md5_sha1_context *context = ctx;
261 
262  digest_init ( &md5_algorithm, context->md5 );
263  digest_init ( &sha1_algorithm, context->sha1 );
264 }
265 
266 /**
267  * Accumulate data with MD5+SHA1 algorithm
268  *
269  * @v ctx MD5+SHA1 context
270  * @v data Data
271  * @v len Length of data
272  */
273 static void md5_sha1_update ( void *ctx, const void *data, size_t len ) {
274  struct md5_sha1_context *context = ctx;
275 
276  digest_update ( &md5_algorithm, context->md5, data, len );
277  digest_update ( &sha1_algorithm, context->sha1, data, len );
278 }
279 
280 /**
281  * Generate MD5+SHA1 digest
282  *
283  * @v ctx MD5+SHA1 context
284  * @v out Output buffer
285  */
286 static void md5_sha1_final ( void *ctx, void *out ) {
287  struct md5_sha1_context *context = ctx;
288  struct md5_sha1_digest *digest = out;
289 
290  digest_final ( &md5_algorithm, context->md5, digest->md5 );
291  digest_final ( &sha1_algorithm, context->sha1, digest->sha1 );
292 }
293 
294 /** Hybrid MD5+SHA1 digest algorithm */
295 static struct digest_algorithm md5_sha1_algorithm = {
296  .name = "md5+sha1",
297  .ctxsize = sizeof ( struct md5_sha1_context ),
298  .blocksize = 0, /* Not applicable */
299  .digestsize = sizeof ( struct md5_sha1_digest ),
300  .init = md5_sha1_init,
301  .update = md5_sha1_update,
302  .final = md5_sha1_final,
303 };
304 
305 /** RSA digestInfo prefix for MD5+SHA1 algorithm */
306 struct rsa_digestinfo_prefix rsa_md5_sha1_prefix __rsa_digestinfo_prefix = {
307  .digest = &md5_sha1_algorithm,
308  .data = NULL, /* MD5+SHA1 signatures have no digestInfo */
309  .len = 0,
310 };
311 
312 /******************************************************************************
313  *
314  * Cleanup functions
315  *
316  ******************************************************************************
317  */
318 
319 /**
320  * Free TLS session
321  *
322  * @v refcnt Reference counter
323  */
324 static void free_tls_session ( struct refcnt *refcnt ) {
325  struct tls_session *session =
326  container_of ( refcnt, struct tls_session, refcnt );
327 
328  /* Sanity check */
329  assert ( list_empty ( &session->conn ) );
330 
331  /* Remove from list of sessions */
332  list_del ( &session->list );
333 
334  /* Free session ticket */
335  free ( session->ticket );
336 
337  /* Free session */
338  free ( session );
339 }
340 
341 /**
342  * Free TLS connection
343  *
344  * @v refcnt Reference counter
345  */
346 static void free_tls ( struct refcnt *refcnt ) {
347  struct tls_connection *tls =
348  container_of ( refcnt, struct tls_connection, refcnt );
349  struct tls_session *session = tls->session;
350  struct io_buffer *iobuf;
351  struct io_buffer *tmp;
352 
353  /* Free dynamically-allocated resources */
354  free ( tls->new_session_ticket );
355  tls_clear_cipher ( tls, &tls->tx_cipherspec );
356  tls_clear_cipher ( tls, &tls->tx_cipherspec_pending );
357  tls_clear_cipher ( tls, &tls->rx_cipherspec );
358  tls_clear_cipher ( tls, &tls->rx_cipherspec_pending );
359  list_for_each_entry_safe ( iobuf, tmp, &tls->rx_data, list ) {
360  list_del ( &iobuf->list );
361  free_iob ( iobuf );
362  }
363  x509_put ( tls->cert );
364  x509_chain_put ( tls->chain );
365 
366  /* Drop reference to session */
367  assert ( list_empty ( &tls->list ) );
368  ref_put ( &session->refcnt );
369 
370  /* Free TLS structure itself */
371  free ( tls );
372 }
373 
374 /**
375  * Finish with TLS connection
376  *
377  * @v tls TLS connection
378  * @v rc Status code
379  */
380 static void tls_close ( struct tls_connection *tls, int rc ) {
381 
382  /* Remove pending operations, if applicable */
383  pending_put ( &tls->client_negotiation );
384  pending_put ( &tls->server_negotiation );
385  pending_put ( &tls->validation );
386 
387  /* Remove process */
388  process_del ( &tls->process );
389 
390  /* Close all interfaces */
391  intf_shutdown ( &tls->cipherstream, rc );
392  intf_shutdown ( &tls->plainstream, rc );
393  intf_shutdown ( &tls->validator, rc );
394 
395  /* Remove from session */
396  list_del ( &tls->list );
397  INIT_LIST_HEAD ( &tls->list );
398 
399  /* Resume all other connections, in case we were the lead connection */
400  tls_tx_resume_all ( tls->session );
401 }
402 
403 /******************************************************************************
404  *
405  * Random number generation
406  *
407  ******************************************************************************
408  */
409 
410 /**
411  * Generate random data
412  *
413  * @v tls TLS connection
414  * @v data Buffer to fill
415  * @v len Length of buffer
416  * @ret rc Return status code
417  */
418 static int tls_generate_random ( struct tls_connection *tls,
419  void *data, size_t len ) {
420  int rc;
421 
422  /* Generate random bits with no additional input and without
423  * prediction resistance
424  */
425  if ( ( rc = rbg_generate ( NULL, 0, 0, data, len ) ) != 0 ) {
426  DBGC ( tls, "TLS %p could not generate random data: %s\n",
427  tls, strerror ( rc ) );
428  return rc;
429  }
430 
431  return 0;
432 }
433 
434 /**
435  * Update HMAC with a list of ( data, len ) pairs
436  *
437  * @v digest Hash function to use
438  * @v digest_ctx Digest context
439  * @v args ( data, len ) pairs of data, terminated by NULL
440  */
441 static void tls_hmac_update_va ( struct digest_algorithm *digest,
442  void *digest_ctx, va_list args ) {
443  void *data;
444  size_t len;
445 
446  while ( ( data = va_arg ( args, void * ) ) ) {
447  len = va_arg ( args, size_t );
448  hmac_update ( digest, digest_ctx, data, len );
449  }
450 }
451 
452 /**
453  * Generate secure pseudo-random data using a single hash function
454  *
455  * @v tls TLS connection
456  * @v digest Hash function to use
457  * @v secret Secret
458  * @v secret_len Length of secret
459  * @v out Output buffer
460  * @v out_len Length of output buffer
461  * @v seeds ( data, len ) pairs of seed data, terminated by NULL
462  */
463 static void tls_p_hash_va ( struct tls_connection *tls,
464  struct digest_algorithm *digest,
465  void *secret, size_t secret_len,
466  void *out, size_t out_len,
467  va_list seeds ) {
468  uint8_t secret_copy[secret_len];
469  uint8_t digest_ctx[digest->ctxsize];
470  uint8_t digest_ctx_partial[digest->ctxsize];
471  uint8_t a[digest->digestsize];
472  uint8_t out_tmp[digest->digestsize];
473  size_t frag_len = digest->digestsize;
474  va_list tmp;
475 
476  /* Copy the secret, in case HMAC modifies it */
477  memcpy ( secret_copy, secret, secret_len );
478  secret = secret_copy;
479  DBGC2 ( tls, "TLS %p %s secret:\n", tls, digest->name );
480  DBGC2_HD ( tls, secret, secret_len );
481 
482  /* Calculate A(1) */
483  hmac_init ( digest, digest_ctx, secret, &secret_len );
484  va_copy ( tmp, seeds );
485  tls_hmac_update_va ( digest, digest_ctx, tmp );
486  va_end ( tmp );
487  hmac_final ( digest, digest_ctx, secret, &secret_len, a );
488  DBGC2 ( tls, "TLS %p %s A(1):\n", tls, digest->name );
489  DBGC2_HD ( tls, &a, sizeof ( a ) );
490 
491  /* Generate as much data as required */
492  while ( out_len ) {
493  /* Calculate output portion */
494  hmac_init ( digest, digest_ctx, secret, &secret_len );
495  hmac_update ( digest, digest_ctx, a, sizeof ( a ) );
496  memcpy ( digest_ctx_partial, digest_ctx, digest->ctxsize );
497  va_copy ( tmp, seeds );
498  tls_hmac_update_va ( digest, digest_ctx, tmp );
499  va_end ( tmp );
500  hmac_final ( digest, digest_ctx,
501  secret, &secret_len, out_tmp );
502 
503  /* Copy output */
504  if ( frag_len > out_len )
505  frag_len = out_len;
506  memcpy ( out, out_tmp, frag_len );
507  DBGC2 ( tls, "TLS %p %s output:\n", tls, digest->name );
508  DBGC2_HD ( tls, out, frag_len );
509 
510  /* Calculate A(i) */
511  hmac_final ( digest, digest_ctx_partial,
512  secret, &secret_len, a );
513  DBGC2 ( tls, "TLS %p %s A(n):\n", tls, digest->name );
514  DBGC2_HD ( tls, &a, sizeof ( a ) );
515 
516  out += frag_len;
517  out_len -= frag_len;
518  }
519 }
520 
521 /**
522  * Generate secure pseudo-random data
523  *
524  * @v tls TLS connection
525  * @v secret Secret
526  * @v secret_len Length of secret
527  * @v out Output buffer
528  * @v out_len Length of output buffer
529  * @v ... ( data, len ) pairs of seed data, terminated by NULL
530  */
531 static void tls_prf ( struct tls_connection *tls, void *secret,
532  size_t secret_len, void *out, size_t out_len, ... ) {
533  va_list seeds;
534  va_list tmp;
535  size_t subsecret_len;
536  void *md5_secret;
537  void *sha1_secret;
538  uint8_t buf[out_len];
539  unsigned int i;
540 
541  va_start ( seeds, out_len );
542 
543  if ( tls->version >= TLS_VERSION_TLS_1_2 ) {
544  /* Use P_SHA256 for TLSv1.2 and later */
545  tls_p_hash_va ( tls, &sha256_algorithm, secret, secret_len,
546  out, out_len, seeds );
547  } else {
548  /* Use combination of P_MD5 and P_SHA-1 for TLSv1.1
549  * and earlier
550  */
551 
552  /* Split secret into two, with an overlap of up to one byte */
553  subsecret_len = ( ( secret_len + 1 ) / 2 );
554  md5_secret = secret;
555  sha1_secret = ( secret + secret_len - subsecret_len );
556 
557  /* Calculate MD5 portion */
558  va_copy ( tmp, seeds );
559  tls_p_hash_va ( tls, &md5_algorithm, md5_secret,
560  subsecret_len, out, out_len, seeds );
561  va_end ( tmp );
562 
563  /* Calculate SHA1 portion */
564  va_copy ( tmp, seeds );
565  tls_p_hash_va ( tls, &sha1_algorithm, sha1_secret,
566  subsecret_len, buf, out_len, seeds );
567  va_end ( tmp );
568 
569  /* XOR the two portions together into the final output buffer */
570  for ( i = 0 ; i < out_len ; i++ )
571  *( ( uint8_t * ) out + i ) ^= buf[i];
572  }
573 
574  va_end ( seeds );
575 }
576 
577 /**
578  * Generate secure pseudo-random data
579  *
580  * @v secret Secret
581  * @v secret_len Length of secret
582  * @v out Output buffer
583  * @v out_len Length of output buffer
584  * @v label String literal label
585  * @v ... ( data, len ) pairs of seed data
586  */
587 #define tls_prf_label( tls, secret, secret_len, out, out_len, label, ... ) \
588  tls_prf ( (tls), (secret), (secret_len), (out), (out_len), \
589  label, ( sizeof ( label ) - 1 ), __VA_ARGS__, NULL )
590 
591 /******************************************************************************
592  *
593  * Secret management
594  *
595  ******************************************************************************
596  */
597 
598 /**
599  * Generate master secret
600  *
601  * @v tls TLS connection
602  *
603  * The pre-master secret and the client and server random values must
604  * already be known.
605  */
606 static void tls_generate_master_secret ( struct tls_connection *tls ) {
607  DBGC ( tls, "TLS %p pre-master-secret:\n", tls );
608  DBGC_HD ( tls, &tls->pre_master_secret,
609  sizeof ( tls->pre_master_secret ) );
610  DBGC ( tls, "TLS %p client random bytes:\n", tls );
611  DBGC_HD ( tls, &tls->client_random, sizeof ( tls->client_random ) );
612  DBGC ( tls, "TLS %p server random bytes:\n", tls );
613  DBGC_HD ( tls, &tls->server_random, sizeof ( tls->server_random ) );
614 
615  tls_prf_label ( tls, &tls->pre_master_secret,
616  sizeof ( tls->pre_master_secret ),
617  &tls->master_secret, sizeof ( tls->master_secret ),
618  "master secret",
619  &tls->client_random, sizeof ( tls->client_random ),
620  &tls->server_random, sizeof ( tls->server_random ) );
621 
622  DBGC ( tls, "TLS %p generated master secret:\n", tls );
623  DBGC_HD ( tls, &tls->master_secret, sizeof ( tls->master_secret ) );
624 }
625 
626 /**
627  * Generate key material
628  *
629  * @v tls TLS connection
630  *
631  * The master secret must already be known.
632  */
633 static int tls_generate_keys ( struct tls_connection *tls ) {
634  struct tls_cipherspec *tx_cipherspec = &tls->tx_cipherspec_pending;
635  struct tls_cipherspec *rx_cipherspec = &tls->rx_cipherspec_pending;
636  size_t hash_size = tx_cipherspec->suite->digest->digestsize;
637  size_t key_size = tx_cipherspec->suite->key_len;
638  size_t iv_size = tx_cipherspec->suite->cipher->blocksize;
639  size_t total = ( 2 * ( hash_size + key_size + iv_size ) );
640  uint8_t key_block[total];
641  uint8_t *key;
642  int rc;
643 
644  /* Generate key block */
645  tls_prf_label ( tls, &tls->master_secret, sizeof ( tls->master_secret ),
646  key_block, sizeof ( key_block ), "key expansion",
647  &tls->server_random, sizeof ( tls->server_random ),
648  &tls->client_random, sizeof ( tls->client_random ) );
649 
650  /* Split key block into portions */
651  key = key_block;
652 
653  /* TX MAC secret */
654  memcpy ( tx_cipherspec->mac_secret, key, hash_size );
655  DBGC ( tls, "TLS %p TX MAC secret:\n", tls );
656  DBGC_HD ( tls, key, hash_size );
657  key += hash_size;
658 
659  /* RX MAC secret */
660  memcpy ( rx_cipherspec->mac_secret, key, hash_size );
661  DBGC ( tls, "TLS %p RX MAC secret:\n", tls );
662  DBGC_HD ( tls, key, hash_size );
663  key += hash_size;
664 
665  /* TX key */
666  if ( ( rc = cipher_setkey ( tx_cipherspec->suite->cipher,
667  tx_cipherspec->cipher_ctx,
668  key, key_size ) ) != 0 ) {
669  DBGC ( tls, "TLS %p could not set TX key: %s\n",
670  tls, strerror ( rc ) );
671  return rc;
672  }
673  DBGC ( tls, "TLS %p TX key:\n", tls );
674  DBGC_HD ( tls, key, key_size );
675  key += key_size;
676 
677  /* RX key */
678  if ( ( rc = cipher_setkey ( rx_cipherspec->suite->cipher,
679  rx_cipherspec->cipher_ctx,
680  key, key_size ) ) != 0 ) {
681  DBGC ( tls, "TLS %p could not set TX key: %s\n",
682  tls, strerror ( rc ) );
683  return rc;
684  }
685  DBGC ( tls, "TLS %p RX key:\n", tls );
686  DBGC_HD ( tls, key, key_size );
687  key += key_size;
688 
689  /* TX initialisation vector */
690  cipher_setiv ( tx_cipherspec->suite->cipher,
691  tx_cipherspec->cipher_ctx, key );
692  DBGC ( tls, "TLS %p TX IV:\n", tls );
693  DBGC_HD ( tls, key, iv_size );
694  key += iv_size;
695 
696  /* RX initialisation vector */
697  cipher_setiv ( rx_cipherspec->suite->cipher,
698  rx_cipherspec->cipher_ctx, key );
699  DBGC ( tls, "TLS %p RX IV:\n", tls );
700  DBGC_HD ( tls, key, iv_size );
701  key += iv_size;
702 
703  assert ( ( key_block + total ) == key );
704 
705  return 0;
706 }
707 
708 /******************************************************************************
709  *
710  * Cipher suite management
711  *
712  ******************************************************************************
713  */
714 
715 /** Null cipher suite */
716 struct tls_cipher_suite tls_cipher_suite_null = {
717  .pubkey = &pubkey_null,
718  .cipher = &cipher_null,
719  .digest = &digest_null,
720 };
721 
722 /** Number of supported cipher suites */
723 #define TLS_NUM_CIPHER_SUITES table_num_entries ( TLS_CIPHER_SUITES )
724 
725 /**
726  * Identify cipher suite
727  *
728  * @v cipher_suite Cipher suite specification
729  * @ret suite Cipher suite, or NULL
730  */
731 static struct tls_cipher_suite *
732 tls_find_cipher_suite ( unsigned int cipher_suite ) {
733  struct tls_cipher_suite *suite;
734 
735  /* Identify cipher suite */
736  for_each_table_entry ( suite, TLS_CIPHER_SUITES ) {
737  if ( suite->code == cipher_suite )
738  return suite;
739  }
740 
741  return NULL;
742 }
743 
744 /**
745  * Clear cipher suite
746  *
747  * @v cipherspec TLS cipher specification
748  */
749 static void tls_clear_cipher ( struct tls_connection *tls __unused,
750  struct tls_cipherspec *cipherspec ) {
751 
752  if ( cipherspec->suite ) {
753  pubkey_final ( cipherspec->suite->pubkey,
754  cipherspec->pubkey_ctx );
755  }
756  free ( cipherspec->dynamic );
757  memset ( cipherspec, 0, sizeof ( *cipherspec ) );
758  cipherspec->suite = &tls_cipher_suite_null;
759 }
760 
761 /**
762  * Set cipher suite
763  *
764  * @v tls TLS connection
765  * @v cipherspec TLS cipher specification
766  * @v suite Cipher suite
767  * @ret rc Return status code
768  */
769 static int tls_set_cipher ( struct tls_connection *tls,
770  struct tls_cipherspec *cipherspec,
771  struct tls_cipher_suite *suite ) {
772  struct pubkey_algorithm *pubkey = suite->pubkey;
773  struct cipher_algorithm *cipher = suite->cipher;
774  struct digest_algorithm *digest = suite->digest;
775  size_t total;
776  void *dynamic;
777 
778  /* Clear out old cipher contents, if any */
779  tls_clear_cipher ( tls, cipherspec );
780 
781  /* Allocate dynamic storage */
782  total = ( pubkey->ctxsize + 2 * cipher->ctxsize + digest->digestsize );
783  dynamic = zalloc ( total );
784  if ( ! dynamic ) {
785  DBGC ( tls, "TLS %p could not allocate %zd bytes for crypto "
786  "context\n", tls, total );
787  return -ENOMEM_CONTEXT;
788  }
789 
790  /* Assign storage */
791  cipherspec->dynamic = dynamic;
792  cipherspec->pubkey_ctx = dynamic; dynamic += pubkey->ctxsize;
793  cipherspec->cipher_ctx = dynamic; dynamic += cipher->ctxsize;
794  cipherspec->cipher_next_ctx = dynamic; dynamic += cipher->ctxsize;
795  cipherspec->mac_secret = dynamic; dynamic += digest->digestsize;
796  assert ( ( cipherspec->dynamic + total ) == dynamic );
797 
798  /* Store parameters */
799  cipherspec->suite = suite;
800 
801  return 0;
802 }
803 
804 /**
805  * Select next cipher suite
806  *
807  * @v tls TLS connection
808  * @v cipher_suite Cipher suite specification
809  * @ret rc Return status code
810  */
811 static int tls_select_cipher ( struct tls_connection *tls,
812  unsigned int cipher_suite ) {
813  struct tls_cipher_suite *suite;
814  int rc;
815 
816  /* Identify cipher suite */
817  suite = tls_find_cipher_suite ( cipher_suite );
818  if ( ! suite ) {
819  DBGC ( tls, "TLS %p does not support cipher %04x\n",
820  tls, ntohs ( cipher_suite ) );
821  return -ENOTSUP_CIPHER;
822  }
823 
824  /* Set ciphers */
825  if ( ( rc = tls_set_cipher ( tls, &tls->tx_cipherspec_pending,
826  suite ) ) != 0 )
827  return rc;
828  if ( ( rc = tls_set_cipher ( tls, &tls->rx_cipherspec_pending,
829  suite ) ) != 0 )
830  return rc;
831 
832  DBGC ( tls, "TLS %p selected %s-%s-%d-%s\n", tls, suite->pubkey->name,
833  suite->cipher->name, ( suite->key_len * 8 ),
834  suite->digest->name );
835 
836  return 0;
837 }
838 
839 /**
840  * Activate next cipher suite
841  *
842  * @v tls TLS connection
843  * @v pending Pending cipher specification
844  * @v active Active cipher specification to replace
845  * @ret rc Return status code
846  */
847 static int tls_change_cipher ( struct tls_connection *tls,
848  struct tls_cipherspec *pending,
849  struct tls_cipherspec *active ) {
850 
851  /* Sanity check */
852  if ( pending->suite == &tls_cipher_suite_null ) {
853  DBGC ( tls, "TLS %p refusing to use null cipher\n", tls );
854  return -ENOTSUP_NULL;
855  }
856 
857  tls_clear_cipher ( tls, active );
858  memswap ( active, pending, sizeof ( *active ) );
859  return 0;
860 }
861 
862 /******************************************************************************
863  *
864  * Signature and hash algorithms
865  *
866  ******************************************************************************
867  */
868 
869 /** Number of supported signature and hash algorithms */
870 #define TLS_NUM_SIG_HASH_ALGORITHMS \
871  table_num_entries ( TLS_SIG_HASH_ALGORITHMS )
872 
873 /**
874  * Find TLS signature and hash algorithm
875  *
876  * @v pubkey Public-key algorithm
877  * @v digest Digest algorithm
878  * @ret sig_hash Signature and hash algorithm, or NULL
879  */
880 static struct tls_signature_hash_algorithm *
881 tls_signature_hash_algorithm ( struct pubkey_algorithm *pubkey,
882  struct digest_algorithm *digest ) {
883  struct tls_signature_hash_algorithm *sig_hash;
884 
885  /* Identify signature and hash algorithm */
886  for_each_table_entry ( sig_hash, TLS_SIG_HASH_ALGORITHMS ) {
887  if ( ( sig_hash->pubkey == pubkey ) &&
888  ( sig_hash->digest == digest ) ) {
889  return sig_hash;
890  }
891  }
892 
893  return NULL;
894 }
895 
896 /******************************************************************************
897  *
898  * Handshake verification
899  *
900  ******************************************************************************
901  */
902 
903 /**
904  * Add handshake record to verification hash
905  *
906  * @v tls TLS connection
907  * @v data Handshake record
908  * @v len Length of handshake record
909  */
910 static void tls_add_handshake ( struct tls_connection *tls,
911  const void *data, size_t len ) {
912 
913  digest_update ( &md5_sha1_algorithm, tls->handshake_md5_sha1_ctx,
914  data, len );
915  digest_update ( &sha256_algorithm, tls->handshake_sha256_ctx,
916  data, len );
917 }
918 
919 /**
920  * Calculate handshake verification hash
921  *
922  * @v tls TLS connection
923  * @v out Output buffer
924  *
925  * Calculates the MD5+SHA1 or SHA256 digest over all handshake
926  * messages seen so far.
