iPXE
tls.c
Go to the documentation of this file.
1 /*
2  * Copyright (C) 2007 Michael Brown <mbrown@fensystems.co.uk>.
3  *
4  * This program is free software; you can redistribute it and/or
5  * modify it under the terms of the GNU General Public License as
6  * published by the Free Software Foundation; either version 2 of the
7  * License, or any later version.
8  *
9  * This program is distributed in the hope that it will be useful, but
10  * WITHOUT ANY WARRANTY; without even the implied warranty of
11  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12  * General Public License for more details.
13  *
14  * You should have received a copy of the GNU General Public License
15  * along with this program; if not, write to the Free Software
16  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
17  * 02110-1301, USA.
18  */
19 
20 FILE_LICENCE ( GPL2_OR_LATER );
21 
22 /**
23  * @file
24  *
25  * Transport Layer Security Protocol
26  */
27 
28 #include <stdint.h>
29 #include <stdlib.h>
30 #include <stdarg.h>
31 #include <string.h>
32 #include <time.h>
33 #include <errno.h>
34 #include <byteswap.h>
35 #include <ipxe/pending.h>
36 #include <ipxe/hmac.h>
37 #include <ipxe/md5.h>
38 #include <ipxe/sha1.h>
39 #include <ipxe/sha256.h>
40 #include <ipxe/aes.h>
41 #include <ipxe/rsa.h>
42 #include <ipxe/iobuf.h>
43 #include <ipxe/xfer.h>
44 #include <ipxe/open.h>
45 #include <ipxe/x509.h>
46 #include <ipxe/privkey.h>
47 #include <ipxe/certstore.h>
48 #include <ipxe/rootcert.h>
49 #include <ipxe/rbg.h>
50 #include <ipxe/validator.h>
51 #include <ipxe/job.h>
52 #include <ipxe/dhe.h>
53 #include <ipxe/tls.h>
54 #include <config/crypto.h>
55 
56 /* Disambiguate the various error causes */
57 #define EINVAL_CHANGE_CIPHER __einfo_error ( EINFO_EINVAL_CHANGE_CIPHER )
58 #define EINFO_EINVAL_CHANGE_CIPHER \
59  __einfo_uniqify ( EINFO_EINVAL, 0x01, \
60  "Invalid Change Cipher record" )
61 #define EINVAL_ALERT __einfo_error ( EINFO_EINVAL_ALERT )
62 #define EINFO_EINVAL_ALERT \
63  __einfo_uniqify ( EINFO_EINVAL, 0x02, \
64  "Invalid Alert record" )
65 #define EINVAL_HELLO __einfo_error ( EINFO_EINVAL_HELLO )
66 #define EINFO_EINVAL_HELLO \
67  __einfo_uniqify ( EINFO_EINVAL, 0x03, \
68  "Invalid Server Hello record" )
69 #define EINVAL_CERTIFICATE __einfo_error ( EINFO_EINVAL_CERTIFICATE )
70 #define EINFO_EINVAL_CERTIFICATE \
71  __einfo_uniqify ( EINFO_EINVAL, 0x04, \
72  "Invalid Certificate" )
73 #define EINVAL_CERTIFICATES __einfo_error ( EINFO_EINVAL_CERTIFICATES )
74 #define EINFO_EINVAL_CERTIFICATES \
75  __einfo_uniqify ( EINFO_EINVAL, 0x05, \
76  "Invalid Server Certificate record" )
77 #define EINVAL_HELLO_DONE __einfo_error ( EINFO_EINVAL_HELLO_DONE )
78 #define EINFO_EINVAL_HELLO_DONE \
79  __einfo_uniqify ( EINFO_EINVAL, 0x06, \
80  "Invalid Server Hello Done record" )
81 #define EINVAL_FINISHED __einfo_error ( EINFO_EINVAL_FINISHED )
82 #define EINFO_EINVAL_FINISHED \
83  __einfo_uniqify ( EINFO_EINVAL, 0x07, \
84  "Invalid Server Finished record" )
85 #define EINVAL_HANDSHAKE __einfo_error ( EINFO_EINVAL_HANDSHAKE )
86 #define EINFO_EINVAL_HANDSHAKE \
87  __einfo_uniqify ( EINFO_EINVAL, 0x08, \
88  "Invalid Handshake record" )
89 #define EINVAL_IV __einfo_error ( EINFO_EINVAL_IV )
90 #define EINFO_EINVAL_IV \
91  __einfo_uniqify ( EINFO_EINVAL, 0x0a, \
92  "Invalid initialisation vector" )