927  */
928 static void tls_verify_handshake ( struct tls_connection *tls, void *out ) {
929  struct digest_algorithm *digest = tls->handshake_digest;
930  uint8_t ctx[ digest->ctxsize ];
931 
932  memcpy ( ctx, tls->handshake_ctx, sizeof ( ctx ) );
933  digest_final ( digest, ctx, out );
934 }
935 
936 /******************************************************************************
937  *
938  * Record handling
939  *
940  ******************************************************************************
941  */
942 
943 /**
944  * Resume TX state machine
945  *
946  * @v tls TLS connection
947  */
948 static void tls_tx_resume ( struct tls_connection *tls ) {
949  process_add ( &tls->process );
950 }
951 
952 /**
953  * Resume TX state machine for all connections within a session
954  *
955  * @v session TLS session
956  */
957 static void tls_tx_resume_all ( struct tls_session *session ) {
958  struct tls_connection *tls;
959 
960  list_for_each_entry ( tls, &session->conn, list )
961  tls_tx_resume ( tls );
962 }
963 
964 /**
965  * Restart negotiation
966  *
967  * @v tls TLS connection
968  */
969 static void tls_restart ( struct tls_connection *tls ) {
970 
971  /* Sanity check */
972  assert ( ! tls->tx_pending );
973  assert ( ! is_pending ( &tls->client_negotiation ) );
974  assert ( ! is_pending ( &tls->server_negotiation ) );
975  assert ( ! is_pending ( &tls->validation ) );
976 
977  /* (Re)initialise handshake context */
978  digest_init ( &md5_sha1_algorithm, tls->handshake_md5_sha1_ctx );
979  digest_init ( &sha256_algorithm, tls->handshake_sha256_ctx );
980  tls->handshake_digest = &sha256_algorithm;
981  tls->handshake_ctx = tls->handshake_sha256_ctx;
982 
983  /* (Re)start negotiation */
984  tls->tx_pending = TLS_TX_CLIENT_HELLO;
985  tls_tx_resume ( tls );
986  pending_get ( &tls->client_negotiation );
987  pending_get ( &tls->server_negotiation );
988 }
989 
990 /**
991  * Transmit Handshake record
992  *
993  * @v tls TLS connection
994  * @v data Plaintext record
995  * @v len Length of plaintext record
996  * @ret rc Return status code
997  */
998 static int tls_send_handshake ( struct tls_connection *tls,
999  void *data, size_t len ) {
1000 
1001  /* Add to handshake digest */
1002  tls_add_handshake ( tls, data, len );
1003 
1004  /* Send record */
1005  return tls_send_plaintext ( tls, TLS_TYPE_HANDSHAKE, data, len );
1006 }
1007 
1008 /**
1009  * Transmit Client Hello record
1010  *
1011  * @v tls TLS connection
1012  * @ret rc Return status code
1013  */
1014 static int tls_send_client_hello ( struct tls_connection *tls ) {
1015  struct tls_session *session = tls->session;
1016  size_t name_len = strlen ( session->name );
1017  struct {
1018  uint32_t type_length;
1019  uint16_t version;
1020  uint8_t random[32];
1021  uint8_t session_id_len;
1022  uint8_t session_id[tls->session_id_len];
1023  uint16_t cipher_suite_len;
1024  uint16_t cipher_suites[TLS_NUM_CIPHER_SUITES];
1025  uint8_t compression_methods_len;
1026  uint8_t compression_methods[1];
1027  uint16_t extensions_len;
1028  struct {
1029  uint16_t server_name_type;
1030  uint16_t server_name_len;
1031  struct {
1032  uint16_t len;
1033  struct {
1034  uint8_t type;
1035  uint16_t len;
1036  uint8_t name[name_len];
1037  } __attribute__ (( packed )) list[1];
1038  } __attribute__ (( packed )) server_name;
1039  uint16_t max_fragment_length_type;
1040  uint16_t max_fragment_length_len;
1041  struct {
1042  uint8_t max;
1043  } __attribute__ (( packed )) max_fragment_length;
1044  uint16_t signature_algorithms_type;
1045  uint16_t signature_algorithms_len;
1046  struct {
1047  uint16_t len;
1048  struct tls_signature_hash_id
1049  code[TLS_NUM_SIG_HASH_ALGORITHMS];
1050  } __attribute__ (( packed )) signature_algorithms;
1051  uint16_t renegotiation_info_type;
1052  uint16_t renegotiation_info_len;
1053  struct {
1054  uint8_t len;
1055  uint8_t data[ tls->secure_renegotiation ?
1056  sizeof ( tls->verify.client ) :0];
1057  } __attribute__ (( packed )) renegotiation_info;
1058  uint16_t session_ticket_type;
1059  uint16_t session_ticket_len;
1060  struct {
1061  uint8_t data[session->ticket_len];
1062  } __attribute__ (( packed )) session_ticket;
1063  } __attribute__ (( packed )) extensions;
1064  } __attribute__ (( packed )) hello;
1065  struct tls_cipher_suite *suite;
1066  struct tls_signature_hash_algorithm *sighash;
1067  unsigned int i;
1068 
1069  /* Construct record */
1070  memset ( &hello, 0, sizeof ( hello ) );
1071  hello.type_length = ( cpu_to_le32 ( TLS_CLIENT_HELLO ) |
1072  htonl ( sizeof ( hello ) -
1073  sizeof ( hello.type_length ) ) );
1074  hello.version = htons ( tls->version );
1075  memcpy ( &hello.random, &tls->client_random, sizeof ( hello.random ) );
1076  hello.session_id_len = tls->session_id_len;
1077  memcpy ( hello.session_id, tls->session_id,
1078  sizeof ( hello.session_id ) );
1079  hello.cipher_suite_len = htons ( sizeof ( hello.cipher_suites ) );
1080  i = 0 ; for_each_table_entry ( suite, TLS_CIPHER_SUITES )
1081  hello.cipher_suites[i++] = suite->code;
1082  hello.compression_methods_len = sizeof ( hello.compression_methods );
1083  hello.extensions_len = htons ( sizeof ( hello.extensions ) );
1084  hello.extensions.server_name_type = htons ( TLS_SERVER_NAME );
1085  hello.extensions.server_name_len
1086  = htons ( sizeof ( hello.extensions.server_name ) );
1087  hello.extensions.server_name.len
1088  = htons ( sizeof ( hello.extensions.server_name.list ) );
1089  hello.extensions.server_name.list[0].type = TLS_SERVER_NAME_HOST_NAME;
1090  hello.extensions.server_name.list[0].len
1091  = htons ( sizeof ( hello.extensions.server_name.list[0].name ));
1092  memcpy ( hello.extensions.server_name.list[0].name, session->name,
1093  sizeof ( hello.extensions.server_name.list[0].name ) );
1094  hello.extensions.max_fragment_length_type
1095  = htons ( TLS_MAX_FRAGMENT_LENGTH );
1096  hello.extensions.max_fragment_length_len
1097  = htons ( sizeof ( hello.extensions.max_fragment_length ) );
1098  hello.extensions.max_fragment_length.max
1099  = TLS_MAX_FRAGMENT_LENGTH_4096;
1100  hello.extensions.signature_algorithms_type
1101  = htons ( TLS_SIGNATURE_ALGORITHMS );
1102  hello.extensions.signature_algorithms_len
1103  = htons ( sizeof ( hello.extensions.signature_algorithms ) );
1104  hello.extensions.signature_algorithms.len
1105  = htons ( sizeof ( hello.extensions.signature_algorithms.code));
1106  i = 0 ; for_each_table_entry ( sighash, TLS_SIG_HASH_ALGORITHMS )
1107  hello.extensions.signature_algorithms.code[i++] = sighash->code;
1108  hello.extensions.renegotiation_info_type
1109  = htons ( TLS_RENEGOTIATION_INFO );
1110  hello.extensions.renegotiation_info_len
1111  = htons ( sizeof ( hello.extensions.renegotiation_info ) );
1112  hello.extensions.renegotiation_info.len
1113  = sizeof ( hello.extensions.renegotiation_info.data );
1114  memcpy ( hello.extensions.renegotiation_info.data, tls->verify.client,
1115  sizeof ( hello.extensions.renegotiation_info.data ) );
1116  hello.extensions.session_ticket_type = htons ( TLS_SESSION_TICKET );
1117  hello.extensions.session_ticket_len
1118  = htons ( sizeof ( hello.extensions.session_ticket ) );
1119  memcpy ( hello.extensions.session_ticket.data, session->ticket,
1120  sizeof ( hello.extensions.session_ticket.data ) );
1121 
1122  return tls_send_handshake ( tls, &hello, sizeof ( hello ) );
1123 }
1124 
1125 /**
1126  * Transmit Certificate record
1127  *
1128  * @v tls TLS connection
1129  * @ret rc Return status code
1130  */
1131 static int tls_send_certificate ( struct tls_connection *tls ) {
1132  struct {
1133  uint32_t type_length;
1134  tls24_t length;
1135  struct {
1136  tls24_t length;
1137  uint8_t data[ tls->cert->raw.len ];
1138  } __attribute__ (( packed )) certificates[1];
1139  } __attribute__ (( packed )) *certificate;
1140  int rc;
1141 
1142  /* Allocate storage for Certificate record (which may be too
1143  * large for the stack).
1144  */
1145  certificate = zalloc ( sizeof ( *certificate ) );
1146  if ( ! certificate )
1147  return -ENOMEM_CERTIFICATE;
1148 
1149  /* Populate record */
1150  certificate->type_length =
1151  ( cpu_to_le32 ( TLS_CERTIFICATE ) |
1152  htonl ( sizeof ( *certificate ) -
1153  sizeof ( certificate->type_length ) ) );
1154  tls_set_uint24 ( &certificate->length,
1155  sizeof ( certificate->certificates ) );
1156  tls_set_uint24 ( &certificate->certificates[0].length,
1157  sizeof ( certificate->certificates[0].data ) );
1158  memcpy ( certificate->certificates[0].data,
1159  tls->cert->raw.data,
1160  sizeof ( certificate->certificates[0].data ) );
1161 
1162  /* Transmit record */
1163  rc = tls_send_handshake ( tls, certificate, sizeof ( *certificate ) );
1164 
1165  /* Free record */
1166  free ( certificate );
1167 
1168  return rc;
1169 }
1170 
1171 /**
1172  * Transmit Client Key Exchange record
1173  *
1174  * @v tls TLS connection
1175  * @ret rc Return status code
1176  */
1177 static int tls_send_client_key_exchange ( struct tls_connection *tls ) {
1178  struct tls_cipherspec *cipherspec = &tls->tx_cipherspec_pending;
1179  struct pubkey_algorithm *pubkey = cipherspec->suite->pubkey;
1180  size_t max_len = pubkey_max_len ( pubkey, cipherspec->pubkey_ctx );
1181  struct {
1182  uint32_t type_length;
1183  uint16_t encrypted_pre_master_secret_len;
1184  uint8_t encrypted_pre_master_secret[max_len];
1185  } __attribute__ (( packed )) key_xchg;
1186  size_t unused;
1187  int len;
1188  int rc;
1189 
1190  /* Encrypt pre-master secret using server's public key */
1191  memset ( &key_xchg, 0, sizeof ( key_xchg ) );
1192  len = pubkey_encrypt ( pubkey, cipherspec->pubkey_ctx,
1193  &tls->pre_master_secret,
1194  sizeof ( tls->pre_master_secret ),
1195  key_xchg.encrypted_pre_master_secret );
1196  if ( len < 0 ) {
1197  rc = len;
1198  DBGC ( tls, "TLS %p could not encrypt pre-master secret: %s\n",
1199  tls, strerror ( rc ) );
1200  return rc;
1201  }
1202  unused = ( max_len - len );
1203  key_xchg.type_length =
1204  ( cpu_to_le32 ( TLS_CLIENT_KEY_EXCHANGE ) |
1205  htonl ( sizeof ( key_xchg ) -
1206  sizeof ( key_xchg.type_length ) - unused ) );
1207  key_xchg.encrypted_pre_master_secret_len =
1208  htons ( sizeof ( key_xchg.encrypted_pre_master_secret ) -
1209  unused );
1210 
1211  return tls_send_handshake ( tls, &key_xchg,
1212  ( sizeof ( key_xchg ) - unused ) );
1213 }
1214 
1215 /**
1216  * Transmit Certificate Verify record
1217  *
1218  * @v tls TLS connection
1219  * @ret rc Return status code
1220  */
1221 static int tls_send_certificate_verify ( struct tls_connection *tls ) {
1222  struct digest_algorithm *digest = tls->handshake_digest;
1223  struct x509_certificate *cert = tls->cert;
1224  struct pubkey_algorithm *pubkey = cert->signature_algorithm->pubkey;
1225  uint8_t digest_out[ digest->digestsize ];
1226  uint8_t ctx[ pubkey->ctxsize ];
1227  struct tls_signature_hash_algorithm *sig_hash = NULL;
1228  int rc;
1229 
1230  /* Generate digest to be signed */
1231  tls_verify_handshake ( tls, digest_out );
1232 
1233  /* Initialise public-key algorithm */
1234  if ( ( rc = pubkey_init ( pubkey, ctx, private_key.data,
1235  private_key.len ) ) != 0 ) {
1236  DBGC ( tls, "TLS %p could not initialise %s client private "
1237  "key: %s\n", tls, pubkey->name, strerror ( rc ) );
1238  goto err_pubkey_init;
1239  }
1240 
1241  /* TLSv1.2 and later use explicit algorithm identifiers */
1242  if ( tls->version >= TLS_VERSION_TLS_1_2 ) {
1243  sig_hash = tls_signature_hash_algorithm ( pubkey, digest );
1244  if ( ! sig_hash ) {
1245  DBGC ( tls, "TLS %p could not identify (%s,%s) "
1246  "signature and hash algorithm\n", tls,
1247  pubkey->name, digest->name );
1248  rc = -ENOTSUP_SIG_HASH;
1249  goto err_sig_hash;
1250  }
1251  }
1252 
1253  /* Generate and transmit record */
1254  {
1255  size_t max_len = pubkey_max_len ( pubkey, ctx );
1256  int use_sig_hash = ( ( sig_hash == NULL ) ? 0 : 1 );
1257  struct {
1258  uint32_t type_length;
1259  struct tls_signature_hash_id sig_hash[use_sig_hash];
1260  uint16_t signature_len;
1261  uint8_t signature[max_len];
1262  } __attribute__ (( packed )) certificate_verify;
1263  size_t unused;
1264  int len;
1265 
1266  /* Sign digest */
1267  len = pubkey_sign ( pubkey, ctx, digest, digest_out,
1268  certificate_verify.signature );
1269  if ( len < 0 ) {
1270  rc = len;
1271  DBGC ( tls, "TLS %p could not sign %s digest using %s "
1272  "client private key: %s\n", tls, digest->name,
1273  pubkey->name, strerror ( rc ) );
1274  goto err_pubkey_sign;
1275  }
1276  unused = ( max_len - len );
1277 
1278  /* Construct Certificate Verify record */
1279  certificate_verify.type_length =
1280  ( cpu_to_le32 ( TLS_CERTIFICATE_VERIFY ) |
1281  htonl ( sizeof ( certificate_verify ) -
1282  sizeof ( certificate_verify.type_length ) -
1283  unused ) );
1284  if ( use_sig_hash ) {
1285  memcpy ( &certificate_verify.sig_hash[0],
1286  &sig_hash->code,
1287  sizeof ( certificate_verify.sig_hash[0] ) );
1288  }
1289  certificate_verify.signature_len =
1290  htons ( sizeof ( certificate_verify.signature ) -
1291  unused );
1292 
1293  /* Transmit record */
1294  rc = tls_send_handshake ( tls, &certificate_verify,
1295  ( sizeof ( certificate_verify ) - unused ) );
1296  }
1297 
1298  err_pubkey_sign:
1299  err_sig_hash:
1300  pubkey_final ( pubkey, ctx );
1301  err_pubkey_init:
1302  return rc;
1303 }
1304 
1305 /**
1306  * Transmit Change Cipher record
1307  *
1308  * @v tls TLS connection
1309  * @ret rc Return status code
1310  */
1311 static int tls_send_change_cipher ( struct tls_connection *tls ) {
1312  static const uint8_t change_cipher[1] = { 1 };
1313  return tls_send_plaintext ( tls, TLS_TYPE_CHANGE_CIPHER,
1314  change_cipher, sizeof ( change_cipher ) );
1315 }
1316 
1317 /**
1318  * Transmit Finished record
1319  *
1320  * @v tls TLS connection
1321  * @ret rc Return status code
1322  */
1323 static int tls_send_finished ( struct tls_connection *tls ) {
1324  struct digest_algorithm *digest = tls->handshake_digest;
1325  struct {
1326  uint32_t type_length;
1327  uint8_t verify_data[ sizeof ( tls->verify.client ) ];
1328  } __attribute__ (( packed )) finished;
1329  uint8_t digest_out[ digest->digestsize ];
1330  int rc;
1331 
1332  /* Construct client verification data */
1333  tls_verify_handshake ( tls, digest_out );
1334  tls_prf_label ( tls, &tls->master_secret, sizeof ( tls->master_secret ),
1335  tls->verify.client, sizeof ( tls->verify.client ),
1336  "client finished", digest_out, sizeof ( digest_out ) );
1337 
1338  /* Construct record */
1339  memset ( &finished, 0, sizeof ( finished ) );
1340  finished.type_length = ( cpu_to_le32 ( TLS_FINISHED ) |
1341  htonl ( sizeof ( finished ) -
1342  sizeof ( finished.type_length ) ) );
1343  memcpy ( finished.verify_data, tls->verify.client,
1344  sizeof ( finished.verify_data ) );
1345 
1346  /* Transmit record */
1347  if ( ( rc = tls_send_handshake ( tls, &finished,
1348  sizeof ( finished ) ) ) != 0 )