93 #define EINVAL_PADDING __einfo_error ( EINFO_EINVAL_PADDING )
94 #define EINFO_EINVAL_PADDING \
95  __einfo_uniqify ( EINFO_EINVAL, 0x0b, \
96  "Invalid block padding" )
97 #define EINVAL_RX_STATE __einfo_error ( EINFO_EINVAL_RX_STATE )
98 #define EINFO_EINVAL_RX_STATE \
99  __einfo_uniqify ( EINFO_EINVAL, 0x0c, \
100  "Invalid receive state" )
101 #define EINVAL_MAC __einfo_error ( EINFO_EINVAL_MAC )
102 #define EINFO_EINVAL_MAC \
103  __einfo_uniqify ( EINFO_EINVAL, 0x0d, \
104  "Invalid MAC or authentication tag" )
105 #define EINVAL_TICKET __einfo_error ( EINFO_EINVAL_TICKET )
106 #define EINFO_EINVAL_TICKET \
107  __einfo_uniqify ( EINFO_EINVAL, 0x0e, \
108  "Invalid New Session Ticket record")
109 #define EINVAL_KEY_EXCHANGE __einfo_error ( EINFO_EINVAL_KEY_EXCHANGE )
110 #define EINFO_EINVAL_KEY_EXCHANGE \
111  __einfo_uniqify ( EINFO_EINVAL, 0x0f, \
112  "Invalid Server Key Exchange record" )
113 #define EIO_ALERT __einfo_error ( EINFO_EIO_ALERT )
114 #define EINFO_EIO_ALERT \
115  __einfo_uniqify ( EINFO_EIO, 0x01, \
116  "Unknown alert level" )
117 #define ENOMEM_CONTEXT __einfo_error ( EINFO_ENOMEM_CONTEXT )
118 #define EINFO_ENOMEM_CONTEXT \
119  __einfo_uniqify ( EINFO_ENOMEM, 0x01, \
120  "Not enough space for crypto context" )
121 #define ENOMEM_CERTIFICATE __einfo_error ( EINFO_ENOMEM_CERTIFICATE )
122 #define EINFO_ENOMEM_CERTIFICATE \
123  __einfo_uniqify ( EINFO_ENOMEM, 0x02, \
124  "Not enough space for certificate" )
125 #define ENOMEM_CHAIN __einfo_error ( EINFO_ENOMEM_CHAIN )
126 #define EINFO_ENOMEM_CHAIN \
127  __einfo_uniqify ( EINFO_ENOMEM, 0x03, \
128  "Not enough space for certificate chain" )
129 #define ENOMEM_TX_PLAINTEXT __einfo_error ( EINFO_ENOMEM_TX_PLAINTEXT )
130 #define EINFO_ENOMEM_TX_PLAINTEXT \
131  __einfo_uniqify ( EINFO_ENOMEM, 0x04, \
132  "Not enough space for transmitted plaintext" )
133 #define ENOMEM_TX_CIPHERTEXT __einfo_error ( EINFO_ENOMEM_TX_CIPHERTEXT )
134 #define EINFO_ENOMEM_TX_CIPHERTEXT \
135  __einfo_uniqify ( EINFO_ENOMEM, 0x05, \
136  "Not enough space for transmitted ciphertext" )
137 #define ENOMEM_RX_DATA __einfo_error ( EINFO_ENOMEM_RX_DATA )
138 #define EINFO_ENOMEM_RX_DATA \
139  __einfo_uniqify ( EINFO_ENOMEM, 0x07, \
140  "Not enough space for received data" )
141 #define ENOMEM_RX_CONCAT __einfo_error ( EINFO_ENOMEM_RX_CONCAT )
142 #define EINFO_ENOMEM_RX_CONCAT \
143  __einfo_uniqify ( EINFO_ENOMEM, 0x08, \
144  "Not enough space to concatenate received data" )
145 #define ENOTSUP_CIPHER __einfo_error ( EINFO_ENOTSUP_CIPHER )
146 #define EINFO_ENOTSUP_CIPHER \
147  __einfo_uniqify ( EINFO_ENOTSUP, 0x01, \
148  "Unsupported cipher" )
149 #define ENOTSUP_NULL __einfo_error ( EINFO_ENOTSUP_NULL )
150 #define EINFO_ENOTSUP_NULL \
151  __einfo_uniqify ( EINFO_ENOTSUP, 0x02, \
152  "Refusing to use null cipher" )
153 #define ENOTSUP_SIG_HASH __einfo_error ( EINFO_ENOTSUP_SIG_HASH )
154 #define EINFO_ENOTSUP_SIG_HASH \
155  __einfo_uniqify ( EINFO_ENOTSUP, 0x03, \
156  "Unsupported signature and hash algorithm" )
157 #define ENOTSUP_VERSION __einfo_error ( EINFO_ENOTSUP_VERSION )
158 #define EINFO_ENOTSUP_VERSION \
159  __einfo_uniqify ( EINFO_ENOTSUP, 0x04, \
160  "Unsupported protocol version" )
161 #define EPERM_ALERT __einfo_error ( EINFO_EPERM_ALERT )
162 #define EINFO_EPERM_ALERT \
163  __einfo_uniqify ( EINFO_EPERM, 0x01, \
164  "Received fatal alert" )
165 #define EPERM_VERIFY __einfo_error ( EINFO_EPERM_VERIFY )
166 #define EINFO_EPERM_VERIFY \
167  __einfo_uniqify ( EINFO_EPERM, 0x02, \
168  "Handshake verification failed" )
169 #define EPERM_CLIENT_CERT __einfo_error ( EINFO_EPERM_CLIENT_CERT )
170 #define EINFO_EPERM_CLIENT_CERT \
171  __einfo_uniqify ( EINFO_EPERM, 0x03, \
172  "No suitable client certificate available" )
173 #define EPERM_RENEG_INSECURE __einfo_error ( EINFO_EPERM_RENEG_INSECURE )
174 #define EINFO_EPERM_RENEG_INSECURE \
175  __einfo_uniqify ( EINFO_EPERM, 0x04, \
176  "Secure renegotiation not supported" )
177 #define EPERM_RENEG_VERIFY __einfo_error ( EINFO_EPERM_RENEG_VERIFY )
178 #define EINFO_EPERM_RENEG_VERIFY \
179  __einfo_uniqify ( EINFO_EPERM, 0x05, \
180  "Secure renegotiation verification failed" )
181 #define EPERM_KEY_EXCHANGE __einfo_error ( EINFO_EPERM_KEY_EXCHANGE )
182 #define EINFO_EPERM_KEY_EXCHANGE \
183  __einfo_uniqify ( EINFO_EPERM, 0x06, \
184  "ServerKeyExchange verification failed" )
185 #define EPROTO_VERSION __einfo_error ( EINFO_EPROTO_VERSION )
186 #define EINFO_EPROTO_VERSION \
187  __einfo_uniqify ( EINFO_EPROTO, 0x01, \
188  "Illegal protocol version upgrade" )
189 
190 /** List of TLS session */
191 static LIST_HEAD ( tls_sessions );
192 
193 static void tls_tx_resume_all ( struct tls_session *session );
194 static int tls_send_plaintext ( struct tls_connection *tls, unsigned int type,
195  const void *data, size_t len );
196 static void tls_clear_cipher ( struct tls_connection *tls,
197  struct tls_cipherspec *cipherspec );
198 
199 /******************************************************************************
200  *
201  * Utility functions
202  *
203  ******************************************************************************
204  */
205 
206 /** A TLS 24-bit integer
207  *
208  * TLS uses 24-bit integers in several places, which are awkward to
209  * parse in C.
210  */
211 typedef struct {
212  /** High byte */
213  uint8_t high;
214  /** Low word */
215  uint16_t low;
216 } __attribute__ (( packed )) tls24_t;
217 
218 /**
219  * Extract 24-bit field value
220  *
221  * @v field24 24-bit field
222  * @ret value Field value
223  *
224  */
225 static inline __attribute__ (( always_inline )) unsigned long
226 tls_uint24 ( const tls24_t *field24 ) {
227 
228  return ( ( field24->high << 16 ) | be16_to_cpu ( field24->low ) );
229 }
230 
231 /**
232  * Set 24-bit field value
233  *
234  * @v field24 24-bit field
235  * @v value Field value
236  */
237 static void tls_set_uint24 ( tls24_t *field24, unsigned long value ) {
238 
239  field24->high = ( value >> 16 );
240  field24->low = cpu_to_be16 ( value );
241 }
242 
243 /**
244  * Determine if TLS connection is ready for application data
245  *
246  * @v tls TLS connection
247  * @ret is_ready TLS connection is ready
248  */
249 static int tls_ready ( struct tls_connection *tls ) {
250  return ( ( ! is_pending ( &tls->client_negotiation ) ) &&
251  ( ! is_pending ( &tls->server_negotiation ) ) );
252 }
253 
254 /**
255  * Check for TLS version
256  *
257  * @v tls TLS connection
258  * @v version TLS version
259  * @ret at_least TLS connection is using at least the specified version
260  *
261  * Check that TLS connection uses at least the specified protocol
262  * version. Optimise down to a compile-time constant true result if
263  * this is already guaranteed by the minimum supported version check.