1349  return rc;
1350 
1351  /* Mark client as finished */
1352  pending_put ( &tls->client_negotiation );
1353 
1354  return 0;
1355 }
1356 
1357 /**
1358  * Receive new Change Cipher record
1359  *
1360  * @v tls TLS connection
1361  * @v data Plaintext record
1362  * @v len Length of plaintext record
1363  * @ret rc Return status code
1364  */
1365 static int tls_new_change_cipher ( struct tls_connection *tls,
1366  const void *data, size_t len ) {
1367  int rc;
1368 
1369  if ( ( len != 1 ) || ( *( ( uint8_t * ) data ) != 1 ) ) {
1370  DBGC ( tls, "TLS %p received invalid Change Cipher\n", tls );
1371  DBGC_HD ( tls, data, len );
1372  return -EINVAL_CHANGE_CIPHER;
1373  }
1374 
1375  if ( ( rc = tls_change_cipher ( tls, &tls->rx_cipherspec_pending,
1376  &tls->rx_cipherspec ) ) != 0 ) {
1377  DBGC ( tls, "TLS %p could not activate RX cipher: %s\n",
1378  tls, strerror ( rc ) );
1379  return rc;
1380  }
1381  tls->rx_seq = ~( ( uint64_t ) 0 );
1382 
1383  return 0;
1384 }
1385 
1386 /**
1387  * Receive new Alert record
1388  *
1389  * @v tls TLS connection
1390  * @v data Plaintext record
1391  * @v len Length of plaintext record
1392  * @ret rc Return status code
1393  */
1394 static int tls_new_alert ( struct tls_connection *tls, const void *data,
1395  size_t len ) {
1396  const struct {
1397  uint8_t level;
1398  uint8_t description;
1399  char next[0];
1400  } __attribute__ (( packed )) *alert = data;
1401 
1402  /* Sanity check */
1403  if ( sizeof ( *alert ) != len ) {
1404  DBGC ( tls, "TLS %p received overlength Alert\n", tls );
1405  DBGC_HD ( tls, data, len );
1406  return -EINVAL_ALERT;
1407  }
1408 
1409  switch ( alert->level ) {
1410  case TLS_ALERT_WARNING:
1411  DBGC ( tls, "TLS %p received warning alert %d\n",
1412  tls, alert->description );
1413  return 0;
1414  case TLS_ALERT_FATAL:
1415  DBGC ( tls, "TLS %p received fatal alert %d\n",
1416  tls, alert->description );
1417  return -EPERM_ALERT;
1418  default:
1419  DBGC ( tls, "TLS %p received unknown alert level %d"
1420  "(alert %d)\n", tls, alert->level, alert->description );
1421  return -EIO_ALERT;
1422  }
1423 }
1424 
1425 /**
1426  * Receive new Hello Request handshake record
1427  *
1428  * @v tls TLS connection
1429  * @v data Plaintext handshake record
1430  * @v len Length of plaintext handshake record
1431  * @ret rc Return status code
1432  */
1433 static int tls_new_hello_request ( struct tls_connection *tls,
1434  const void *data __unused,
1435  size_t len __unused ) {
1436 
1437  /* Ignore if a handshake is in progress */
1438  if ( ! tls_ready ( tls ) ) {
1439  DBGC ( tls, "TLS %p ignoring Hello Request\n", tls );
1440  return 0;
1441  }
1442 
1443  /* Fail unless server supports secure renegotiation */
1444  if ( ! tls->secure_renegotiation ) {
1445  DBGC ( tls, "TLS %p refusing to renegotiate insecurely\n",
1446  tls );
1447  return -EPERM_RENEG_INSECURE;
1448  }
1449 
1450  /* Restart negotiation */
1451  tls_restart ( tls );
1452 
1453  return 0;
1454 }
1455 
1456 /**
1457  * Receive new Server Hello handshake record
1458  *
1459  * @v tls TLS connection
1460  * @v data Plaintext handshake record
1461  * @v len Length of plaintext handshake record
1462  * @ret rc Return status code
1463  */
1464 static int tls_new_server_hello ( struct tls_connection *tls,
1465  const void *data, size_t len ) {
1466  const struct {
1467  uint16_t version;
1468  uint8_t random[32];
1469  uint8_t session_id_len;
1470  uint8_t session_id[0];
1471  } __attribute__ (( packed )) *hello_a = data;
1472  const uint8_t *session_id;
1473  const struct {
1474  uint16_t cipher_suite;
1475  uint8_t compression_method;
1476  char next[0];
1477  } __attribute__ (( packed )) *hello_b;
1478  const struct {
1479  uint16_t len;
1480  uint8_t data[0];
1481  } __attribute__ (( packed )) *exts;
1482  const struct {
1483  uint16_t type;
1484  uint16_t len;
1485  uint8_t data[0];
1486  } __attribute__ (( packed )) *ext;
1487  const struct {
1488  uint8_t len;
1489  uint8_t data[0];
1490  } __attribute__ (( packed )) *reneg = NULL;
1491  uint16_t version;
1492  size_t exts_len;
1493  size_t ext_len;
1494  size_t remaining;
1495  int rc;
1496 
1497  /* Parse header */
1498  if ( ( sizeof ( *hello_a ) > len ) ||
1499  ( hello_a->session_id_len > ( len - sizeof ( *hello_a ) ) ) ||
1500  ( sizeof ( *hello_b ) > ( len - sizeof ( *hello_a ) -
1501  hello_a->session_id_len ) ) ) {
1502  DBGC ( tls, "TLS %p received underlength Server Hello\n", tls );
1503  DBGC_HD ( tls, data, len );
1504  return -EINVAL_HELLO;
1505  }
1506  session_id = hello_a->session_id;
1507  hello_b = ( ( void * ) ( session_id + hello_a->session_id_len ) );
1508 
1509  /* Parse extensions, if present */
1510  remaining = ( len - sizeof ( *hello_a ) - hello_a->session_id_len -
1511  sizeof ( *hello_b ) );
1512  if ( remaining ) {
1513 
1514  /* Parse extensions length */
1515  exts = ( ( void * ) hello_b->next );
1516  if ( ( sizeof ( *exts ) > remaining ) ||
1517  ( ( exts_len = ntohs ( exts->len ) ) >
1518  ( remaining - sizeof ( *exts ) ) ) ) {
1519  DBGC ( tls, "TLS %p received underlength extensions\n",
1520  tls );
1521  DBGC_HD ( tls, data, len );
1522  return -EINVAL_HELLO;
1523  }
1524 
1525  /* Parse extensions */
1526  for ( ext = ( ( void * ) exts->data ), remaining = exts_len ;
1527  remaining ;
1528  ext = ( ( ( void * ) ext ) + sizeof ( *ext ) + ext_len ),
1529  remaining -= ( sizeof ( *ext ) + ext_len ) ) {
1530 
1531  /* Parse extension length */
1532  if ( ( sizeof ( *ext ) > remaining ) ||
1533  ( ( ext_len = ntohs ( ext->len ) ) >
1534  ( remaining - sizeof ( *ext ) ) ) ) {
1535  DBGC ( tls, "TLS %p received underlength "
1536  "extension\n", tls );
1537  DBGC_HD ( tls, data, len );
1538  return -EINVAL_HELLO;
1539  }
1540 
1541  /* Record known extensions */
1542  switch ( ext->type ) {
1543  case htons ( TLS_RENEGOTIATION_INFO ) :
1544  reneg = ( ( void * ) ext->data );
1545  if ( ( sizeof ( *reneg ) > ext_len ) ||
1546  ( reneg->len >
1547  ( ext_len - sizeof ( *reneg ) ) ) ) {
1548  DBGC ( tls, "TLS %p received "
1549  "underlength renegotiation "
1550  "info\n", tls );
1551  DBGC_HD ( tls, data, len );
1552  return -EINVAL_HELLO;
1553  }
1554  break;
1555  }
1556  }
1557  }
1558 
1559  /* Check and store protocol version */
1560  version = ntohs ( hello_a->version );
1561  if ( version < TLS_VERSION_TLS_1_0 ) {
1562  DBGC ( tls, "TLS %p does not support protocol version %d.%d\n",
1563  tls, ( version >> 8 ), ( version & 0xff ) );
1564  return -ENOTSUP_VERSION;
1565  }
1566  if ( version > tls->version ) {
1567  DBGC ( tls, "TLS %p server attempted to illegally upgrade to "
1568  "protocol version %d.%d\n",
1569  tls, ( version >> 8 ), ( version & 0xff ) );
1570  return -EPROTO_VERSION;
1571  }
1572  tls->version = version;
1573  DBGC ( tls, "TLS %p using protocol version %d.%d\n",
1574  tls, ( version >> 8 ), ( version & 0xff ) );
1575 
1576  /* Use MD5+SHA1 digest algorithm for handshake verification
1577  * for versions earlier than TLSv1.2.
1578  */
1579  if ( tls->version < TLS_VERSION_TLS_1_2 ) {
1580  tls->handshake_digest = &md5_sha1_algorithm;
1581  tls->handshake_ctx = tls->handshake_md5_sha1_ctx;
1582  }
1583 
1584  /* Copy out server random bytes */
1585  memcpy ( &tls->server_random, &hello_a->random,
1586  sizeof ( tls->server_random ) );
1587 
1588  /* Select cipher suite */
1589  if ( ( rc = tls_select_cipher ( tls, hello_b->cipher_suite ) ) != 0 )
1590  return rc;
1591 
1592  /* Reuse or generate master secret */
1593  if ( hello_a->session_id_len &&
1594  ( hello_a->session_id_len == tls->session_id_len ) &&
1595  ( memcmp ( session_id, tls->session_id,
1596  tls->session_id_len ) == 0 ) ) {
1597 
1598  /* Session ID match: reuse master secret */
1599  DBGC ( tls, "TLS %p resuming session ID:\n", tls );
1600  DBGC_HDA ( tls, 0, tls->session_id, tls->session_id_len );
1601 
1602  } else {
1603 
1604  /* Generate new master secret */
1605  tls_generate_master_secret ( tls );
1606 
1607  /* Record new session ID, if present */
1608  if ( hello_a->session_id_len &&
1609  ( hello_a->session_id_len <= sizeof ( tls->session_id ))){
1610  tls->session_id_len = hello_a->session_id_len;
1611  memcpy ( tls->session_id, session_id,
1612  tls->session_id_len );
1613  DBGC ( tls, "TLS %p new session ID:\n", tls );
1614  DBGC_HDA ( tls, 0, tls->session_id,
1615  tls->session_id_len );
1616  }
1617  }
1618 
1619  /* Generate keys */
1620  if ( ( rc = tls_generate_keys ( tls ) ) != 0 )
1621  return rc;
1622 
1623  /* Handle secure renegotiation */
1624  if ( tls->secure_renegotiation ) {
1625 
1626  /* Secure renegotiation is expected; verify data */
1627  if ( ( reneg == NULL ) ||
1628  ( reneg->len != sizeof ( tls->verify ) ) ||
1629  ( memcmp ( reneg->data, &tls->verify,
1630  sizeof ( tls->verify ) ) != 0 ) ) {
1631  DBGC ( tls, "TLS %p server failed secure "
1632  "renegotiation\n", tls );
1633  return -EPERM_RENEG_VERIFY;
1634  }
1635 
1636  } else if ( reneg != NULL ) {
1637 
1638  /* Secure renegotiation is being enabled */
1639  if ( reneg->len != 0 ) {
1640  DBGC ( tls, "TLS %p server provided non-empty initial "
1641  "renegotiation\n", tls );
1642  return -EPERM_RENEG_VERIFY;
1643  }
1644  tls->secure_renegotiation = 1;
1645  }
1646 
1647  return 0;
1648 }
1649 
1650 /**
1651  * Receive New Session Ticket handshake record
1652  *
1653  * @v tls TLS connection
1654  * @v data Plaintext handshake record
1655  * @v len Length of plaintext handshake record
1656  * @ret rc Return status code
1657  */
1658 static int tls_new_session_ticket ( struct tls_connection *tls,
1659  const void *data, size_t len ) {
1660  const struct {
1661  uint32_t lifetime;
1662  uint16_t len;
1663  uint8_t ticket[0];
1664  } __attribute__ (( packed )) *new_session_ticket = data;
1665  size_t ticket_len;
1666 
1667  /* Parse header */
1668  if ( sizeof ( *new_session_ticket ) > len ) {
1669  DBGC ( tls, "TLS %p received underlength New Session Ticket\n",
1670  tls );
1671  DBGC_HD ( tls, data, len );
1672  return -EINVAL_TICKET;
1673  }
1674  ticket_len = ntohs ( new_session_ticket->len );
1675  if ( ticket_len > ( len - sizeof ( *new_session_ticket ) ) ) {
1676  DBGC ( tls, "TLS %p received overlength New Session Ticket\n",
1677  tls );
1678  DBGC_HD ( tls, data, len );
1679  return -EINVAL_TICKET;
1680  }
1681 
1682  /* Free any unapplied new session ticket */
1683  free ( tls->new_session_ticket );
1684  tls->new_session_ticket = NULL;
1685  tls->new_session_ticket_len = 0;
1686 
1687  /* Record ticket */
1688  tls->new_session_ticket = malloc ( ticket_len );
1689  if ( ! tls->new_session_ticket )
1690  return -ENOMEM;
1691  memcpy ( tls->new_session_ticket, new_session_ticket->ticket,
1692  ticket_len );
1693  tls->new_session_ticket_len = ticket_len;
1694  DBGC ( tls, "TLS %p new session ticket:\n", tls );
1695  DBGC_HDA ( tls, 0, tls->new_session_ticket,
1696  tls->new_session_ticket_len );
1697 
1698  return 0;
1699 }
1700 
1701 /**
1702  * Parse certificate chain
1703  *
1704  * @v tls TLS connection
1705  * @v data Certificate chain
1706  * @v len Length of certificate chain
1707  * @ret rc Return status code
1708  */
1709 static int tls_parse_chain ( struct tls_connection *tls,
1710  const void *data, size_t len ) {
1711  size_t remaining = len;
1712  int rc;
1713 
1714  /* Free any existing certificate chain */
1715  x509_chain_put ( tls->chain );
1716  tls->chain = NULL;
1717 
1718  /* Create certificate chain */
1719  tls->chain = x509_alloc_chain();
1720  if ( ! tls->chain ) {
1721  rc = -ENOMEM_CHAIN;
1722  goto err_alloc_chain;
1723  }
1724 
1725  /* Add certificates to chain */
1726  while ( remaining ) {
1727  const struct {
1728  tls24_t length;
1729  uint8_t data[0];
1730  } __attribute__ (( packed )) *certificate = data;
1731  size_t certificate_len;
1732  size_t record_len;
1733  struct x509_certificate *cert;
1734 
1735  /* Parse header */
1736  if ( sizeof ( *certificate ) > remaining ) {
1737  DBGC ( tls, "TLS %p underlength certificate:\n", tls );
1738  DBGC_HDA ( tls, 0, data, remaining );
1739  rc = -EINVAL_CERTIFICATE;
1740  goto err_underlength;
1741  }
1742  certificate_len = tls_uint24 ( &certificate->length );
1743  if ( certificate_len > ( remaining - sizeof ( *certificate ) )){
1744  DBGC ( tls, "TLS %p overlength certificate:\n", tls );
1745  DBGC_HDA ( tls, 0, data, remaining );
1746  rc = -EINVAL_CERTIFICATE;
1747  goto err_overlength;
1748  }
1749  record_len = ( sizeof ( *certificate ) + certificate_len );
1750 
1751  /* Add certificate to chain */
1752  if ( ( rc = x509_append_raw ( tls->chain, certificate->data,
1753  certificate_len ) ) != 0 ) {
1754  DBGC ( tls, "TLS %p could not append certificate: %s\n",
1755  tls, strerror ( rc ) );
1756  DBGC_HDA ( tls, 0, data, remaining );
1757  goto err_parse;
1758  }
1759  cert = x509_last ( tls->chain );
1760  DBGC ( tls, "TLS %p found certificate %s\n",
1761  tls, x509_name ( cert ) );
1762 
1763  /* Move to next certificate in list */
1764  data += record_len;
1765  remaining -= record_len;
1766  }
1767 
1768  return 0;
1769 
1770  err_parse:
1771  err_overlength:
1772  err_underlength:
1773  x509_chain_put ( tls->chain );
1774  tls->chain = NULL;
1775  err_alloc_chain:
1776  return rc;
1777 }
1778 
1779 /**
1780  * Receive new Certificate handshake record
1781  *
1782  * @v tls TLS connection
1783  * @v data Plaintext handshake record
1784  * @v len Length of plaintext handshake record
1785  * @ret rc Return status code
1786  */
1787 static int tls_new_certificate ( struct tls_connection *tls,
1788  const void *data, size_t len ) {
1789  const struct {
1790  tls24_t length;
1791  uint8_t certificates[0];
1792  } __attribute__ (( packed )) *certificate = data;
1793  size_t certificates_len;
1794  int rc;
1795 
1796  /* Parse header */
1797  if ( sizeof ( *certificate ) > len ) {
1798  DBGC ( tls, "TLS %p received underlength Server Certificate\n",
1799  tls );
1800  DBGC_HD ( tls, data, len );
1801  return -EINVAL_CERTIFICATES;
1802  }
1803  certificates_len = tls_uint24 ( &certificate->length );
1804  if ( certificates_len > ( len - sizeof ( *certificate ) ) ) {
1805  DBGC ( tls, "TLS %p received overlength Server Certificate\n",
1806  tls );
1807  DBGC_HD ( tls, data, len );
1808  return -EINVAL_CERTIFICATES;
1809  }
1810 
1811  /* Parse certificate chain */
1812  if ( ( rc = tls_parse_chain ( tls, certificate->certificates,
1813  certificates_len ) ) != 0 )
1814  return rc;
1815 
1816  return 0;
1817 }
1818 
1819 /**
1820  * Receive new Certificate Request handshake record
1821  *
1822  * @v tls TLS connection
1823  * @v data Plaintext handshake record
1824  * @v len Length of plaintext handshake record
1825  * @ret rc Return status code
1826  */
1827 static int tls_new_certificate_request ( struct tls_connection *tls,
1828  const void *data __unused,
1829  size_t len __unused ) {
1830 
1831  /* We can only send a single certificate, so there is no point
1832  * in parsing the Certificate Request.
1833  */
1834 
1835  /* Free any existing client certificate */
1836  x509_put ( tls->cert );
1837 
1838  /* Determine client certificate to be sent */
1839  tls->cert = certstore_find_key ( &private_key );
1840  if ( ! tls->cert ) {
1841  DBGC ( tls, "TLS %p could not find certificate corresponding "
1842  "to private key\n", tls );
1843  return -EPERM_CLIENT_CERT;
1844  }
1845  x509_get ( tls->cert );
1846  DBGC ( tls, "TLS %p sending client certificate %s\n",
1847  tls, x509_name ( tls->cert ) );
1848 
1849  return 0;
1850 }
1851 
1852 /**
1853  * Receive new Server Hello Done handshake record
1854  *
1855  * @v tls TLS connection
1856  * @v data Plaintext handshake record
1857  * @v len Length of plaintext handshake record
1858  * @ret rc Return status code
1859  */
1860 static int tls_new_server_hello_done ( struct tls_connection *tls,
1861  const void *data, size_t len ) {
1862  const struct {
1863  char next[0];
1864  } __attribute__ (( packed )) *hello_done = data;
1865  int rc;
1866 
1867  /* Sanity check */
1868  if ( sizeof ( *hello_done ) != len ) {
1869  DBGC ( tls, "TLS %p received overlength Server Hello Done\n",
1870  tls );
1871  DBGC_HD ( tls, data, len );
1872  return -EINVAL_HELLO_DONE;
1873  }
1874 
1875  /* Begin certificate validation */
1876  if ( ( rc = create_validator ( &tls->validator, tls->chain ) ) != 0 ) {
1877  DBGC ( tls, "TLS %p could not start certificate validation: "
1878  "%s\n", tls, strerror ( rc ) );
1879  return rc;
1880  }
1881  pending_get ( &tls->validation );
1882 
1883  return 0;
1884 }
1885 
1886 /**
1887  * Receive new Finished handshake record
1888  *
1889  * @v tls TLS connection
1890  * @v data Plaintext handshake record
1891  * @v len Length of plaintext handshake record
1892  * @ret rc Return status code
1893  */
1894 static int tls_new_finished ( struct tls_connection *tls,
1895  const void *data, size_t len ) {
1896  struct tls_session *session = tls->session;
1897  struct digest_algorithm *digest = tls->handshake_digest;
1898  const struct {
1899  uint8_t verify_data[ sizeof ( tls->verify.server ) ];
1900  char next[0];
1901  } __attribute__ (( packed )) *finished = data;
1902  uint8_t digest_out[ digest->digestsize ];
1903 
1904  /* Sanity check */
1905  if ( sizeof ( *finished ) != len ) {
1906  DBGC ( tls, "TLS %p received overlength Finished\n", tls );
1907  DBGC_HD ( tls, data, len );
1908  return -EINVAL_FINISHED;
1909  }
1910 
1911  /* Verify data */
1912  tls_verify_handshake ( tls, digest_out );
1913  tls_prf_label ( tls, &tls->master_secret, sizeof ( tls->master_secret ),
1914  tls->verify.server, sizeof ( tls->verify.server ),
1915  "server finished", digest_out, sizeof ( digest_out ) );
1916  if ( memcmp ( tls->verify.server, finished->verify_data,
1917  sizeof ( tls->verify.server ) ) != 0 ) {
1918  DBGC ( tls, "TLS %p verification failed\n", tls );
1919  return -EPERM_VERIFY;
1920  }
1921 
1922  /* Mark server as finished */
1923  pending_put ( &tls->server_negotiation );
1924 
1925  /* If we are resuming a session (i.e. if the server Finished
1926  * arrives before the client Finished is sent), then schedule
1927  * transmission of Change Cipher and Finished.
1928  */
1929  if ( is_pending ( &tls->client_negotiation ) ) {
1930  tls->tx_pending |= ( TLS_TX_CHANGE_CIPHER | TLS_TX_FINISHED );
1931  tls_tx_resume ( tls );
1932  }
1933 
1934  /* Record session ID, ticket, and master secret, if applicable */
1935  if ( tls->session_id_len || tls->new_session_ticket_len ) {
1936  memcpy ( session->master_secret, tls->master_secret,
1937  sizeof ( session->master_secret ) );
1938  }
1939  if ( tls->session_id_len ) {
1940  session->id_len = tls->session_id_len;
1941  memcpy ( session->id, tls->session_id, sizeof ( session->id ) );
1942  }
1943  if ( tls->new_session_ticket_len ) {
1944  free ( session->ticket );
1945  session->ticket = tls->new_session_ticket;
1946  session->ticket_len = tls->new_session_ticket_len;
1947  tls->new_session_ticket = NULL;
1948  tls->new_session_ticket_len = 0;
1949  }
1950 
1951  /* Move to end of session's connection list and allow other
1952  * connections to start making progress.
1953  */
1954  list_del ( &tls->list );
1955  list_add_tail ( &tls->list, &session->conn );
1956  tls_tx_resume_all ( session );
1957 
1958  /* Send notification of a window change */
1959  xfer_window_changed ( &tls->plainstream );
1960 
1961  return 0;
1962 }
1963 
1964 /**
1965  * Receive new Handshake record
1966  *
1967  * @v tls TLS connection
1968  * @v data Plaintext record
1969  * @v len Length of plaintext record
1970  * @ret rc Return status code
1971  */
1972 static int tls_new_handshake ( struct tls_connection *tls,
1973  const void *data, size_t len ) {
1974  size_t remaining = len;
1975  int rc;
1976 
1977  while ( remaining ) {
1978  const struct {
1979  uint8_t type;
1980  tls24_t length;
1981  uint8_t payload[0];
1982  } __attribute__ (( packed )) *handshake = data;
1983  const void *payload;
1984  size_t payload_len;
1985  size_t record_len;
1986 
1987  /* Parse header */
1988  if ( sizeof ( *handshake ) > remaining ) {
1989  DBGC ( tls, "TLS %p received underlength Handshake\n",
1990  tls );
1991  DBGC_HD ( tls, data, remaining );
1992  return -EINVAL_HANDSHAKE;
1993  }
1994  payload_len = tls_uint24 ( &handshake->length );
1995  if ( payload_len > ( remaining - sizeof ( *handshake ) ) ) {
1996  DBGC ( tls, "TLS %p received overlength Handshake\n",
1997  tls );
1998  DBGC_HD ( tls, data, len );
1999  return -EINVAL_HANDSHAKE;
2000  }
2001  payload = &handshake->payload;
2002  record_len = ( sizeof ( *handshake ) + payload_len );
2003 
2004  /* Handle payload */
2005  switch ( handshake->type ) {
2006  case TLS_HELLO_REQUEST:
2007  rc = tls_new_hello_request ( tls, payload,
2008  payload_len );
2009  break;
2010  case TLS_SERVER_HELLO:
2011  rc = tls_new_server_hello ( tls, payload, payload_len );
2012  break;
2013  case TLS_NEW_SESSION_TICKET:
2014  rc = tls_new_session_ticket ( tls, payload,
2015  payload_len );
2016  break;
2017  case TLS_CERTIFICATE:
2018  rc = tls_new_certificate ( tls, payload, payload_len );
2019  break;
2020  case TLS_CERTIFICATE_REQUEST:
2021  rc = tls_new_certificate_request ( tls, payload,
2022  payload_len );
2023  break;
2024  case TLS_SERVER_HELLO_DONE:
2025  rc = tls_new_server_hello_done ( tls, payload,
2026  payload_len );
2027  break;
2028  case TLS_FINISHED:
2029  rc = tls_new_finished ( tls, payload, payload_len );
2030  break;
2031  default:
2032  DBGC ( tls, "TLS %p ignoring handshake type %d\n",
2033  tls, handshake->type );
2034  rc = 0;
2035  break;
2036  }
2037 
2038  /* Add to handshake digest (except for Hello Requests,
2039  * which are explicitly excluded).
2040  */
2041  if ( handshake->type != TLS_HELLO_REQUEST )
2042  tls_add_handshake ( tls, data, record_len );
2043 
2044  /* Abort on failure */
2045  if ( rc != 0 )
2046  return rc;
2047 
2048  /* Move to next handshake record */
2049  data += record_len;
2050  remaining -= record_len;
2051  }
2052 
2053  return 0;
2054 }
2055 
2056 /**
2057  * Receive new record
2058  *
2059  * @v tls TLS connection
2060  * @v type Record type
2061  * @v rx_data List of received data buffers
2062  * @ret rc Return status code
2063  */
2064 static int tls_new_record ( struct tls_connection *tls, unsigned int type,
2065  struct list_head *rx_data ) {
2066  struct io_buffer *iobuf;
2067  int ( * handler ) ( struct tls_connection *tls, const void *data,
2068  size_t len );
2069  int rc;
2070 
2071  /* Deliver data records to the plainstream interface */
2072  if ( type == TLS_TYPE_DATA ) {
2073 
2074  /* Fail unless we are ready to receive data */
2075  if ( ! tls_ready ( tls ) )
2076  return -ENOTCONN;
2077 
2078  /* Deliver each I/O buffer in turn */
2079  while ( ( iobuf = list_first_entry ( rx_data, struct io_buffer,
2080  list ) ) ) {
2081  list_del ( &iobuf->list );
2082  if ( ( rc = xfer_deliver_iob ( &tls->plainstream,
2083  iobuf ) ) != 0 ) {
2084  DBGC ( tls, "TLS %p could not deliver data: "
2085  "%s\n", tls, strerror ( rc ) );
2086  return rc;
2087  }
2088  }
2089  return 0;
2090  }
2091 
2092  /* For all other records, merge into a single I/O buffer */
2093  iobuf = iob_concatenate ( rx_data );
2094  if ( ! iobuf ) {
2095  DBGC ( tls, "TLS %p could not concatenate non-data record "
2096  "type %d\n", tls, type );
2097  return -ENOMEM_RX_CONCAT;
2098  }
2099 
2100  /* Determine handler */
2101  switch ( type ) {
2102  case TLS_TYPE_CHANGE_CIPHER:
2103  handler = tls_new_change_cipher;
2104  break;
2105  case TLS_TYPE_ALERT:
2106  handler = tls_new_alert;
2107  break;
2108  case TLS_TYPE_HANDSHAKE:
2109  handler = tls_new_handshake;
2110  break;
2111  default:
2112  /* RFC4346 says that we should just ignore unknown
2113  * record types.
2114  */
2115  handler = NULL;
2116  DBGC ( tls, "TLS %p ignoring record type %d\n", tls, type );
2117  break;
2118  }
2119 
2120  /* Handle record and free I/O buffer */
2121  rc = ( handler ? handler ( tls, iobuf->data, iob_len ( iobuf ) ) : 0 );
2122  free_iob ( iobuf );
2123  return rc;
2124 }
2125 
2126 /******************************************************************************
2127  *
2128  * Record encryption/decryption
2129  *
2130  ******************************************************************************
2131  */
2132 
2133 /**
2134  * Initialise HMAC
2135  *
2136  * @v cipherspec Cipher specification
2137  * @v ctx Context
2138  * @v seq Sequence number
2139  * @v tlshdr TLS header
2140  */
2141 static void tls_hmac_init ( struct tls_cipherspec *cipherspec, void *ctx,
2142  uint64_t seq, struct tls_header *tlshdr ) {
2143  struct digest_algorithm *digest = cipherspec->suite->digest;
2144 
2145  hmac_init ( digest, ctx, cipherspec->mac_secret, &digest->digestsize );
2146  seq = cpu_to_be64 ( seq );
2147  hmac_update ( digest, ctx, &seq, sizeof ( seq ) );
2148  hmac_update ( digest, ctx, tlshdr, sizeof ( *tlshdr ) );
2149 }
2150 
2151 /**
2152  * Update HMAC
2153  *
2154  * @v cipherspec Cipher specification
2155  * @v ctx Context
2156  * @v data Data
2157  * @v len Length of data
2158  */
2159 static void tls_hmac_update ( struct tls_cipherspec *cipherspec, void *ctx,
2160  const void *data, size_t len ) {
2161  struct digest_algorithm *digest = cipherspec->suite->digest;
2162 
2163  hmac_update ( digest, ctx, data, len );
2164 }
2165 
2166 /**
2167  * Finalise HMAC
2168  *
2169  * @v cipherspec Cipher specification
2170  * @v ctx Context
2171  * @v mac HMAC to fill in
2172  */
2173 static void tls_hmac_final ( struct tls_cipherspec *cipherspec, void *ctx,
2174  void *hmac ) {
2175  struct digest_algorithm *digest = cipherspec->suite->digest;
2176 
2177  hmac_final ( digest, ctx, cipherspec->mac_secret,
2178  &digest->digestsize, hmac );
2179 }
2180 
2181 /**
2182  * Calculate HMAC
2183  *
2184  * @v cipherspec Cipher specification
2185  * @v seq Sequence number
2186  * @v tlshdr TLS header
2187  * @v data Data
2188  * @v len Length of data
2189  * @v mac HMAC to fill in
2190  */
2191 static void tls_hmac ( struct tls_cipherspec *cipherspec,
2192  uint64_t seq, struct tls_header *tlshdr,
2193  const void *data, size_t len, void *hmac ) {
2194  struct digest_algorithm *digest = cipherspec->suite->digest;
2195  uint8_t ctx[digest->ctxsize];
2196 
2197  tls_hmac_init ( cipherspec, ctx, seq, tlshdr );
2198  tls_hmac_update ( cipherspec, ctx, data, len );
2199  tls_hmac_final ( cipherspec, ctx, hmac );
2200 }
2201 
2202 /**
2203  * Allocate and assemble stream-ciphered record from data and MAC portions
2204  *
2205  * @v tls TLS connection
2206  * @ret data Data
2207  * @ret len Length of data
2208  * @ret digest MAC digest
2209  * @ret plaintext_len Length of plaintext record
2210  * @ret plaintext Allocated plaintext record
2211  */
2212 static void * __malloc
2213 tls_assemble_stream ( struct tls_connection *tls, const void *data, size_t len,
2214  void *digest, size_t *plaintext_len ) {
2215  size_t mac_len = tls->tx_cipherspec.suite->digest->digestsize;
2216  void *plaintext;
2217  void *content;
2218  void *mac;
2219 
2220  /* Calculate stream-ciphered struct length */
2221  *plaintext_len = ( len + mac_len );
2222 
2223  /* Allocate stream-ciphered struct */
2224  plaintext = malloc ( *plaintext_len );
2225  if ( ! plaintext )
2226  return NULL;
2227  content = plaintext;
2228  mac = ( content + len );
2229 
2230  /* Fill in stream-ciphered struct */
2231  memcpy ( content, data, len );
2232  memcpy ( mac, digest, mac_len );
2233 
2234  return plaintext;
2235 }
2236 
2237 /**
2238  * Allocate and assemble block-ciphered record from data and MAC portions
2239  *
2240  * @v tls TLS connection
2241  * @ret data Data
2242  * @ret len Length of data
2243  * @ret digest MAC digest
2244  * @ret plaintext_len Length of plaintext record
2245  * @ret plaintext Allocated plaintext record
2246  */
2247 static void * tls_assemble_block ( struct tls_connection *tls,
2248  const void *data, size_t len,
2249  void *digest, size_t *plaintext_len ) {
2250  size_t blocksize = tls->tx_cipherspec.suite->cipher->blocksize;
2251  size_t mac_len = tls->tx_cipherspec.suite->digest->digestsize;
2252  size_t iv_len;
2253  size_t padding_len;
2254  void *plaintext;
2255  void *iv;
2256  void *content;
2257  void *mac;
2258  void *padding;
2259 
2260  /* TLSv1.1 and later use an explicit IV */
2261  iv_len = ( ( tls->version >= TLS_VERSION_TLS_1_1 ) ? blocksize : 0 );
2262 
2263  /* Calculate block-ciphered struct length */
2264  padding_len = ( ( blocksize - 1 ) & -( iv_len + len + mac_len + 1 ) );
2265  *plaintext_len = ( iv_len + len + mac_len + padding_len + 1 );
2266 
2267  /* Allocate block-ciphered struct */
2268  plaintext = malloc ( *plaintext_len );
2269  if ( ! plaintext )
2270  return NULL;
2271  iv = plaintext;
2272  content = ( iv + iv_len );
2273  mac = ( content + len );
2274  padding = ( mac + mac_len );
2275 
2276  /* Fill in block-ciphered struct */
2277  tls_generate_random ( tls, iv, iv_len );
2278  memcpy ( content, data, len );
2279  memcpy ( mac, digest, mac_len );
2280  memset ( padding, padding_len, ( padding_len + 1 ) );
2281 
2282  return plaintext;
2283 }
2284 
2285 /**
2286  * Send plaintext record
2287  *
2288  * @v tls TLS connection
2289  * @v type Record type
2290  * @v data Plaintext record
2291  * @v len Length of plaintext record
2292  * @ret rc Return status code
2293  */
2294 static int tls_send_plaintext ( struct tls_connection *tls, unsigned int type,
2295  const void *data, size_t len ) {
2296  struct tls_header plaintext_tlshdr;
2297  struct tls_header *tlshdr;
2298  struct tls_cipherspec *cipherspec = &tls->tx_cipherspec;
2299  struct cipher_algorithm *cipher = cipherspec->suite->cipher;
2300  void *plaintext = NULL;
2301  size_t plaintext_len;
2302  struct io_buffer *ciphertext = NULL;
2303  size_t ciphertext_len;
2304  size_t mac_len = cipherspec->suite->digest->digestsize;
2305  uint8_t mac[mac_len];
2306  int rc;
2307 
2308  /* Construct header */
2309  plaintext_tlshdr.type = type;
2310  plaintext_tlshdr.version = htons ( tls->version );
2311  plaintext_tlshdr.length = htons ( len );
2312 
2313  /* Calculate MAC */
2314  tls_hmac ( cipherspec, tls->tx_seq, &plaintext_tlshdr, data, len, mac );
2315 
2316  /* Allocate and assemble plaintext struct */
2317  if ( is_stream_cipher ( cipher ) ) {
2318  plaintext = tls_assemble_stream ( tls, data, len, mac,
2319  &plaintext_len );
2320  } else {
2321  plaintext = tls_assemble_block ( tls, data, len, mac,
2322  &plaintext_len );
2323  }
2324  if ( ! plaintext ) {
2325  DBGC ( tls, "TLS %p could not allocate %zd bytes for "
2326  "plaintext\n", tls, plaintext_len );
2327  rc = -ENOMEM_TX_PLAINTEXT;
2328  goto done;
2329  }
2330 
2331  DBGC2 ( tls, "Sending plaintext data:\n" );
2332  DBGC2_HD ( tls, plaintext, plaintext_len );
2333 
2334  /* Allocate ciphertext */
2335  ciphertext_len = ( sizeof ( *tlshdr ) + plaintext_len );
2336  ciphertext = xfer_alloc_iob ( &tls->cipherstream, ciphertext_len );
2337  if ( ! ciphertext ) {
2338  DBGC ( tls, "TLS %p could not allocate %zd bytes for "
2339  "ciphertext\n", tls, ciphertext_len );
2340  rc = -ENOMEM_TX_CIPHERTEXT;
2341  goto done;
2342  }
2343 
2344  /* Assemble ciphertext */
2345  tlshdr = iob_put ( ciphertext, sizeof ( *tlshdr ) );
2346  tlshdr->type = type;
2347  tlshdr->version = htons ( tls->version );
2348  tlshdr->length = htons ( plaintext_len );
2349  memcpy ( cipherspec->cipher_next_ctx, cipherspec->cipher_ctx,
2350  cipher->ctxsize );
2351  cipher_encrypt ( cipher, cipherspec->cipher_next_ctx, plaintext,
2352  iob_put ( ciphertext, plaintext_len ), plaintext_len );
2353 
2354  /* Free plaintext as soon as possible to conserve memory */
2355  free ( plaintext );
2356  plaintext = NULL;
2357 
2358  /* Send ciphertext */
2359  if ( ( rc = xfer_deliver_iob ( &tls->cipherstream,
2360  iob_disown ( ciphertext ) ) ) != 0 ) {
2361  DBGC ( tls, "TLS %p could not deliver ciphertext: %s\n",
2362  tls, strerror ( rc ) );
2363  goto done;
2364  }
2365 
2366  /* Update TX state machine to next record */
2367  tls->tx_seq += 1;
2368  memcpy ( tls->tx_cipherspec.cipher_ctx,
2369  tls->tx_cipherspec.cipher_next_ctx, cipher->ctxsize );
2370 
2371  done:
2372  free ( plaintext );
2373  free_iob ( ciphertext );
2374  return rc;
2375 }
2376 
2377 /**
2378  * Split stream-ciphered record into data and MAC portions
2379  *
2380  * @v tls TLS connection
2381  * @v rx_data List of received data buffers
2382  * @v mac MAC to fill in
2383  * @ret rc Return status code
2384  */
2385 static int tls_split_stream ( struct tls_connection *tls,
2386  struct list_head *rx_data, void **mac ) {
2387  size_t mac_len = tls->rx_cipherspec.suite->digest->digestsize;
2388  struct io_buffer *iobuf;
2389 
2390  /* Extract MAC */
2391  iobuf = list_last_entry ( rx_data, struct io_buffer, list );
2392  assert ( iobuf != NULL );
2393  if ( iob_len ( iobuf ) < mac_len ) {
2394  DBGC ( tls, "TLS %p received underlength MAC\n", tls );
2395  DBGC_HD ( tls, iobuf->data, iob_len ( iobuf ) );
2396  return -EINVAL_STREAM;
2397  }
2398  iob_unput ( iobuf, mac_len );
2399  *mac = iobuf->tail;
2400 
2401  return 0;
2402 }
2403 
2404 /**
2405  * Split block-ciphered record into data and MAC portions
2406  *
2407  * @v tls TLS connection
2408  * @v rx_data List of received data buffers
2409  * @v mac MAC to fill in
2410  * @ret rc Return status code
2411  */
2412 static int tls_split_block ( struct tls_connection *tls,
2413  struct list_head *rx_data, void **mac ) {
2414  size_t mac_len = tls->rx_cipherspec.suite->digest->digestsize;
2415  struct io_buffer *iobuf;
2416  size_t iv_len;
2417  uint8_t *padding_final;
2418  uint8_t *padding;
2419  size_t padding_len;
2420 
2421  /* TLSv1.1 and later use an explicit IV */
2422  iobuf = list_first_entry ( rx_data, struct io_buffer, list );
2423  iv_len = ( ( tls->version >= TLS_VERSION_TLS_1_1 ) ?