264  */
265 static inline __attribute__ (( always_inline )) int
266 tls_version ( struct tls_connection *tls, unsigned int version ) {
267  return ( ( TLS_VERSION_MIN >= version ) ||
268  ( tls->version >= version ) );
269 }
270 
271 /******************************************************************************
272  *
273  * Hybrid MD5+SHA1 hash as used by TLSv1.1 and earlier
274  *
275  ******************************************************************************
276  */
277 
278 /**
279  * Initialise MD5+SHA1 algorithm
280  *
281  * @v ctx MD5+SHA1 context
282  */
283 static void md5_sha1_init ( void *ctx ) {
284  struct md5_sha1_context *context = ctx;
285 
286  digest_init ( &md5_algorithm, context->md5 );
287  digest_init ( &sha1_algorithm, context->sha1 );
288 }
289 
290 /**
291  * Accumulate data with MD5+SHA1 algorithm
292  *
293  * @v ctx MD5+SHA1 context
294  * @v data Data
295  * @v len Length of data
296  */
297 static void md5_sha1_update ( void *ctx, const void *data, size_t len ) {
298  struct md5_sha1_context *context = ctx;
299 
300  digest_update ( &md5_algorithm, context->md5, data, len );
301  digest_update ( &sha1_algorithm, context->sha1, data, len );
302 }
303 
304 /**
305  * Generate MD5+SHA1 digest
306  *
307  * @v ctx MD5+SHA1 context
308  * @v out Output buffer
309  */
310 static void md5_sha1_final ( void *ctx, void *out ) {
311  struct md5_sha1_context *context = ctx;
312  struct md5_sha1_digest *digest = out;
313 
314  digest_final ( &md5_algorithm, context->md5, digest->md5 );
315  digest_final ( &sha1_algorithm, context->sha1, digest->sha1 );
316 }
317 
318 /** Hybrid MD5+SHA1 digest algorithm */
319 static struct digest_algorithm md5_sha1_algorithm = {
320  .name = "md5+sha1",
321  .ctxsize = sizeof ( struct md5_sha1_context ),
322  .blocksize = 0, /* Not applicable */
323  .digestsize = sizeof ( struct md5_sha1_digest ),
324  .init = md5_sha1_init,
325  .update = md5_sha1_update,
326  .final = md5_sha1_final,
327 };
328 
329 /** RSA digestInfo prefix for MD5+SHA1 algorithm */
330 struct rsa_digestinfo_prefix rsa_md5_sha1_prefix __rsa_digestinfo_prefix = {
331  .digest = &md5_sha1_algorithm,
332  .data = NULL, /* MD5+SHA1 signatures have no digestInfo */
333  .len = 0,
334 };
335 
336 /******************************************************************************
337  *
338  * Cleanup functions
339  *
340  ******************************************************************************
341  */
342 
343 /**
344  * Free TLS session
345  *
346  * @v refcnt Reference counter
347  */
348 static void free_tls_session ( struct refcnt *refcnt ) {
349  struct tls_session *session =
350  container_of ( refcnt, struct tls_session, refcnt );
351 
352  /* Sanity check */
353  assert ( list_empty ( &session->conn ) );
354 
355  /* Remove from list of sessions */
356  list_del ( &session->list );
357 
358  /* Free dynamically-allocated resources */
359  x509_root_put ( session->root );
360  privkey_put ( session->key );
361  free ( session->ticket );
362 
363  /* Free session */
364  free ( session );
365 }
366 
367 /**
368  * Free TLS connection
369  *
370  * @v refcnt Reference counter
371  */
372 static void free_tls ( struct refcnt *refcnt ) {
373  struct tls_connection *tls =
374  container_of ( refcnt, struct tls_connection, refcnt );
375  struct tls_session *session = tls->session;
376  struct io_buffer *iobuf;
377  struct io_buffer *tmp;
378 
379  /* Free dynamically-allocated resources */
380  free ( tls->new_session_ticket );
381  tls_clear_cipher ( tls, &tls->tx_cipherspec );
382  tls_clear_cipher ( tls, &tls->tx_cipherspec_pending );
383  tls_clear_cipher ( tls, &tls->rx_cipherspec );
384  tls_clear_cipher ( tls, &tls->rx_cipherspec_pending );
385  free ( tls->server_key );
386  free ( tls->handshake_ctx );
387  list_for_each_entry_safe ( iobuf, tmp, &tls->rx_data, list ) {
388  list_del ( &iobuf->list );
389  free_iob ( iobuf );
390  }
391  x509_chain_put ( tls->certs );
392  x509_chain_put ( tls->chain );
393  x509_root_put ( tls->root );
394  privkey_put ( tls->key );
395 
396  /* Drop reference to session */
397  assert ( list_empty ( &tls->list ) );
398  ref_put ( &session->refcnt );
399 
400  /* Free TLS structure itself */
401  free ( tls );
402 }
403 
404 /**
405  * Finish with TLS connection
406  *
407  * @v tls TLS connection
408  * @v rc Status code
409  */
410 static void tls_close ( struct tls_connection *tls, int rc ) {
411 
412  /* Remove pending operations, if applicable */
413  pending_put ( &tls->client_negotiation );
414  pending_put ( &tls->server_negotiation );
415  pending_put ( &tls->validation );
416 
417  /* Remove process */
418  process_del ( &tls->process );
419 
420  /* Close all interfaces */
421  intf_shutdown ( &tls->cipherstream, rc );
422  intf_shutdown ( &tls->plainstream, rc );
423  intf_shutdown ( &tls->validator, rc );
424 
425  /* Remove from session */
426  list_del ( &tls->list );
427  INIT_LIST_HEAD ( &tls->list );
428 
429  /* Resume all other connections, in case we were the lead connection */
430  tls_tx_resume_all ( tls->session );
431 }
432 
433 /******************************************************************************
434  *
435  * Random number generation
436  *
437  ******************************************************************************
438  */
439 
440 /**
441  * Generate random data
442  *
443  * @v tls TLS connection
444  * @v data Buffer to fill
445  * @v len Length of buffer
446  * @ret rc Return status code
447  */
448 static int tls_generate_random ( struct tls_connection *tls,
449  void *data, size_t len ) {
450  int rc;
451 
452  /* Generate random bits with no additional input and without
453  * prediction resistance
454  */
455  if ( ( rc = rbg_generate ( NULL, 0, 0, data, len ) ) != 0 ) {
456  DBGC ( tls, "TLS %p could not generate random data: %s\n",
457  tls, strerror ( rc ) );
458  return rc;
459  }
460 
461  return 0;
462 }
463 
464 /**
465  * Update HMAC with a list of ( data, len ) pairs
466  *
467  * @v digest Hash function to use
468  * @v ctx HMAC context
469  * @v args ( data, len ) pairs of data, terminated by NULL
470  */
471 static void tls_hmac_update_va ( struct digest_algorithm *digest,
472  void *ctx, va_list args ) {
473  void *data;
474  size_t len;
475 
476  while ( ( data = va_arg ( args, void * ) ) ) {
477  len = va_arg ( args, size_t );
478  hmac_update ( digest, ctx, data, len );
479  }
480 }
481 
482 /**
483  * Generate secure pseudo-random data using a single hash function
484  *
485  * @v tls TLS connection
486  * @v digest Hash function to use
487  * @v secret Secret
488  * @v secret_len Length of secret
489  * @v out Output buffer
490  * @v out_len Length of output buffer
491  * @v seeds ( data, len ) pairs of seed data, terminated by NULL
492  */
493 static void tls_p_hash_va ( struct tls_connection *tls,
494  struct digest_algorithm *digest,
495  const void *secret, size_t secret_len,
496  void *out, size_t out_len,
497  va_list seeds ) {
498  uint8_t ctx[ hmac_ctxsize ( digest ) ];
499  uint8_t ctx_partial[ sizeof ( ctx ) ];
500  uint8_t a[digest->digestsize];
501  uint8_t out_tmp[digest->digestsize];
502  size_t frag_len = digest->digestsize;
503  va_list tmp;
504 
505  DBGC2 ( tls, "TLS %p %s secret:\n", tls, digest->name );
506  DBGC2_HD ( tls, secret, secret_len );
507 
508  /* Calculate A(1) */
509  hmac_init ( digest, ctx, secret, secret_len );
510  va_copy ( tmp, seeds );
511  tls_hmac_update_va ( digest, ctx, tmp );
512  va_end ( tmp );
513  hmac_final ( digest, ctx, a );
514  DBGC2 ( tls, "TLS %p %s A(1):\n", tls, digest->name );
515  DBGC2_HD ( tls, &a, sizeof ( a ) );
516 
517  /* Generate as much data as required */
518  while ( out_len ) {
519  /* Calculate output portion */
520  hmac_init ( digest, ctx, secret, secret_len );
521  hmac_update ( digest, ctx, a, sizeof ( a ) );
522  memcpy ( ctx_partial, ctx, sizeof ( ctx_partial ) );
523  va_copy ( tmp, seeds );
524  tls_hmac_update_va ( digest, ctx, tmp );
525  va_end ( tmp );
526  hmac_final ( digest, ctx, out_tmp );
527 
528  /* Copy output */
529  if ( frag_len > out_len )
530  frag_len = out_len;
531  memcpy ( out, out_tmp, frag_len );
532  DBGC2 ( tls, "TLS %p %s output:\n", tls, digest->name );
533  DBGC2_HD ( tls, out, frag_len );
534 
535  /* Calculate A(i) */
536  hmac_final ( digest, ctx_partial, a );
537  DBGC2 ( tls, "TLS %p %s A(n):\n", tls, digest->name );
538  DBGC2_HD ( tls, &a, sizeof ( a ) );
539 
540  out += frag_len;
541  out_len -= frag_len;
542  }
543 }
544 
545 /**
546  * Generate secure pseudo-random data
547  *
548  * @v tls TLS connection
549  * @v secret Secret
550  * @v secret_len Length of secret
551  * @v out Output buffer
552  * @v out_len Length of output buffer
553  * @v ... ( data, len ) pairs of seed data, terminated by NULL
554  */
555 static void tls_prf ( struct tls_connection *tls, const void *secret,
556  size_t secret_len, void *out, size_t out_len, ... ) {
557  va_list seeds;
558  va_list tmp;
559  size_t subsecret_len;
560  const void *md5_secret;
561  const void *sha1_secret;
562  uint8_t buf[out_len];
563  unsigned int i;
564 
565  va_start ( seeds, out_len );
566 
567  if ( tls_version ( tls, TLS_VERSION_TLS_1_2 ) ) {
568  /* Use handshake digest PRF for TLSv1.2 and later */
569  tls_p_hash_va ( tls, tls->handshake_digest, secret, secret_len,
570  out, out_len, seeds );
571  } else {
572  /* Use combination of P_MD5 and P_SHA-1 for TLSv1.1
573  * and earlier
574  */
575 
576  /* Split secret into two, with an overlap of up to one byte */
577  subsecret_len = ( ( secret_len + 1 ) / 2 );
578  md5_secret = secret;
579  sha1_secret = ( secret + secret_len - subsecret_len );
580 
581  /* Calculate MD5 portion */
582  va_copy ( tmp, seeds );
583  tls_p_hash_va ( tls, &md5_algorithm, md5_secret,
584  subsecret_len, out, out_len, seeds );
585  va_end ( tmp );
586 
587  /* Calculate SHA1 portion */
588  va_copy ( tmp, seeds );
589  tls_p_hash_va ( tls, &sha1_algorithm, sha1_secret,
590  subsecret_len, buf, out_len, seeds );
591  va_end ( tmp );
592 
593  /* XOR the two portions together into the final output buffer */
594  for ( i = 0 ; i < out_len ; i++ )
595  *( ( uint8_t * ) out + i ) ^= buf[i];
596  }
597 
598  va_end ( seeds );
599 }
600 
601 /**
602  * Generate secure pseudo-random data
603  *
604  * @v secret Secret
605  * @v secret_len Length of secret
606  * @v out Output buffer
607  * @v out_len Length of output buffer
608  * @v label String literal label
609  * @v ... ( data, len ) pairs of seed data
610  */
611 #define tls_prf_label( tls, secret, secret_len, out, out_len, label, ... ) \
612  tls_prf ( (tls), (secret), (secret_len), (out), (out_len), \
613  label, ( sizeof ( label ) - 1 ), __VA_ARGS__, NULL )
614 
615 /******************************************************************************
616  *
617  * Secret management
618  *
619  ******************************************************************************
620  */
621 
622 /**
623  * Generate master secret
624  *
625  * @v tls TLS connection
626  * @v pre_master_secret Pre-master secret
627  * @v pre_master_secret_len Length of pre-master secret
628  *
629  * The client and server random values must already be known.