2424  tls->rx_cipherspec.suite->cipher->blocksize : 0 );
2425  if ( iob_len ( iobuf ) < iv_len ) {
2426  DBGC ( tls, "TLS %p received underlength IV\n", tls );
2427  DBGC_HD ( tls, iobuf->data, iob_len ( iobuf ) );
2428  return -EINVAL_BLOCK;
2429  }
2430  iob_pull ( iobuf, iv_len );
2431 
2432  /* Extract and verify padding */
2433  iobuf = list_last_entry ( rx_data, struct io_buffer, list );
2434  padding_final = ( iobuf->tail - 1 );
2435  padding_len = *padding_final;
2436  if ( ( padding_len + 1 ) > iob_len ( iobuf ) ) {
2437  DBGC ( tls, "TLS %p received underlength padding\n", tls );
2438  DBGC_HD ( tls, iobuf->data, iob_len ( iobuf ) );
2439  return -EINVAL_BLOCK;
2440  }
2441  iob_unput ( iobuf, ( padding_len + 1 ) );
2442  for ( padding = iobuf->tail ; padding < padding_final ; padding++ ) {
2443  if ( *padding != padding_len ) {
2444  DBGC ( tls, "TLS %p received bad padding\n", tls );
2445  DBGC_HD ( tls, padding, padding_len );
2446  return -EINVAL_PADDING;
2447  }
2448  }
2449 
2450  /* Extract MAC */
2451  if ( iob_len ( iobuf ) < mac_len ) {
2452  DBGC ( tls, "TLS %p received underlength MAC\n", tls );
2453  DBGC_HD ( tls, iobuf->data, iob_len ( iobuf ) );
2454  return -EINVAL_BLOCK;
2455  }
2456  iob_unput ( iobuf, mac_len );
2457  *mac = iobuf->tail;
2458 
2459  return 0;
2460 }
2461 
2462 /**
2463  * Receive new ciphertext record
2464  *
2465  * @v tls TLS connection
2466  * @v tlshdr Record header
2467  * @v rx_data List of received data buffers
2468  * @ret rc Return status code
2469  */
2470 static int tls_new_ciphertext ( struct tls_connection *tls,
2471  struct tls_header *tlshdr,
2472  struct list_head *rx_data ) {
2473  struct tls_header plaintext_tlshdr;
2474  struct tls_cipherspec *cipherspec = &tls->rx_cipherspec;
2475  struct cipher_algorithm *cipher = cipherspec->suite->cipher;
2476  struct digest_algorithm *digest = cipherspec->suite->digest;
2477  uint8_t ctx[digest->ctxsize];
2478  uint8_t verify_mac[digest->digestsize];
2479  struct io_buffer *iobuf;
2480  void *mac;
2481  size_t len = 0;
2482  int rc;
2483 
2484  /* Decrypt the received data */
2485  list_for_each_entry ( iobuf, &tls->rx_data, list ) {
2486  cipher_decrypt ( cipher, cipherspec->cipher_ctx,
2487  iobuf->data, iobuf->data, iob_len ( iobuf ) );
2488  }
2489 
2490  /* Split record into content and MAC */
2491  if ( is_stream_cipher ( cipher ) ) {
2492  if ( ( rc = tls_split_stream ( tls, rx_data, &mac ) ) != 0 )
2493  return rc;
2494  } else {
2495  if ( ( rc = tls_split_block ( tls, rx_data, &mac ) ) != 0 )
2496  return rc;
2497  }
2498 
2499  /* Calculate total length */
2500  DBGC2 ( tls, "Received plaintext data:\n" );
2501  list_for_each_entry ( iobuf, rx_data, list ) {
2502  DBGC2_HD ( tls, iobuf->data, iob_len ( iobuf ) );
2503  len += iob_len ( iobuf );
2504  }
2505 
2506  /* Verify MAC */
2507  plaintext_tlshdr.type = tlshdr->type;
2508  plaintext_tlshdr.version = tlshdr->version;
2509  plaintext_tlshdr.length = htons ( len );
2510  tls_hmac_init ( cipherspec, ctx, tls->rx_seq, &plaintext_tlshdr );
2511  list_for_each_entry ( iobuf, rx_data, list ) {
2512  tls_hmac_update ( cipherspec, ctx, iobuf->data,
2513  iob_len ( iobuf ) );
2514  }
2515  tls_hmac_final ( cipherspec, ctx, verify_mac );
2516  if ( memcmp ( mac, verify_mac, sizeof ( verify_mac ) ) != 0 ) {
2517  DBGC ( tls, "TLS %p failed MAC verification\n", tls );
2518  return -EINVAL_MAC;
2519  }
2520 
2521  /* Process plaintext record */
2522  if ( ( rc = tls_new_record ( tls, tlshdr->type, rx_data ) ) != 0 )
2523  return rc;
2524 
2525  return 0;
2526 }
2527 
2528 /******************************************************************************
2529  *
2530  * Plaintext stream operations
2531  *
2532  ******************************************************************************
2533  */
2534 
2535 /**
2536  * Check flow control window
2537  *
2538  * @v tls TLS connection
2539  * @ret len Length of window
2540  */
2541 static size_t tls_plainstream_window ( struct tls_connection *tls ) {
2542 
2543  /* Block window unless we are ready to accept data */
2544  if ( ! tls_ready ( tls ) )
2545  return 0;
2546 
2547  return xfer_window ( &tls->cipherstream );
2548 }
2549 
2550 /**
2551  * Deliver datagram as raw data
2552  *
2553  * @v tls TLS connection
2554  * @v iobuf I/O buffer
2555  * @v meta Data transfer metadata
2556  * @ret rc Return status code
2557  */
2558 static int tls_plainstream_deliver ( struct tls_connection *tls,
2559  struct io_buffer *iobuf,
2560  struct xfer_metadata *meta __unused ) {
2561  int rc;
2562 
2563  /* Refuse unless we are ready to accept data */
2564  if ( ! tls_ready ( tls ) ) {
2565  rc = -ENOTCONN;
2566  goto done;
2567  }
2568 
2569  if ( ( rc = tls_send_plaintext ( tls, TLS_TYPE_DATA, iobuf->data,
2570  iob_len ( iobuf ) ) ) != 0 )
2571  goto done;
2572 
2573  done:
2574  free_iob ( iobuf );
2575  return rc;
2576 }
2577 
2578 /**
2579  * Report job progress
2580  *
2581  * @v tls TLS connection
2582  * @v progress Progress report to fill in
2583  * @ret ongoing_rc Ongoing job status code (if known)
2584  */
2585 static int tls_progress ( struct tls_connection *tls,
2586  struct job_progress *progress ) {
2587 
2588  /* Return cipherstream or validator progress as applicable */
2589  if ( is_pending ( &tls->validation ) ) {
2590  return job_progress ( &tls->validator, progress );
2591  } else {
2592  return job_progress ( &tls->cipherstream, progress );
2593  }
2594 }
2595 
2596 /** TLS plaintext stream interface operations */
2597 static struct interface_operation tls_plainstream_ops[] = {
2598  INTF_OP ( xfer_deliver, struct tls_connection *,
2599  tls_plainstream_deliver ),
2600  INTF_OP ( xfer_window, struct tls_connection *,
2601  tls_plainstream_window ),
2602  INTF_OP ( job_progress, struct tls_connection *, tls_progress ),
2603  INTF_OP ( intf_close, struct tls_connection *, tls_close ),
2604 };
2605 
2606 /** TLS plaintext stream interface descriptor */
2607 static struct interface_descriptor tls_plainstream_desc =
2608  INTF_DESC_PASSTHRU ( struct tls_connection, plainstream,
2609  tls_plainstream_ops, cipherstream );
2610 
2611 /******************************************************************************
2612  *
2613  * Ciphertext stream operations
2614  *
2615  ******************************************************************************
2616  */
2617 
2618 /**
2619  * Handle received TLS header
2620  *
2621  * @v tls TLS connection
2622  * @ret rc Returned status code
2623  */
2624 static int tls_newdata_process_header ( struct tls_connection *tls ) {
2625  size_t data_len = ntohs ( tls->rx_header.length );
2626  size_t remaining = data_len;
2627  size_t frag_len;
2628  struct io_buffer *iobuf;
2629  struct io_buffer *tmp;
2630  int rc;
2631 
2632  /* Allocate data buffers now that we know the length */
2633  assert ( list_empty ( &tls->rx_data ) );
2634  while ( remaining ) {
2635 
2636  /* Calculate fragment length. Ensure that no block is
2637  * smaller than TLS_RX_MIN_BUFSIZE (by increasing the
2638  * allocation length if necessary).
2639  */
2640  frag_len = remaining;
2641  if ( frag_len > TLS_RX_BUFSIZE )
2642  frag_len = TLS_RX_BUFSIZE;
2643  remaining -= frag_len;
2644  if ( remaining < TLS_RX_MIN_BUFSIZE ) {
2645  frag_len += remaining;
2646  remaining = 0;
2647  }
2648 
2649  /* Allocate buffer */
2650  iobuf = alloc_iob_raw ( frag_len, TLS_RX_ALIGN, 0 );
2651  if ( ! iobuf ) {
2652  DBGC ( tls, "TLS %p could not allocate %zd of %zd "
2653  "bytes for receive buffer\n", tls,
2654  remaining, data_len );
2655  rc = -ENOMEM_RX_DATA;
2656  goto err;
2657  }
2658 
2659  /* Ensure tailroom is exactly what we asked for. This
2660  * will result in unaligned I/O buffers when the
2661  * fragment length is unaligned, which can happen only
2662  * before we switch to using a block cipher.
2663  */
2664  iob_reserve ( iobuf, ( iob_tailroom ( iobuf ) - frag_len ) );
2665 
2666  /* Add I/O buffer to list */
2667  list_add_tail ( &iobuf->list, &tls->rx_data );
2668  }
2669 
2670  /* Move to data state */
2671  tls->rx_state = TLS_RX_DATA;
2672 
2673  return 0;
2674 
2675  err:
2676  list_for_each_entry_safe ( iobuf, tmp, &tls->rx_data, list ) {
2677  list_del ( &iobuf->list );
2678  free_iob ( iobuf );
2679  }
2680  return rc;
2681 }
2682 
2683 /**
2684  * Handle received TLS data payload
2685  *
2686  * @v tls TLS connection
2687  * @ret rc Returned status code
2688  */
2689 static int tls_newdata_process_data ( struct tls_connection *tls ) {
2690  struct io_buffer *iobuf;
2691  int rc;
2692 
2693  /* Move current buffer to end of list */
2694  iobuf = list_first_entry ( &tls->rx_data, struct io_buffer, list );
2695  list_del ( &iobuf->list );
2696  list_add_tail ( &iobuf->list, &tls->rx_data );
2697 
2698  /* Continue receiving data if any space remains */
2699  iobuf = list_first_entry ( &tls->rx_data, struct io_buffer, list );
2700  if ( iob_tailroom ( iobuf ) )
2701  return 0;
2702 
2703  /* Process record */
2704  if ( ( rc = tls_new_ciphertext ( tls, &tls->rx_header,
2705  &tls->rx_data ) ) != 0 )
2706  return rc;
2707 
2708  /* Increment RX sequence number */
2709  tls->rx_seq += 1;
2710 
2711  /* Return to header state */
2712  assert ( list_empty ( &tls->rx_data ) );
2713  tls->rx_state = TLS_RX_HEADER;
2714  iob_unput ( &tls->rx_header_iobuf, sizeof ( tls->rx_header ) );
2715 
2716  return 0;
2717 }
2718 
2719 /**
2720  * Check flow control window
2721  *
2722  * @v tls TLS connection
2723  * @ret len Length of window
2724  */
2725 static size_t tls_cipherstream_window ( struct tls_connection *tls ) {
2726 
2727  /* Open window until we are ready to accept data */
2728  if ( ! tls_ready ( tls ) )
2729  return -1UL;
2730 
2731  return xfer_window ( &tls->plainstream );
2732 }
2733 
2734 /**
2735  * Receive new ciphertext
2736  *
2737  * @v tls TLS connection
2738  * @v iobuf I/O buffer
2739  * @v meta Data transfer metadat
2740  * @ret rc Return status code
2741  */
2742 static int tls_cipherstream_deliver ( struct tls_connection *tls,
2743  struct io_buffer *iobuf,
2744  struct xfer_metadata *xfer __unused ) {
2745  size_t frag_len;
2746  int ( * process ) ( struct tls_connection *tls );
2747  struct io_buffer *dest;
2748  int rc;
2749 
2750  while ( iob_len ( iobuf ) ) {
2751 
2752  /* Select buffer according to current state */
2753  switch ( tls->rx_state ) {
2754  case TLS_RX_HEADER:
2755  dest = &tls->rx_header_iobuf;
2756  process = tls_newdata_process_header;
2757  break;
2758  case TLS_RX_DATA:
2759  dest = list_first_entry ( &tls->rx_data,
2760  struct io_buffer, list );
2761  assert ( dest != NULL );
2762  process = tls_newdata_process_data;
2763  break;
2764  default:
2765  assert ( 0 );
2766  rc = -EINVAL_RX_STATE;
2767  goto done;
2768  }
2769 
2770  /* Copy data portion to buffer */
2771  frag_len = iob_len ( iobuf );
2772  if ( frag_len > iob_tailroom ( dest ) )
2773  frag_len = iob_tailroom ( dest );
2774  memcpy ( iob_put ( dest, frag_len ), iobuf->data, frag_len );
2775  iob_pull ( iobuf, frag_len );
2776 
2777  /* Process data if buffer is now full */
2778  if ( iob_tailroom ( dest ) == 0 ) {
2779  if ( ( rc = process ( tls ) ) != 0 ) {
2780  tls_close ( tls, rc );
2781  goto done;
2782  }
2783  }
2784  }
2785  rc = 0;
2786 
2787  done:
2788  free_iob ( iobuf );
2789  return rc;
2790 }
2791 
2792 /** TLS ciphertext stream interface operations */
2793 static struct interface_operation tls_cipherstream_ops[] = {
2794  INTF_OP ( xfer_deliver, struct tls_connection *,
2795  tls_cipherstream_deliver ),
2796  INTF_OP ( xfer_window, struct tls_connection *,
2797  tls_cipherstream_window ),
2798  INTF_OP ( xfer_window_changed, struct tls_connection *,
2799  tls_tx_resume ),
2800  INTF_OP ( intf_close, struct tls_connection *, tls_close ),
2801 };
2802 
2803 /** TLS ciphertext stream interface descriptor */
2804 static struct interface_descriptor tls_cipherstream_desc =
2805  INTF_DESC_PASSTHRU ( struct tls_connection, cipherstream,
2806  tls_cipherstream_ops, plainstream );
2807 
2808 /******************************************************************************
2809  *
2810  * Certificate validator
2811  *
2812  ******************************************************************************
2813  */
2814 
2815 /**
2816  * Handle certificate validation completion
2817  *
2818  * @v tls TLS connection
2819  * @v rc Reason for completion
2820  */
2821 static void tls_validator_done ( struct tls_connection *tls, int rc ) {
2822  struct tls_session *session = tls->session;
2823  struct tls_cipherspec *cipherspec = &tls->tx_cipherspec_pending;
2824  struct pubkey_algorithm *pubkey = cipherspec->suite->pubkey;
2825  struct x509_certificate *cert;
2826 
2827  /* Mark validation as complete */
2828  pending_put ( &tls->validation );
2829 
2830  /* Close validator interface */
2831  intf_restart ( &tls->validator, rc );
2832 
2833  /* Check for validation failure */
2834  if ( rc != 0 ) {
2835  DBGC ( tls, "TLS %p certificate validation failed: %s\n",
2836  tls, strerror ( rc ) );
2837  goto err;
2838  }
2839  DBGC ( tls, "TLS %p certificate validation succeeded\n", tls );
2840 
2841  /* Extract first certificate */
2842  cert = x509_first ( tls->chain );
2843  assert ( cert != NULL );
2844 
2845  /* Verify server name */
2846  if ( ( rc = x509_check_name ( cert, session->name ) ) != 0 ) {
2847  DBGC ( tls, "TLS %p server certificate does not match %s: %s\n",
2848  tls, session->name, strerror ( rc ) );
2849  goto err;
2850  }
2851 
2852  /* Initialise public key algorithm */
2853  if ( ( rc = pubkey_init ( pubkey, cipherspec->pubkey_ctx,
2854  cert->subject.public_key.raw.data,
2855  cert->subject.public_key.raw.len ) ) != 0 ) {
2856  DBGC ( tls, "TLS %p cannot initialise public key: %s\n",
2857  tls, strerror ( rc ) );
2858  goto err;
2859  }
2860 
2861  /* Schedule Client Key Exchange, Change Cipher, and Finished */
2862  tls->tx_pending |= ( TLS_TX_CLIENT_KEY_EXCHANGE |
2863  TLS_TX_CHANGE_CIPHER |
2864  TLS_TX_FINISHED );
2865  if ( tls->cert ) {
2866  tls->tx_pending |= ( TLS_TX_CERTIFICATE |
2867  TLS_TX_CERTIFICATE_VERIFY );
2868  }
2869  tls_tx_resume ( tls );
2870 
2871  return;
2872 
2873  err:
2874  tls_close ( tls, rc );
2875  return;
2876 }
2877 
2878 /** TLS certificate validator interface operations */
2879 static struct interface_operation tls_validator_ops[] = {
2880  INTF_OP ( intf_close, struct tls_connection *, tls_validator_done ),
2881 };
2882 
2883 /** TLS certificate validator interface descriptor */
2884 static struct interface_descriptor tls_validator_desc =
2885  INTF_DESC ( struct tls_connection, validator, tls_validator_ops );
2886 
2887 /******************************************************************************
2888  *
2889  * Controlling process
2890  *
2891  ******************************************************************************
2892  */
2893 
2894 /**
2895  * TLS TX state machine
2896  *
2897  * @v tls TLS connection
2898  */
2899 static void tls_tx_step ( struct tls_connection *tls ) {
2900  struct tls_session *session = tls->session;
2901  struct tls_connection *conn;
2902  int rc;
2903 
2904  /* Wait for cipherstream to become ready */
2905  if ( ! xfer_window ( &tls->cipherstream ) )
2906  return;
2907 
2908  /* Send first pending transmission */
2909  if ( tls->tx_pending & TLS_TX_CLIENT_HELLO ) {
2910  /* Serialise server negotiations within a session, to
2911  * provide a consistent view of session IDs and
2912  * session tickets.