630  */
631 static void tls_generate_master_secret ( struct tls_connection *tls,
632  const void *pre_master_secret,
633  size_t pre_master_secret_len ) {
634 
635  DBGC ( tls, "TLS %p pre-master-secret:\n", tls );
636  DBGC_HD ( tls, pre_master_secret, pre_master_secret_len );
637  DBGC ( tls, "TLS %p client random bytes:\n", tls );
638  DBGC_HD ( tls, &tls->client_random, sizeof ( tls->client_random ) );
639  DBGC ( tls, "TLS %p server random bytes:\n", tls );
640  DBGC_HD ( tls, &tls->server_random, sizeof ( tls->server_random ) );
641 
642  tls_prf_label ( tls, pre_master_secret, pre_master_secret_len,
643  &tls->master_secret, sizeof ( tls->master_secret ),
644  "master secret",
645  &tls->client_random, sizeof ( tls->client_random ),
646  &tls->server_random, sizeof ( tls->server_random ) );
647 
648  DBGC ( tls, "TLS %p generated master secret:\n", tls );
649  DBGC_HD ( tls, &tls->master_secret, sizeof ( tls->master_secret ) );
650 }
651 
652 /**
653  * Generate key material
654  *
655  * @v tls TLS connection
656  *
657  * The master secret must already be known.
658  */
659 static int tls_generate_keys ( struct tls_connection *tls ) {
660  struct tls_cipherspec *tx_cipherspec = &tls->tx_cipherspec_pending;
661  struct tls_cipherspec *rx_cipherspec = &tls->rx_cipherspec_pending;
662  size_t hash_size = tx_cipherspec->suite->mac_len;
663  size_t key_size = tx_cipherspec->suite->key_len;
664  size_t iv_size = tx_cipherspec->suite->fixed_iv_len;
665  size_t total = ( 2 * ( hash_size + key_size + iv_size ) );
666  uint8_t key_block[total];
667  uint8_t *key;
668  int rc;
669 
670  /* Generate key block */
671  tls_prf_label ( tls, &tls->master_secret, sizeof ( tls->master_secret ),
672  key_block, sizeof ( key_block ), "key expansion",
673  &tls->server_random, sizeof ( tls->server_random ),
674  &tls->client_random, sizeof ( tls->client_random ) );
675 
676  /* Split key block into portions */
677  key = key_block;
678 
679  /* TX MAC secret */
680  memcpy ( tx_cipherspec->mac_secret, key, hash_size );
681  DBGC ( tls, "TLS %p TX MAC secret:\n", tls );
682  DBGC_HD ( tls, key, hash_size );
683  key += hash_size;
684 
685  /* RX MAC secret */
686  memcpy ( rx_cipherspec->mac_secret, key, hash_size );
687  DBGC ( tls, "TLS %p RX MAC secret:\n", tls );
688  DBGC_HD ( tls, key, hash_size );
689  key += hash_size;
690 
691  /* TX key */
692  if ( ( rc = cipher_setkey ( tx_cipherspec->suite->cipher,
693  tx_cipherspec->cipher_ctx,
694  key, key_size ) ) != 0 ) {
695  DBGC ( tls, "TLS %p could not set TX key: %s\n",
696  tls, strerror ( rc ) );
697  return rc;
698  }
699  DBGC ( tls, "TLS %p TX key:\n", tls );
700  DBGC_HD ( tls, key, key_size );
701  key += key_size;
702 
703  /* RX key */
704  if ( ( rc = cipher_setkey ( rx_cipherspec->suite->cipher,
705  rx_cipherspec->cipher_ctx,
706  key, key_size ) ) != 0 ) {
707  DBGC ( tls, "TLS %p could not set TX key: %s\n",
708  tls, strerror ( rc ) );
709  return rc;
710  }
711  DBGC ( tls, "TLS %p RX key:\n", tls );
712  DBGC_HD ( tls, key, key_size );
713  key += key_size;
714 
715  /* TX initialisation vector */
716  memcpy ( tx_cipherspec->fixed_iv, key, iv_size );
717  DBGC ( tls, "TLS %p TX IV:\n", tls );
718  DBGC_HD ( tls, key, iv_size );
719  key += iv_size;
720 
721  /* RX initialisation vector */
722  memcpy ( rx_cipherspec->fixed_iv, key, iv_size );
723  DBGC ( tls, "TLS %p RX IV:\n", tls );
724  DBGC_HD ( tls, key, iv_size );
725  key += iv_size;
726 
727  assert ( ( key_block + total ) == key );
728 
729  return 0;
730 }
731 
732 /******************************************************************************
733  *
734  * Handshake verification
735  *
736  ******************************************************************************
737  */
738 
739 /**
740  * Clear handshake digest algorithm
741  *
742  * @v tls TLS connection
743  */
744 static void tls_clear_handshake ( struct tls_connection *tls ) {
745 
746  /* Select null digest algorithm */
747  tls->handshake_digest = &digest_null;
748 
749  /* Free any existing context */
750  free ( tls->handshake_ctx );
751  tls->handshake_ctx = NULL;
752 }
753 
754 /**
755  * Select handshake digest algorithm
756  *
757  * @v tls TLS connection
758  * @v digest Handshake digest algorithm
759  * @ret rc Return status code
760  */
761 static int tls_select_handshake ( struct tls_connection *tls,
762  struct digest_algorithm *digest ) {
763 
764  /* Clear existing handshake digest */
765  tls_clear_handshake ( tls );
766 
767  /* Allocate and initialise context */
768  tls->handshake_ctx = malloc ( digest->ctxsize );
769  if ( ! tls->handshake_ctx )
770  return -ENOMEM;
771  tls->handshake_digest = digest;
772  digest_init ( digest, tls->handshake_ctx );
773 
774  return 0;
775 }
776 
777 /**
778  * Add handshake record to verification hash
779  *
780  * @v tls TLS connection
781  * @v data Handshake record
782  * @v len Length of handshake record
783  * @ret rc Return status code
784  */
785 static int tls_add_handshake ( struct tls_connection *tls,
786  const void *data, size_t len ) {
787  struct digest_algorithm *digest = tls->handshake_digest;
788 
789  digest_update ( digest, tls->handshake_ctx, data, len );
790  return 0;
791 }
792 
793 /**
794  * Calculate handshake verification hash
795  *
796  * @v tls TLS connection
797  * @v out Output buffer
798  *
799  * Calculates the digest over all handshake messages seen so far.
800  */
801 static void tls_verify_handshake ( struct tls_connection *tls, void *out ) {
802  struct digest_algorithm *digest = tls->handshake_digest;
803  uint8_t ctx[ digest->ctxsize ];
804 
805  memcpy ( ctx, tls->handshake_ctx, sizeof ( ctx ) );
806  digest_final ( digest, ctx, out );
807 }
808 
809 /******************************************************************************
810  *
811  * Cipher suite management
812  *
813  ******************************************************************************
814  */
815 
816 /** Null cipher suite */
817 struct tls_cipher_suite tls_cipher_suite_null = {
818  .exchange = &tls_pubkey_exchange_algorithm,
819  .pubkey = &pubkey_null,
820  .cipher = &cipher_null,
821  .digest = &digest_null,
822 };
823 
824 /** Number of supported cipher suites */
825 #define TLS_NUM_CIPHER_SUITES table_num_entries ( TLS_CIPHER_SUITES )
826 
827 /**
828  * Identify cipher suite
829  *
830  * @v cipher_suite Cipher suite specification
831  * @ret suite Cipher suite, or NULL
832  */
833 static struct tls_cipher_suite *
834 tls_find_cipher_suite ( unsigned int cipher_suite ) {
835  struct tls_cipher_suite *suite;
836 
837  /* Identify cipher suite */
838  for_each_table_entry ( suite, TLS_CIPHER_SUITES ) {
839  if ( suite->code == cipher_suite )
840  return suite;
841  }
842 
843  return NULL;
844 }
845 
846 /**
847  * Clear cipher suite
848  *
849  * @v cipherspec TLS cipher specification
850  */
851 static void tls_clear_cipher ( struct tls_connection *tls __unused,
852  struct tls_cipherspec *cipherspec ) {
853 
854  if ( cipherspec->suite ) {
855  pubkey_final ( cipherspec->suite->pubkey,
856  cipherspec->pubkey_ctx );
857  }
858  free ( cipherspec->dynamic );
859  memset ( cipherspec, 0, sizeof ( *cipherspec ) );
860  cipherspec->suite = &tls_cipher_suite_null;
861 }
862 
863 /**
864  * Set cipher suite
865  *
866  * @v tls TLS connection
867  * @v cipherspec TLS cipher specification
868  * @v suite Cipher suite
869  * @ret rc Return status code
870  */
871 static int tls_set_cipher ( struct tls_connection *tls,
872  struct tls_cipherspec *cipherspec,
873  struct tls_cipher_suite *suite ) {
874  struct pubkey_algorithm *pubkey = suite->pubkey;
875  struct cipher_algorithm *cipher = suite->cipher;
876  size_t total;
877  void *dynamic;
878 
879  /* Clear out old cipher contents, if any */
880  tls_clear_cipher ( tls, cipherspec );
881 
882  /* Allocate dynamic storage */
883  total = ( pubkey->ctxsize + cipher->ctxsize + suite->mac_len +