2913  */
2914  list_for_each_entry ( conn, &session->conn, list ) {
2915  if ( conn == tls )
2916  break;
2917  if ( is_pending ( &conn->server_negotiation ) )
2918  return;
2919  }
2920  /* Record or generate session ID and associated master secret */
2921  if ( session->id_len ) {
2922  /* Attempt to resume an existing session */
2923  memcpy ( tls->session_id, session->id,
2924  sizeof ( tls->session_id ) );
2925  tls->session_id_len = session->id_len;
2926  memcpy ( tls->master_secret, session->master_secret,
2927  sizeof ( tls->master_secret ) );
2928  } else {
2929  /* No existing session: use a random session ID */
2930  assert ( sizeof ( tls->session_id ) ==
2931  sizeof ( tls->client_random ) );
2932  memcpy ( tls->session_id, &tls->client_random,
2933  sizeof ( tls->session_id ) );
2934  tls->session_id_len = sizeof ( tls->session_id );
2935  }
2936  /* Send Client Hello */
2937  if ( ( rc = tls_send_client_hello ( tls ) ) != 0 ) {
2938  DBGC ( tls, "TLS %p could not send Client Hello: %s\n",
2939  tls, strerror ( rc ) );
2940  goto err;
2941  }
2942  tls->tx_pending &= ~TLS_TX_CLIENT_HELLO;
2943  } else if ( tls->tx_pending & TLS_TX_CERTIFICATE ) {
2944  /* Send Certificate */
2945  if ( ( rc = tls_send_certificate ( tls ) ) != 0 ) {
2946  DBGC ( tls, "TLS %p cold not send Certificate: %s\n",
2947  tls, strerror ( rc ) );
2948  goto err;
2949  }
2950  tls->tx_pending &= ~TLS_TX_CERTIFICATE;
2951  } else if ( tls->tx_pending & TLS_TX_CLIENT_KEY_EXCHANGE ) {
2952  /* Send Client Key Exchange */
2953  if ( ( rc = tls_send_client_key_exchange ( tls ) ) != 0 ) {
2954  DBGC ( tls, "TLS %p could not send Client Key "
2955  "Exchange: %s\n", tls, strerror ( rc ) );
2956  goto err;
2957  }
2958  tls->tx_pending &= ~TLS_TX_CLIENT_KEY_EXCHANGE;
2959  } else if ( tls->tx_pending & TLS_TX_CERTIFICATE_VERIFY ) {
2960  /* Send Certificate Verify */
2961  if ( ( rc = tls_send_certificate_verify ( tls ) ) != 0 ) {
2962  DBGC ( tls, "TLS %p could not send Certificate "
2963  "Verify: %s\n", tls, strerror ( rc ) );
2964  goto err;
2965  }
2966  tls->tx_pending &= ~TLS_TX_CERTIFICATE_VERIFY;
2967  } else if ( tls->tx_pending & TLS_TX_CHANGE_CIPHER ) {
2968  /* Send Change Cipher, and then change the cipher in use */
2969  if ( ( rc = tls_send_change_cipher ( tls ) ) != 0 ) {
2970  DBGC ( tls, "TLS %p could not send Change Cipher: "
2971  "%s\n", tls, strerror ( rc ) );
2972  goto err;
2973  }
2974  if ( ( rc = tls_change_cipher ( tls,
2975  &tls->tx_cipherspec_pending,
2976  &tls->tx_cipherspec )) != 0 ){
2977  DBGC ( tls, "TLS %p could not activate TX cipher: "
2978  "%s\n", tls, strerror ( rc ) );
2979  goto err;
2980  }
2981  tls->tx_seq = 0;
2982  tls->tx_pending &= ~TLS_TX_CHANGE_CIPHER;
2983  } else if ( tls->tx_pending & TLS_TX_FINISHED ) {
2984  /* Send Finished */
2985  if ( ( rc = tls_send_finished ( tls ) ) != 0 ) {
2986  DBGC ( tls, "TLS %p could not send Finished: %s\n",
2987  tls, strerror ( rc ) );
2988  goto err;
2989  }
2990  tls->tx_pending &= ~TLS_TX_FINISHED;
2991  }
2992 
2993  /* Reschedule process if pending transmissions remain,
2994  * otherwise send notification of a window change.
2995  */
2996  if ( tls->tx_pending ) {
2997  tls_tx_resume ( tls );
2998  } else {
2999  xfer_window_changed ( &tls->plainstream );
3000  }
3001 
3002  return;
3003 
3004  err:
3005  tls_close ( tls, rc );
3006 }
3007 
3008 /** TLS TX process descriptor */
3009 static struct process_descriptor tls_process_desc =
3010  PROC_DESC_ONCE ( struct tls_connection, process, tls_tx_step );
3011 
3012 /******************************************************************************
3013  *
3014  * Session management
3015  *
3016  ******************************************************************************
3017  */
3018 
3019 /**
3020  * Find or create session for TLS connection
3021  *
3022  * @v tls TLS connection
3023  * @v name Server name
3024  * @ret rc Return status code
3025  */
3026 static int tls_session ( struct tls_connection *tls, const char *name ) {
3027  struct tls_session *session;
3028  char *name_copy;
3029  int rc;
3030 
3031  /* Find existing matching session, if any */
3032  list_for_each_entry ( session, &tls_sessions, list ) {
3033  if ( strcmp ( name, session->name ) == 0 ) {
3034  ref_get ( &session->refcnt );
3035  tls->session = session;
3036  DBGC ( tls, "TLS %p joining session %s\n", tls, name );
3037  return 0;
3038  }
3039  }
3040 
3041  /* Create new session */
3042  session = zalloc ( sizeof ( *session ) + strlen ( name )
3043  + 1 /* NUL */ );
3044  if ( ! session ) {
3045  rc = -ENOMEM;
3046  goto err_alloc;
3047  }
3048  ref_init ( &session->refcnt, free_tls_session );
3049  name_copy = ( ( ( void * ) session ) + sizeof ( *session ) );
3050  strcpy ( name_copy, name );
3051  session->name = name_copy;
3052  INIT_LIST_HEAD ( &session->conn );
3053  list_add ( &session->list, &tls_sessions );
3054 
3055  /* Record session */
3056  tls->session = session;
3057 
3058  DBGC ( tls, "TLS %p created session %s\n", tls, name );
3059  return 0;
3060 
3061  ref_put ( &session->refcnt );
3062  err_alloc:
3063  return rc;
3064 }
3065 
3066 /******************************************************************************
3067  *
3068  * Instantiator
3069  *
3070  ******************************************************************************
3071  */
3072 
3073 int add_tls ( struct interface *xfer, const char *name,
3074  struct interface **next ) {
3075  struct tls_connection *tls;
3076  int rc;
3077 
3078  /* Allocate and initialise TLS structure */
3079  tls = malloc ( sizeof ( *tls ) );
3080  if ( ! tls ) {
3081  rc = -ENOMEM;
3082  goto err_alloc;
3083  }
3084  memset ( tls, 0, sizeof ( *tls ) );
3085  ref_init ( &tls->refcnt, free_tls );
3086  INIT_LIST_HEAD ( &tls->list );
3087  intf_init ( &tls->plainstream, &tls_plainstream_desc, &tls->refcnt );
3088  intf_init ( &tls->cipherstream, &tls_cipherstream_desc, &tls->refcnt );
3089  intf_init ( &tls->validator, &tls_validator_desc, &tls->refcnt );
3090  process_init_stopped ( &tls->process, &tls_process_desc,
3091  &tls->refcnt );
3092  tls->version = TLS_VERSION_TLS_1_2;
3093  tls_clear_cipher ( tls, &tls->tx_cipherspec );
3094  tls_clear_cipher ( tls, &tls->tx_cipherspec_pending );
3095  tls_clear_cipher ( tls, &tls->rx_cipherspec );
3096  tls_clear_cipher ( tls, &tls->rx_cipherspec_pending );
3097  tls->client_random.gmt_unix_time = time ( NULL );
3098  iob_populate ( &tls->rx_header_iobuf, &tls->rx_header, 0,
3099  sizeof ( tls->rx_header ) );
3100  INIT_LIST_HEAD ( &tls->rx_data );
3101  if ( ( rc = tls_generate_random ( tls, &tls->client_random.random,
3102  ( sizeof ( tls->client_random.random ) ) ) ) != 0 ) {
3103  goto err_random;
3104  }
3105  tls->pre_master_secret.version = htons ( tls->version );
3106  if ( ( rc = tls_generate_random ( tls, &tls->pre_master_secret.random,
3107  ( sizeof ( tls->pre_master_secret.random ) ) ) ) != 0 ) {
3108  goto err_random;
3109  }
3110  if ( ( rc = tls_session ( tls, name ) ) != 0 )
3111  goto err_session;
3112  list_add_tail ( &tls->list, &tls->session->conn );
3113 
3114  /* Start negotiation */
3115  tls_restart ( tls );
3116 
3117  /* Attach to parent interface, mortalise self, and return */
3118  intf_plug_plug ( &tls->plainstream, xfer );
3119  *next = &tls->cipherstream;
3120  ref_put ( &tls->refcnt );
3121  return 0;
3122 
3123  err_session:
3124  err_random:
3125  ref_put ( &tls->refcnt );
3126  err_alloc:
3127  return rc;
3128 }
3129 
3130 /* Drag in objects via add_tls() */
3131 REQUIRING_SYMBOL ( add_tls );
3132 
3133 /* Drag in crypto configuration */
3134 REQUIRE_OBJECT ( config_crypto );
tls.h
Transport Layer Security Protocol.
cpu_to_be16
#define cpu_to_be16(value)
Definition: byteswap.h:109
tls_connection::verify
struct tls_verify_data verify
Verification data.
Definition: tls.h:327
memswap
void * memswap(void *first, void *second, size_t len)
Swap memory regions.
Definition: string.c:137
free_tls
static void free_tls(struct refcnt *refcnt)
Free TLS connection.
Definition: tls.c:346
x509_chain_put
static void x509_chain_put(struct x509_chain *chain)
Drop reference to X.509 certificate chain.
Definition: x509.h:269
process
A process.
Definition: process.h:17
iob_pull
#define iob_pull(iobuf, len)
Definition: iobuf.h:98
tls_send_certificate
static int tls_send_certificate(struct tls_connection *tls)
Transmit Certificate record.
Definition: tls.c:1131
__attribute__
#define __attribute__(x)
Definition: compiler.h:10
length
uint16_t length
Length.
Definition: intel.h:14
interface_operation
An object interface operation.
Definition: interface.h:17
EPERM_CLIENT_CERT
#define EPERM_CLIENT_CERT
Definition: tls.c:166
cipher_algorithm::blocksize
size_t blocksize
Block size.
Definition: crypto.h:54
tls_signature_hash_algorithm::digest
struct digest_algorithm * digest
Digest algorithm.
Definition: tls.h:191
x509_public_key::raw
struct asn1_cursor raw
Raw public key information.
Definition: x509.h:50
EINVAL_PADDING
#define EINVAL_PADDING
Definition: tls.c:94
rc
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
tls_tx_resume_all
static void tls_tx_resume_all(struct tls_session *session)
Resume TX state machine for all connections within a session.
Definition: tls.c:957
digest_update
static void digest_update(struct digest_algorithm *digest, void *ctx, const void *data, size_t len)
Definition: crypto.h:177
name
const char * name
Definition: ath9k_hw.c:1984
xfer_window_changed
void xfer_window_changed(struct interface *intf)
Report change of flow control window.
Definition: xfer.c:145
uint16_t
unsigned short uint16_t
Definition: stdint.h:11
intf_close
void intf_close(struct interface *intf, int rc)
Close an object interface.
Definition: interface.c:244
tls_connection::chain
struct x509_chain * chain
Server certificate chain.
Definition: tls.h:330
md5_sha1_context
An MD5+SHA1 context.
Definition: tls.h:228
tls_validator_done
static void tls_validator_done(struct tls_connection *tls, int rc)
Handle certificate validation completion.
Definition: tls.c:2821
intf_restart
void intf_restart(struct interface *intf, int rc)
Shut down and restart an object interface.
Definition: interface.c:337
tls_cipher_suite_null
struct tls_cipher_suite tls_cipher_suite_null
Null cipher suite.
Definition: tls.c:716
tls_select_cipher
static int tls_select_cipher(struct tls_connection *tls, unsigned int cipher_suite)
Select next cipher suite.
Definition: tls.c:811
tls_connection::client_negotiation
struct pending_operation client_negotiation
Client security negotiation pending operation.
Definition: tls.h:335
iob_put
#define iob_put(iobuf, len)
Definition: iobuf.h:116
va_end
#define va_end(ap)
Definition: stdarg.h:9
tls_connection::process
struct process process
TX process.
Definition: tls.h:346
TLS_NUM_CIPHER_SUITES
#define TLS_NUM_CIPHER_SUITES
Number of supported cipher suites.
Definition: tls.c:723
xfer_metadata
Data transfer metadata.
Definition: xfer.h:22
intf_shutdown
void intf_shutdown(struct interface *intf, int rc)
Shut down an object interface.
Definition: interface.c:273
tls_tx_resume
static void tls_tx_resume(struct tls_connection *tls)
Resume TX state machine.
Definition: tls.c:948
tls_new_ciphertext
static int tls_new_ciphertext(struct tls_connection *tls, struct tls_header *tlshdr, struct list_head *rx_data)
Receive new ciphertext record.
Definition: tls.c:2470
tls_newdata_process_header
static int tls_newdata_process_header(struct tls_connection *tls)
Handle received TLS header.
Definition: tls.c:2624
TLS_RENEGOTIATION_INFO
#define TLS_RENEGOTIATION_INFO
Definition: tls.h:116
xfer_deliver_iob
int xfer_deliver_iob(struct interface *intf, struct io_buffer *iobuf)
Deliver datagram as I/O buffer without metadata.
Definition: xfer.c:254
max
#define max(x, y)
Definition: ath.h:39
tls_connection::session
struct tls_session * session
Session.
Definition: tls.h:279
x509_get
static struct x509_certificate * x509_get(struct x509_certificate *cert)
Get reference to X.509 certificate.
Definition: x509.h:236
tls_connection::rx_header_iobuf
struct io_buffer rx_header_iobuf
Current received record header (static I/O buffer)
Definition: tls.h:355
tls_uint24
static unsigned long tls_uint24(const tls24_t *field24)
Extract 24-bit field value.
Definition: tls.c:219
tls_restart
static void tls_restart(struct tls_connection *tls)
Restart negotiation.
Definition: tls.c:969
list_add
#define list_add(new, head)
Add a new entry to the head of a list.
Definition: list.h:69
next
uint32_t next
Next descriptor address.
Definition: myson.h:18
max_len
static void size_t size_t max_len
Definition: entropy.h:153
tls_find_cipher_suite
static struct tls_cipher_suite * tls_find_cipher_suite(unsigned int cipher_suite)
Identify cipher suite.
Definition: tls.c:732
ref_init
#define ref_init(refcnt, free)
Initialise a reference counter.
Definition: refcnt.h:64
errno.h
Error codes.
tls_connection::refcnt
struct refcnt refcnt
Reference counter.
Definition: tls.h:276
EINVAL_HELLO
#define EINVAL_HELLO
Definition: tls.c:62
tls_connection::rx_seq
uint64_t rx_seq
RX sequence number.
Definition: tls.h:349
hmac_final
void hmac_final(struct digest_algorithm *digest, void *digest_ctx, void *key, size_t *key_len, void *hmac)
Finalise HMAC.
Definition: hmac.c:115
tls_header::type
uint8_t type
Content type.
Definition: tls.h:31
tls_verify_handshake
static void tls_verify_handshake(struct tls_connection *tls, void *out)
Calculate handshake verification hash.
Definition: tls.c:928
x509_check_name
int x509_check_name(struct x509_certificate *cert, const char *name)
Check X.509 certificate name.
Definition: x509.c:1519
rbg_generate
static int rbg_generate(const void *additional, size_t additional_len, int prediction_resist, void *data, size_t len)
Generate bits using RBG.
Definition: rbg.h:36
iobuf.h
I/O buffers.
tls_cipherstream_deliver
static int tls_cipherstream_deliver(struct tls_connection *tls, struct io_buffer *iobuf, struct xfer_metadata *xfer __unused)
Receive new ciphertext.
Definition: tls.c:2742
free_iob
void free_iob(struct io_buffer *iobuf)
Free I/O buffer.
Definition: iobuf.c:145
alloc_iob_raw
struct io_buffer * alloc_iob_raw(size_t len, size_t align, size_t offset)
Allocate I/O buffer with specified alignment and offset.
Definition: iobuf.c:48
digest_final
static void digest_final(struct digest_algorithm *digest, void *ctx, void *out)
Definition: crypto.h:182
type
uint8_t type
Type.
Definition: ena.h:16
x509_append_raw
int x509_append_raw(struct x509_chain *chain, const void *data, size_t len)
Append X.509 certificate to X.509 certificate chain.
Definition: x509.c:1625
LIST_HEAD
static LIST_HEAD(tls_sessions)
List of TLS session.
ENOTSUP_VERSION
#define ENOTSUP_VERSION
Definition: tls.c:154
tls_plainstream_ops
static struct interface_operation tls_plainstream_ops[]
TLS plaintext stream interface operations.
Definition: tls.c:2597
tls_connection::handshake_md5_sha1_ctx
uint8_t handshake_md5_sha1_ctx[MD5_SHA1_CTX_SIZE]
MD5+SHA1 context for handshake verification.
Definition: tls.h:315
pending_put
void pending_put(struct pending_operation *pending)
Mark an operation as no longer pending.
Definition: pending.c:58
TLS_CLIENT_HELLO
#define TLS_CLIENT_HELLO
Definition: tls.h:64
x509_certificate::signature_algorithm
struct asn1_algorithm * signature_algorithm
Signature algorithm.
Definition: x509.h:206
asn1_cursor::data
const void * data
Start of data.
Definition: asn1.h:21
DBGC
#define DBGC(...)
Definition: compiler.h:505
tls_connection::new_session_ticket_len
size_t new_session_ticket_len
Length of new session ticket.
Definition: tls.h:289
ENOMEM_RX_CONCAT
#define ENOMEM_RX_CONCAT
Definition: tls.c:138
process_descriptor
A process descriptor.
Definition: process.h:31
TLS_VERSION_TLS_1_2
#define TLS_VERSION_TLS_1_2
TLS version 1.2.
Definition: tls.h:48
TLS_CERTIFICATE
#define TLS_CERTIFICATE
Definition: tls.h:67
tls_connection::server_random
uint8_t server_random[32]
Server random bytes.
Definition: tls.h:311
tls_connection::session_id
uint8_t session_id[32]
Session ID.
Definition: tls.h:283
FILE_LICENCE
FILE_LICENCE(GPL2_OR_LATER)
tls_connection::rx_header
struct tls_header rx_header
Current received record header.
Definition: tls.h:353
x509_alloc_chain
struct x509_chain * x509_alloc_chain(void)
Allocate X.509 certificate chain.
Definition: x509.c:1577
intf_plug_plug
void intf_plug_plug(struct interface *a, struct interface *b)
Plug two object interfaces together.
Definition: interface.c:102
EINVAL_HELLO_DONE
#define EINVAL_HELLO_DONE
Definition: tls.c:74
tls_header::length
uint16_t length
Length of payload.
Definition: tls.h:38
EINVAL_BLOCK
#define EINVAL_BLOCK
Definition: tls.c:90
uint64_t
unsigned long long uint64_t
Definition: stdint.h:13
xfer_alloc_iob
struct io_buffer * xfer_alloc_iob(struct interface *intf, size_t len)
Allocate I/O buffer.
Definition: xfer.c:157
pubkey_null
struct pubkey_algorithm pubkey_null
Definition: crypto_null.c:131
tls_hmac_update_va
static void tls_hmac_update_va(struct digest_algorithm *digest, void *digest_ctx, va_list args)
Update HMAC with a list of ( data, len ) pairs.
Definition: tls.c:441
EINVAL_HANDSHAKE
#define EINVAL_HANDSHAKE
Definition: tls.c:82
EPROTO_VERSION
#define EPROTO_VERSION
Definition: tls.c:178
EIO_ALERT
#define EIO_ALERT
Definition: tls.c:110
tls_validator_ops
static struct interface_operation tls_validator_ops[]
TLS certificate validator interface operations.
Definition: tls.c:2879
ENOMEM_CHAIN
#define ENOMEM_CHAIN
Definition: tls.c:122
va_copy
#define va_copy(dest, src)
Definition: stdarg.h:10
ntohs
#define ntohs(value)
Definition: byteswap.h:136
TLS_SERVER_HELLO_DONE
#define TLS_SERVER_HELLO_DONE
Definition: tls.h:70
PROC_DESC_ONCE
#define PROC_DESC_ONCE(object_type, process, _step)
Define a process descriptor for a process that runs only once.
Definition: process.h:97
tls_close
static void tls_close(struct tls_connection *tls, int rc)
Finish with TLS connection.
Definition: tls.c:380
TLS_CERTIFICATE_REQUEST
#define TLS_CERTIFICATE_REQUEST
Definition: tls.h:69
mac
uint8_t mac[ETH_ALEN]
MAC address.
Definition: ena.h:24
md5_sha1_final
static void md5_sha1_final(void *ctx, void *out)
Generate MD5+SHA1 digest.
Definition: tls.c:286
ctx
struct golan_eq_context ctx
Definition: CIB_PRM.h:28
tls_cipherspec
A TLS cipher specification.
Definition: tls.h:165
iob_populate
static void iob_populate(struct io_buffer *iobuf, void *data, size_t len, size_t max_len)
Create a temporary I/O buffer.
Definition: iobuf.h:186
EINVAL_CERTIFICATE
#define EINVAL_CERTIFICATE
Definition: tls.c:66
free_tls_session
static void free_tls_session(struct refcnt *refcnt)
Free TLS session.
Definition: tls.c:324
tls_cipher_suite::pubkey
struct pubkey_algorithm * pubkey
Public-key encryption algorithm.
Definition: tls.h:145
md5_sha1_init
static void md5_sha1_init(void *ctx)
Initialise MD5+SHA1 algorithm.
Definition: tls.c:259
list_last_entry
#define list_last_entry(list, type, member)
Get the container of the last entry in a list.
Definition: list.h:346
process_del
void process_del(struct process *process)
Remove process from process list.
Definition: process.c:79
TLS_VERSION_TLS_1_1
#define TLS_VERSION_TLS_1_1
TLS version 1.1.
Definition: tls.h:45
digest
struct md4_digest digest
Digest of data already processed.
Definition: md4.h:12
htonl
#define htonl(value)
Definition: byteswap.h:133
xfer_window
size_t xfer_window(struct interface *intf)
Check flow control window.
Definition: xfer.c:115
iv
u8 iv[16]
Initialization vector.
Definition: wpa.h:60
pubkey_algorithm::ctxsize
size_t ctxsize
Context size.
Definition: crypto.h:98
tls_hmac_final
static void tls_hmac_final(struct tls_cipherspec *cipherspec, void *ctx, void *hmac)
Finalise HMAC.
Definition: tls.c:2173
tls_cipherstream_desc
static struct interface_descriptor tls_cipherstream_desc
TLS ciphertext stream interface descriptor.
Definition: tls.c:2804
seq
u16 seq
802.11 Sequence Control field
Definition: ieee80211.h:19
list_head
A doubly-linked list entry (or list head)
Definition: list.h:18
TLS_MAX_FRAGMENT_LENGTH
#define TLS_MAX_FRAGMENT_LENGTH
Definition: tls.h:103
xfer.h
Data transfer interfaces.
asn1_cursor::len
size_t len
Length of data.
Definition: asn1.h:23
refcnt
A reference counter.
Definition: refcnt.h:26
validator
A certificate validator.
Definition: validator.c:65
pending
uint32_t pending
Pending events.
Definition: hyperv.h:12
tls_validator_desc
static struct interface_descriptor tls_validator_desc
TLS certificate validator interface descriptor.
Definition: tls.c:2884
EINVAL_CHANGE_CIPHER
#define EINVAL_CHANGE_CIPHER
Definition: tls.c:54
privkey.h
Private key.
list_empty
#define list_empty(list)
Test whether a list is empty.
Definition: list.h:136
ENOMEM_CONTEXT
#define ENOMEM_CONTEXT
Definition: tls.c:114
asn1_algorithm::pubkey
struct pubkey_algorithm * pubkey
Public-key algorithm (if applicable)
Definition: asn1.h:304
cipher_encrypt
#define cipher_encrypt(cipher, ctx, src, dst, len)
Definition: crypto.h:202
list_first_entry
#define list_first_entry(list, type, member)
Get the container of the first entry in a list.
Definition: list.h:333
tls_connection::rx_state
enum tls_rx_state rx_state
RX state.
Definition: tls.h:351
pubkey_max_len
static size_t pubkey_max_len(struct pubkey_algorithm *pubkey, void *ctx)
Definition: crypto.h:226
signature
u8 signature
Definition: CIB_PRM.h:35
EINVAL_MAC
#define EINVAL_MAC
Definition: tls.c:102
list_del
#define list_del(list)
Delete an entry from a list.
Definition: list.h:119
io_buffer::tail
void * tail
End of data.
Definition: iobuf.h:46
digest_algorithm::blocksize
size_t blocksize
Block size.
Definition: crypto.h:22
tls_new_hello_request
static int tls_new_hello_request(struct tls_connection *tls, const void *data __unused, size_t len __unused)
Receive new Hello Request handshake record.
Definition: tls.c:1433
ENOMEM
#define ENOMEM
Not enough space.
Definition: errno.h:534
ENOTSUP_NULL
#define ENOTSUP_NULL
Definition: tls.c:146
iob_disown
#define iob_disown(iobuf)
Disown an I/O buffer.
Definition: iobuf.h:208
tls_connection::handshake_ctx
uint8_t * handshake_ctx
Digest algorithm context used for handshake verification.
Definition: tls.h:321
tls_connection::tx_cipherspec
struct tls_cipherspec tx_cipherspec
Current TX cipher specification.
Definition: tls.h:299
memcpy
void * memcpy(void *dest, const void *src, size_t len) __nonnull
certstore.h
Certificate store.
va_arg
#define va_arg(ap, type)
Definition: stdarg.h:8
version
u32 version
Version number.
Definition: ath9k_hw.c:1983
REQUIRE_OBJECT
REQUIRE_OBJECT(config_crypto)
tls_newdata_process_data
static int tls_newdata_process_data(struct tls_connection *tls)
Handle received TLS data payload.
Definition: tls.c:2689
TLS_TYPE_CHANGE_CIPHER
#define TLS_TYPE_CHANGE_CIPHER
Change cipher content type.
Definition: tls.h:51
ENOTSUP_CIPHER
#define ENOTSUP_CIPHER
Definition: tls.c:142
assert
assert((readw(&hdr->flags) &(GTF_reading|GTF_writing))==0)
container_of
#define container_of(ptr, type, field)
Get containing structure.
Definition: stddef.h:35
validator.h
Certificate validator.
tls_signature_hash_algorithm
static struct tls_signature_hash_algorithm * tls_signature_hash_algorithm(struct pubkey_algorithm *pubkey, struct digest_algorithm *digest)
Find TLS signature and hash algorithm.
Definition: tls.c:881
interface
An object interface.
Definition: interface.h:109
hmac.h
Keyed-Hashing for Message Authentication.
ENOMEM_RX_DATA
#define ENOMEM_RX_DATA
Definition: tls.c:134
session
struct ntlm_data session
Session key.
Definition: ntlm.h:24
TLS_RX_ALIGN
#define TLS_RX_ALIGN
RX I/O buffer alignment.
Definition: tls.h:379
tls_connection::new_session_ticket
void * new_session_ticket
New session ticket.
Definition: tls.h:287
tls_progress
static int tls_progress(struct tls_connection *tls, struct job_progress *progress)
Report job progress.
Definition: tls.c:2585
tls_send_change_cipher
static int tls_send_change_cipher(struct tls_connection *tls)
Transmit Change Cipher record.
Definition: tls.c:1311
tls_cipherspec::cipher_ctx
void * cipher_ctx
Bulk encryption cipher context.
Definition: tls.h:173
tls_tx_step
static void tls_tx_step(struct tls_connection *tls)
TLS TX state machine.
Definition: tls.c:2899
list_for_each_entry
#define list_for_each_entry(pos, head, member)
Iterate over entries in a list.
Definition: list.h:420
TLS_SESSION_TICKET
#define TLS_SESSION_TICKET
Definition: tls.h:113
DBGC_HDA
#define DBGC_HDA(...)
Definition: compiler.h:506
tls_new_session_ticket
static int tls_new_session_ticket(struct tls_connection *tls, const void *data, size_t len)
Receive New Session Ticket handshake record.
Definition: tls.c:1658
list_add_tail
#define list_add_tail(new, head)
Add a new entry to the tail of a list.
Definition: list.h:93
tls_cipherspec::suite
struct tls_cipher_suite * suite
Cipher suite.
Definition: tls.h:167
tls_hmac_update
static void tls_hmac_update(struct tls_cipherspec *cipherspec, void *ctx, const void *data, size_t len)
Update HMAC.
Definition: tls.c:2159
EINVAL_FINISHED
#define EINVAL_FINISHED
Definition: tls.c:78
tls_cipher_suite::digest
struct digest_algorithm * digest
MAC digest algorithm.
Definition: tls.h:149
tls_connection::validation
struct pending_operation validation
Certificate validation pending operation.
Definition: tls.h:339
tls_connection::list
struct list_head list
List of connections within the same session.
Definition: tls.h:281
tls_client_random::gmt_unix_time
uint32_t gmt_unix_time
GMT Unix time.
Definition: tls.h:222
be16_to_cpu
#define be16_to_cpu(value)
Definition: byteswap.h:115
out
__be32 out[4]
Definition: CIB_PRM.h:36
TLS_VERSION_TLS_1_0
#define TLS_VERSION_TLS_1_0
TLS version 1.0.
Definition: tls.h:42
tls_cipher_suite
A TLS cipher suite.
Definition: tls.h:143
strcpy
char * strcpy(char *dest, const char *src)
Copy string.
Definition: string.c:296
TLS_SERVER_NAME
#define TLS_SERVER_NAME
Definition: tls.h:99
tls_signature_hash_algorithm
A TLS signature algorithm.
Definition: tls.h:189
is_pending
static int is_pending(struct pending_operation *pending)
Check if an operation is pending.
Definition: pending.h:24
EPERM_VERIFY
#define EPERM_VERIFY
Definition: tls.c:162
tls_connection::master_secret
uint8_t master_secret[48]
Master secret.
Definition: tls.h:309
tls_session::list
struct list_head list
List of sessions.
Definition: tls.h:254
TLS_ALERT_WARNING
#define TLS_ALERT_WARNING
Definition: tls.h:76
ENOMEM_TX_CIPHERTEXT
#define ENOMEM_TX_CIPHERTEXT
Definition: tls.c:130
tls_send_client_key_exchange
static int tls_send_client_key_exchange(struct tls_connection *tls)
Transmit Client Key Exchange record.
Definition: tls.c:1177
EINVAL_RX_STATE
#define EINVAL_RX_STATE
Definition: tls.c:98
TLS_RX_BUFSIZE
#define TLS_RX_BUFSIZE
RX I/O buffer size.
Definition: tls.h:368
dest
static void * dest
Definition: strings.h:176
list_for_each_entry_safe
#define list_for_each_entry_safe(pos, tmp, head, member)
Iterate over entries in a list, safe against deletion of the current entry.
Definition: list.h:447
cpu_to_le32
#define cpu_to_le32(value)
Definition: byteswap.h:107
md5_sha1_algorithm
static struct digest_algorithm md5_sha1_algorithm
Hybrid MD5+SHA1 digest algorithm.
Definition: tls.c:295
rbg.h
RBG mechanism.
value
pseudo_bit_t value[0x00020]
Definition: arbel.h:13
x509_subject::public_key
struct x509_public_key public_key
Public key information.
Definition: x509.h:64
process_add
void process_add(struct process *process)
Add process to process list.
Definition: process.c:59
certstore_find_key
struct x509_certificate * certstore_find_key(struct asn1_cursor *key)
Find certificate in store corresponding to a private key.
Definition: certstore.c:119
meta
int meta(WINDOW *, bool)
ENOTCONN
#define ENOTCONN
The socket is not connected.
Definition: errno.h:569
aes.h
AES algorithm.
digest_init
static void digest_init(struct digest_algorithm *digest, void *ctx)
Definition: crypto.h:172
iob_concatenate
struct io_buffer * iob_concatenate(struct list_head *list)
Concatenate I/O buffers into a single buffer.
Definition: iobuf.c:198
interface_descriptor
An object interface descriptor.
Definition: interface.h:40
TLS_NUM_SIG_HASH_ALGORITHMS
#define TLS_NUM_SIG_HASH_ALGORITHMS
Number of supported signature and hash algorithms.
Definition: tls.c:870
TLS_HELLO_REQUEST
#define TLS_HELLO_REQUEST
Definition: tls.h:63
iob_unput
#define iob_unput(iobuf, len)
Definition: iobuf.h:131
x509_last
static struct x509_certificate * x509_last(struct x509_chain *chain)
Get last certificate in X.509 certificate chain.
Definition: x509.h:294
tls_send_plaintext
static int tls_send_plaintext(struct tls_connection *tls, unsigned int type, const void *data, size_t len)
Send plaintext record.
Definition: tls.c:2294
tls_connection::client_random
struct tls_client_random client_random
Client random bytes.
Definition: tls.h:313
strerror
char * strerror(int errno)
Retrieve string representation of error number.
Definition: strerror.c:78
x509_certificate
An X.509 certificate.
Definition: x509.h:185
tls_cipher_suite::key_len
uint16_t key_len
Key length.
Definition: tls.h:151
free
static void(* free)(struct refcnt *refcnt))
Definition: refcnt.h:54
tls_connection::cipherstream
struct interface cipherstream
Ciphertext stream.
Definition: tls.h:294
zalloc
void * zalloc(size_t size)
Allocate cleared memory.
Definition: malloc.c:624
DBGC2_HD
#define DBGC2_HD(...)
Definition: compiler.h:524
tls_new_finished
static int tls_new_finished(struct tls_connection *tls, const void *data, size_t len)
Receive new Finished handshake record.
Definition: tls.c:1894
x509_certificate::subject
struct x509_subject subject
Subject.
Definition: x509.h:212
ref_get
#define ref_get(refcnt)
Get additional reference to object.
Definition: refcnt.h:92
digest_null
struct digest_algorithm digest_null
Definition: crypto_null.c:48
iob_len
static size_t iob_len(struct io_buffer *iobuf)
Calculate length of data in an I/O buffer.
Definition: iobuf.h:151
tls_cipherstream_ops
static struct interface_operation tls_cipherstream_ops[]
TLS ciphertext stream interface operations.
Definition: tls.c:2793
job_progress
Job progress.
Definition: job.h:15
tmp
uint8_t * tmp
Definition: entropy.h:156
INTF_OP
#define INTF_OP(op_type, object_type, op_func)
Define an object interface operation.
Definition: interface.h:32
tls_new_server_hello
static int tls_new_server_hello(struct tls_connection *tls, const void *data, size_t len)
Receive new Server Hello handshake record.
Definition: tls.c:1464
EINVAL_ALERT
#define EINVAL_ALERT
Definition: tls.c:58
DBGC_HD
#define DBGC_HD(...)
Definition: compiler.h:507
for_each_table_entry
#define for_each_table_entry(pointer, table)
Iterate through all entries within a linker table.
Definition: tables.h:358
random
long int random(void)
Generate a pseudo-random number between 0 and 2147483647L or 2147483562?
Definition: random.c:30
tls_cipherspec::pubkey_ctx
void * pubkey_ctx
Public key encryption context.
Definition: tls.h:171
iob_tailroom
static size_t iob_tailroom(struct io_buffer *iobuf)
Calculate available space at end of an I/O buffer.
Definition: iobuf.h:171
xfer_deliver
int xfer_deliver(struct interface *intf, struct io_buffer *iobuf, struct xfer_metadata *meta)
Deliver datagram.
Definition: xfer.c:193
strlen
size_t strlen(const char *src)
Get length of string.
Definition: string.c:213
rsa_digestinfo_prefix
An RSA digestInfo prefix.
Definition: rsa.h:42
uint8_t
unsigned char uint8_t
Definition: stdint.h:10
open.h
Data transfer interface opening.
TLS_ALERT_FATAL
#define TLS_ALERT_FATAL
Definition: tls.h:77
EPERM_RENEG_VERIFY
#define EPERM_RENEG_VERIFY
Definition: tls.c:174
pubkey_algorithm::max_len
size_t(* max_len)(void *ctx)
Calculate maximum output length.
Definition: crypto.h:112
TLS_SIG_HASH_ALGORITHMS
#define TLS_SIG_HASH_ALGORITHMS
TLS signature hash algorithm table.
Definition: tls.h:203
REQUIRING_SYMBOL
REQUIRING_SYMBOL(add_tls)
hello
uint16_t hello
Hello time.
Definition: stp.h:38
tls_change_cipher
static int tls_change_cipher(struct tls_connection *tls, struct tls_cipherspec *pending, struct tls_cipherspec *active)
Activate next cipher suite.
Definition: tls.c:847
process_init_stopped
static void process_init_stopped(struct process *process, struct process_descriptor *desc, struct refcnt *refcnt)
Initialise process without adding to process list.
Definition: process.h:145
x509.h
X.509 certificates.
lifetime
u32 lifetime
For Lifetime-type KDEs, the lifetime in seconds.
Definition: wpa.h:54
is_stream_cipher
static int is_stream_cipher(struct cipher_algorithm *cipher)
Definition: crypto.h:217
cipher_algorithm::ctxsize
size_t ctxsize
Context size.
Definition: crypto.h:52
cipher_decrypt
#define cipher_decrypt(cipher, ctx, src, dst, len)
Definition: crypto.h:212
uint32_t
unsigned int uint32_t
Definition: stdint.h:12
tls_connection::rx_cipherspec
struct tls_cipherspec rx_cipherspec
Current RX cipher specification.
Definition: tls.h:303
malloc
void * malloc(size_t size)
Allocate memory.
Definition: malloc.c:583
tls_plainstream_deliver
static int tls_plainstream_deliver(struct tls_connection *tls, struct io_buffer *iobuf, struct xfer_metadata *meta __unused)
Deliver datagram as raw data.
Definition: tls.c:2558
tls_new_certificate_request
static int tls_new_certificate_request(struct tls_connection *tls, const void *data __unused, size_t len __unused)
Receive new Certificate Request handshake record.
Definition: tls.c:1827
TLS_RX_MIN_BUFSIZE
#define TLS_RX_MIN_BUFSIZE
Minimum RX I/O buffer size.
Definition: tls.h:376
cipher_null
struct cipher_algorithm cipher_null
Definition: crypto_null.c:79
tls_prf
static void tls_prf(struct tls_connection *tls, void *secret, size_t secret_len, void *out, size_t out_len,...)
Generate secure pseudo-random data.
Definition: tls.c:531
job.h
Job control interfaces.
tls_signature_hash_algorithm::code
struct tls_signature_hash_id code
Numeric code.
Definition: tls.h:195
TLS_NEW_SESSION_TICKET
#define TLS_NEW_SESSION_TICKET
Definition: tls.h:66
ext
uint16_t ext
Extended status.
Definition: ena.h:20
tls_connection::tx_cipherspec_pending
struct tls_cipherspec tx_cipherspec_pending
Next TX cipher specification.
Definition: tls.h:301
tls_hmac_init
static void tls_hmac_init(struct tls_cipherspec *cipherspec, void *ctx, uint64_t seq, struct tls_header *tlshdr)
Initialise HMAC.
Definition: tls.c:2141
tls_connection::pre_master_secret
struct tls_pre_master_secret pre_master_secret
Premaster secret.
Definition: tls.h:307
tls_split_block
static int tls_split_block(struct tls_connection *tls, struct list_head *rx_data, void **mac)
Split block-ciphered record into data and MAC portions.
Definition: tls.c:2412
TLS_SERVER_NAME_HOST_NAME
#define TLS_SERVER_NAME_HOST_NAME
Definition: tls.h:100
tls_verify_data::client
uint8_t client[12]
Client verification data.
Definition: tls.h:121
md5_sha1_digest
An MD5+SHA1 digest.
Definition: tls.h:239
tls_connection::server_negotiation
struct pending_operation server_negotiation
Server security negotiation pending operation.
Definition: tls.h:337
tls_assemble_block
static void * tls_assemble_block(struct tls_connection *tls, const void *data, size_t len, void *digest, size_t *plaintext_len)
Allocate and assemble block-ciphered record from data and MAC portions.
Definition: tls.c:2247
private_key
struct asn1_cursor private_key
Private key.
Definition: privkey.c:67
tls_header
A TLS header.
Definition: tls.h:26
__unused
#define __unused
Declare a variable or data structure as unused.
Definition: compiler.h:573
tls_pre_master_secret::random
uint8_t random[46]
Random data.
Definition: tls.h:216
time.h
Date and time.
pending.h
Pending operations.
TLS_TYPE_HANDSHAKE
#define TLS_TYPE_HANDSHAKE
Handshake content type.
Definition: tls.h:57
tls_connection::rx_data
struct list_head rx_data
List of received data buffers.
Definition: tls.h:357
tls_connection::tx_pending
unsigned int tx_pending
TX pending transmissions.
Definition: tls.h:344
rsa.h
RSA public-key cryptography.
tls24_t
A TLS 24-bit integer.
Definition: tls.c:204
tls_plainstream_desc
static struct interface_descriptor tls_plainstream_desc
TLS plaintext stream interface descriptor.
Definition: tls.c:2607
iob_reserve
#define iob_reserve(iobuf, len)
Definition: iobuf.h:63
tls_generate_keys
static int tls_generate_keys(struct tls_connection *tls)
Generate key material.
Definition: tls.c:633
INIT_LIST_HEAD
#define INIT_LIST_HEAD(list)
Initialise a list head.
Definition: list.h:45
INTF_DESC
#define INTF_DESC(object_type, intf, operations)
Define an object interface descriptor.
Definition: interface.h:65
x509_name
const char * x509_name(struct x509_certificate *cert)
Get X.509 certificate display name.
Definition: x509.c:131
tls_send_certificate_verify
static int tls_send_certificate_verify(struct tls_connection *tls)
Transmit Certificate Verify record.
Definition: tls.c:1221
EPERM_RENEG_INSECURE
#define EPERM_RENEG_INSECURE
Definition: tls.c:170
tls_connection::handshake_digest
struct digest_algorithm * handshake_digest
Digest algorithm used for handshake verification.
Definition: tls.h:319
tls_client_random::random
uint8_t random[28]
Random data.
Definition: tls.h:224
sha256_algorithm
struct digest_algorithm sha256_algorithm
SHA-256 algorithm.
Definition: sha256.c:265
ENOMEM_TX_PLAINTEXT
#define ENOMEM_TX_PLAINTEXT
Definition: tls.c:126
io_buffer::list
struct list_head list
List of which this buffer is a member.
Definition: iobuf.h:39
code
uint8_t code
Response code.
Definition: scsi.h:16
len
uint32_t len
Length.
Definition: ena.h:14
tls_parse_chain
static int tls_parse_chain(struct tls_connection *tls, const void *data, size_t len)
Parse certificate chain.
Definition: tls.c:1709
tls_connection::validator
struct interface validator
Certificate validator.
Definition: tls.h:332
tls_session
A TLS session.
Definition: tls.h:250
unused
uint8_t unused[32]
Unused.
Definition: eltorito.h:15
tls_process_desc
static struct process_descriptor tls_process_desc
TLS TX process descriptor.
Definition: tls.c:3009
DBGC2
#define DBGC2(...)
Definition: compiler.h:522
__malloc
#define __malloc
Declare a pointer returned by a function as a unique memory address as returned by malloc-type functi...
Definition: compiler.h:598
tls_connection::handshake_sha256_ctx
uint8_t handshake_sha256_ctx[SHA256_CTX_SIZE]
SHA256 context for handshake verification.
Definition: tls.h:317
va_list
__builtin_va_list va_list
Definition: stdarg.h:6
strcmp
int strcmp(const char *first, const char *second)
Compare strings.
Definition: string.c:157
digest_algorithm::digestsize
size_t digestsize
Digest size.
Definition: crypto.h:24
hmac_init
void hmac_init(struct digest_algorithm *digest, void *digest_ctx, void *key, size_t *key_len)
Initialise HMAC.
Definition: hmac.c:80
sha1.h
SHA-1 algorithm.
digest_algorithm::name
const char * name
Algorithm name.
Definition: crypto.h:18
md5_sha1_context::sha1
uint8_t sha1[SHA1_CTX_SIZE]
SHA-1 context.
Definition: tls.h:232
x509_put
static void x509_put(struct x509_certificate *cert)
Drop reference to X.509 certificate.
Definition: x509.h:247
io_buffer::data
void * data
Start of data.
Definition: iobuf.h:44
alert
static void alert(const char *fmt,...)
Print alert message.
Definition: settings_ui.c:324
tls_split_stream
static int tls_split_stream(struct tls_connection *tls, struct list_head *rx_data, void **mac)
Split stream-ciphered record into data and MAC portions.
Definition: tls.c:2385
x509_first
static struct x509_certificate * x509_first(struct x509_chain *chain)
Get first certificate in X.509 certificate chain.
Definition: x509.h:280
pubkey_sign
static int pubkey_sign(struct pubkey_algorithm *pubkey, void *ctx, struct digest_algorithm *digest, const void *value, void *signature)
Definition: crypto.h:241
tls24_t::low
uint16_t low
Low word.
Definition: tls.c:208
tls_connection::rx_cipherspec_pending
struct tls_cipherspec rx_cipherspec_pending
Next RX cipher specification.
Definition: tls.h:305
job_progress
int job_progress(struct interface *intf, struct job_progress *progress)
Get job progress.
Definition: job.c:43
ENOMEM_CERTIFICATE
#define ENOMEM_CERTIFICATE
Definition: tls.c:118
tls_header::version
uint16_t version
Protocol version.
Definition: tls.h:36
EPERM_ALERT
#define EPERM_ALERT
Definition: tls.c:158
digest_algorithm
A message digest algorithm.
Definition: crypto.h:16
tls_connection::version
uint16_t version
Protocol version.
Definition: tls.h:297
cpu_to_be64
#define cpu_to_be64(value)
Definition: byteswap.h:111
cipher_algorithm
A cipher algorithm.
Definition: crypto.h:48
tls_verify_data::server
uint8_t server[12]
Server verification data.
Definition: tls.h:123
rsa_digestinfo_prefix::digest
struct digest_algorithm * digest
Digest algorithm.
Definition: rsa.h:44
tls_connection
A TLS connection.
Definition: tls.h:274
tls_clear_cipher
static void tls_clear_cipher(struct tls_connection *tls, struct tls_cipherspec *cipherspec)
pubkey_encrypt
static int pubkey_encrypt(struct pubkey_algorithm *pubkey, void *ctx, const void *data, size_t len, void *out)
Definition: crypto.h:231
tls_send_handshake
static int tls_send_handshake(struct tls_connection *tls, void *data, size_t len)
Transmit Handshake record.
Definition: tls.c:998
pubkey_final
static void pubkey_final(struct pubkey_algorithm *pubkey, void *ctx)
Definition: crypto.h:254
md5_sha1_context::md5
uint8_t md5[MD5_CTX_SIZE]
MD5 context.
Definition: tls.h:230
EINVAL_TICKET
#define EINVAL_TICKET
Definition: tls.c:106
INTF_DESC_PASSTHRU
#define INTF_DESC_PASSTHRU(object_type, intf, operations, passthru)
Define an object interface descriptor with pass-through interface.
Definition: interface.h:82
tls_add_handshake
static void tls_add_handshake(struct tls_connection *tls, const void *data, size_t len)
Add handshake record to verification hash.
Definition: tls.c:910
tls_set_uint24
static void tls_set_uint24(tls24_t *field24, unsigned long value)
Set 24-bit field value.
Definition: tls.c:230
tls_new_record
static int tls_new_record(struct tls_connection *tls, unsigned int type, struct list_head *rx_data)
Receive new record.
Definition: tls.c:2064
tls_cipher_suite::cipher
struct cipher_algorithm * cipher
Bulk encryption cipher algorithm.
Definition: tls.h:147
tls_assemble_stream
static void *__malloc tls_assemble_stream(struct tls_connection *tls, const void *data, size_t len, void *digest, size_t *plaintext_len)
Allocate and assemble stream-ciphered record from data and MAC portions.
Definition: tls.c:2213
tls_session::conn
struct list_head conn
List of connections.
Definition: tls.h:270
tls_cipherstream_window
static size_t tls_cipherstream_window(struct tls_connection *tls)
Check flow control window.
Definition: tls.c:2725
tls_connection::secure_renegotiation
int secure_renegotiation
Secure renegotiation flag.
Definition: tls.h:325
tls_send_finished
static int tls_send_finished(struct tls_connection *tls)
Transmit Finished record.
Definition: tls.c:1323
tls_new_certificate
static int tls_new_certificate(struct tls_connection *tls, const void *data, size_t len)
Receive new Certificate handshake record.
Definition: tls.c:1787
tls_signature_hash_algorithm::pubkey
struct pubkey_algorithm * pubkey
Public-key algorithm.
Definition: tls.h:193
tls_session
static int tls_session(struct tls_connection *tls, const char *name)
Find or create session for TLS connection.
Definition: tls.c:3026
tls_cipherspec::dynamic
void * dynamic
Dynamically-allocated storage.
Definition: tls.h:169
tls24_t::high
uint8_t high
High byte.
Definition: tls.c:206
tls_hmac
static void tls_hmac(struct tls_cipherspec *cipherspec, uint64_t seq, struct tls_header *tlshdr, const void *data, size_t len, void *hmac)
Calculate HMAC.
Definition: tls.c:2191
data
struct arbelprm_port_state_change_st data
Message.
Definition: arbel.h:12
hmac_update
static void hmac_update(struct digest_algorithm *digest, void *digest_ctx, const void *data, size_t len)
Update HMAC.
Definition: hmac.h:21
tls_send_client_hello
static int tls_send_client_hello(struct tls_connection *tls)
Transmit Client Hello record.
Definition: tls.c:1014
va_start
#define va_start(ap, last)
Definition: stdarg.h:7
tls_generate_random
static int tls_generate_random(struct tls_connection *tls, void *data, size_t len)
Generate random data.
Definition: tls.c:418
__rsa_digestinfo_prefix
struct rsa_digestinfo_prefix rsa_md5_sha1_prefix __rsa_digestinfo_prefix
RSA digestInfo prefix for MD5+SHA1 algorithm.
Definition: tls.c:306
EINVAL_CERTIFICATES
#define EINVAL_CERTIFICATES
Definition: tls.c:70
x509_certificate::raw
struct asn1_cursor raw
Raw certificate.
Definition: x509.h:198
TLS_MAX_FRAGMENT_LENGTH_4096
#define TLS_MAX_FRAGMENT_LENGTH_4096
Definition: tls.h:107
tls_new_handshake
static int tls_new_handshake(struct tls_connection *tls, const void *data, size_t len)
Receive new Handshake record.
Definition: tls.c:1972
tls_ready
static int tls_ready(struct tls_connection *tls)
Determine if TLS connection is ready for application data.
Definition: tls.c:242
tls_session::name
const char * name
Server name.
Definition: tls.h:257
tls_signature_hash_id
A TLS signature and hash algorithm identifier.
Definition: tls.h:181
intf_init
static void intf_init(struct interface *intf, struct interface_descriptor *desc, struct refcnt *refcnt)
Initialise an object interface.
Definition: interface.h:173
cipher_algorithm::name
const char * name
Algorithm name.
Definition: crypto.h:50
create_validator
int create_validator(struct interface *job, struct x509_chain *chain)
Instantiate a certificate validator.
Definition: validator.c:626
TLS_CERTIFICATE_VERIFY
#define TLS_CERTIFICATE_VERIFY
Definition: tls.h:71
TLS_TYPE_DATA
#define TLS_TYPE_DATA
Application data content type.
Definition: tls.h:60
ENOTSUP_SIG_HASH
#define ENOTSUP_SIG_HASH
Definition: tls.c:150
tls_generate_master_secret
static void tls_generate_master_secret(struct tls_connection *tls)
Generate master secret.
Definition: tls.c:606
tls_connection::session_id_len
size_t session_id_len
Length of session ID.
Definition: tls.h:285
TLS_TYPE_ALERT
#define TLS_TYPE_ALERT
Alert content type.
Definition: tls.h:54
add_tls
int add_tls(struct interface *xfer, const char *name, struct interface **next)
Definition: tls.c:3073
tls_connection::plainstream
struct interface plainstream
Plaintext stream.
Definition: tls.h:292
time
uint64_t time
Current time.
Definition: ntlm.h:20
md5.h
MD5 algorithm.
memcmp
int memcmp(const void *first, const void *second, size_t len)
Compare memory regions.
Definition: string.c:98
sha256.h
SHA-256 algorithm.
tls_set_cipher
static int tls_set_cipher(struct tls_connection *tls, struct tls_cipherspec *cipherspec, struct tls_cipher_suite *suite)
Set cipher suite.
Definition: tls.c:769
NULL
#define NULL
NULL pointer (VOID *)
Definition: Base.h:362
tls_new_change_cipher
static int tls_new_change_cipher(struct tls_connection *tls, const void *data, size_t len)
Receive new Change Cipher record.
Definition: tls.c:1365
string.h
String functions.
tls_prf_label
#define tls_prf_label(tls, secret, secret_len, out, out_len, label,...)
Generate secure pseudo-random data.
Definition: tls.c:587
TLS_CIPHER_SUITES
#define TLS_CIPHER_SUITES
TLS cipher suite table.
Definition: tls.h:157
pubkey_algorithm
A public key algorithm.
Definition: crypto.h:94
htons
#define htons(value)
Definition: byteswap.h:135
TLS_CLIENT_KEY_EXCHANGE
#define TLS_CLIENT_KEY_EXCHANGE
Definition: tls.h:72
pending_get
void pending_get(struct pending_operation *pending)
Mark an operation as pending.
Definition: pending.c:45
done
struct bofm_section_header done
Definition: bofm_test.c:46
TLS_SERVER_HELLO
#define TLS_SERVER_HELLO
Definition: tls.h:65
key
union @375 key
Sense key.
Definition: scsi.h:18
tls_new_server_hello_done
static int tls_new_server_hello_done(struct tls_connection *tls, const void *data, size_t len)
Receive new Server Hello Done handshake record.
Definition: tls.c:1860
TLS_FINISHED
#define TLS_FINISHED
Definition: tls.h:73
tls_connection::cert
struct x509_certificate * cert
Client certificate (if used)
Definition: tls.h:323
md5_sha1_update
static void md5_sha1_update(void *ctx, const void *data, size_t len)
Accumulate data with MD5+SHA1 algorithm.
Definition: tls.c:273
TLS_SIGNATURE_ALGORITHMS
#define TLS_SIGNATURE_ALGORITHMS
Definition: tls.h:110
EINVAL_STREAM
#define EINVAL_STREAM
Definition: tls.c:86
pubkey_algorithm::name
const char * name
Algorithm name.
Definition: crypto.h:96
md5_algorithm
struct digest_algorithm md5_algorithm
MD5 algorithm.
Definition: md5.c:287
cipher_setkey
static int cipher_setkey(struct cipher_algorithm *cipher, void *ctx, const void *key, size_t keylen)
Definition: crypto.h:187
tls_plainstream_window
static size_t tls_plainstream_window(struct tls_connection *tls)
Check flow control window.
Definition: tls.c:2541
ref_put
#define ref_put(refcnt)
Drop reference to object.
Definition: refcnt.h:106
cipher_setiv
static void cipher_setiv(struct cipher_algorithm *cipher, void *ctx, const void *iv)
Definition: crypto.h:192
tls_cipher_suite::code
uint16_t code
Numeric code (in network-endian order)
Definition: tls.h:153
sha1_algorithm
struct digest_algorithm sha1_algorithm
SHA-1 algorithm.
Definition: sha1.c:258
tls_p_hash_va
static void tls_p_hash_va(struct tls_connection *tls, struct digest_algorithm *digest, void *secret, size_t secret_len, void *out, size_t out_len, va_list seeds)
Generate secure pseudo-random data using a single hash function.
Definition: tls.c:463
pubkey_init
static int pubkey_init(struct pubkey_algorithm *pubkey, void *ctx, const void *key, size_t key_len)
Definition: crypto.h:221
tls_cipherspec::mac_secret
void * mac_secret
MAC secret.
Definition: tls.h:177
tls_connection::tx_seq
uint64_t tx_seq
TX sequence number.
Definition: tls.h:342
tls_new_alert
static int tls_new_alert(struct tls_connection *tls, const void *data, size_t len)
Receive new Alert record.
Definition: tls.c:1394
memset
void * memset(void *dest, int character, size_t len) __nonnull
tls_pre_master_secret::version
uint16_t version
TLS version.
Definition: tls.h:214
io_buffer
A persistent I/O buffer.
Definition: iobuf.h:32
tls_cipherspec::cipher_next_ctx
void * cipher_next_ctx
Next bulk encryption cipher context (TX only)
Definition: tls.h:175
Generated by   doxygen 1.8.15