884  suite->fixed_iv_len );
885  dynamic = zalloc ( total );
886  if ( ! dynamic ) {
887  DBGC ( tls, "TLS %p could not allocate %zd bytes for crypto "
888  "context\n", tls, total );
889  return -ENOMEM_CONTEXT;
890  }
891 
892  /* Assign storage */
893  cipherspec->dynamic = dynamic;
894  cipherspec->pubkey_ctx = dynamic; dynamic += pubkey->ctxsize;
895  cipherspec->cipher_ctx = dynamic; dynamic += cipher->ctxsize;
896  cipherspec->mac_secret = dynamic; dynamic += suite->mac_len;
897  cipherspec->fixed_iv = dynamic; dynamic += suite->fixed_iv_len;
898  assert ( ( cipherspec->dynamic + total ) == dynamic );
899 
900  /* Store parameters */
901  cipherspec->suite = suite;
902 
903  return 0;
904 }
905 
906 /**
907  * Select next cipher suite
908  *
909  * @v tls TLS connection
910  * @v cipher_suite Cipher suite specification
911  * @ret rc Return status code
912  */
913 static int tls_select_cipher ( struct tls_connection *tls,
914  unsigned int cipher_suite ) {
915  struct tls_cipher_suite *suite;
916  struct digest_algorithm *digest;
917  int rc;
918 
919  /* Identify cipher suite */
920  suite = tls_find_cipher_suite ( cipher_suite );
921  if ( ! suite ) {
922  DBGC ( tls, "TLS %p does not support cipher %04x\n",
923  tls, ntohs ( cipher_suite ) );
924  return -ENOTSUP_CIPHER;
925  }
926 
927  /* Set handshake digest algorithm */
928  digest = ( tls_version ( tls, TLS_VERSION_TLS_1_2 ) ?
929  suite->handshake : &md5_sha1_algorithm );
930  if ( ( rc = tls_select_handshake ( tls, digest ) ) != 0 )
931  return rc;
932 
933  /* Set ciphers */
934  if ( ( rc = tls_set_cipher ( tls, &tls->tx_cipherspec_pending,
935  suite ) ) != 0 )
936  return rc;
937  if ( ( rc = tls_set_cipher ( tls, &tls->rx_cipherspec_pending,
938  suite ) ) != 0 )
939  return rc;
940 
941  DBGC ( tls, "TLS %p selected %s-%s-%s-%d-%s\n", tls,
942  suite->exchange->name, suite->pubkey->name,
943  suite->cipher->name, ( suite->key_len * 8 ),
944  suite->digest->name );
945 
946  return 0;
947 }
948 
949 /**
950  * Activate next cipher suite
951  *
952  * @v tls TLS connection
953  * @v pending Pending cipher specification
954  * @v active Active cipher specification to replace
955  * @ret rc Return status code
956  */
957 static int tls_change_cipher ( struct tls_connection *tls,
958  struct tls_cipherspec *pending,
959  struct tls_cipherspec *active ) {
960 
961  /* Sanity check */
962  if ( pending->suite == &tls_cipher_suite_null ) {
963  DBGC ( tls, "TLS %p refusing to use null cipher\n", tls );
964  return -ENOTSUP_NULL;
965  }
966 
967  tls_clear_cipher ( tls, active );
968  memswap ( active, pending, sizeof ( *active ) );
969  return 0;
970 }
971 
972 /******************************************************************************
973  *
974  * Signature and hash algorithms
975  *
976  ******************************************************************************
977  */
978 
979 /** Number of supported signature and hash algorithms */
980 #define TLS_NUM_SIG_HASH_ALGORITHMS \
981  table_num_entries ( TLS_SIG_HASH_ALGORITHMS )
982 
983 /**
984  * Find TLS signature and hash algorithm
985  *
986  * @v pubkey Public-key algorithm
987  * @v digest Digest algorithm
988  * @ret sig_hash Signature and hash algorithm, or NULL
989  */
990 static struct tls_signature_hash_algorithm *
991 tls_signature_hash_algorithm ( struct pubkey_algorithm *pubkey,
992  struct digest_algorithm *digest ) {
993  struct tls_signature_hash_algorithm *sig_hash;
994 
995  /* Identify signature and hash algorithm */
996  for_each_table_entry ( sig_hash, TLS_SIG_HASH_ALGORITHMS ) {
997  if ( ( sig_hash->pubkey == pubkey ) &&
998  ( sig_hash->digest == digest ) ) {
999  return sig_hash;
1000  }
1001  }
1002 
1003  return NULL;
1004 }
1005 
1006 /**
1007  * Find TLS signature algorithm
1008  *
1009  * @v code Signature and hash algorithm identifier
1010  * @ret pubkey Public key algorithm, or NULL
1011  */
1012 static struct pubkey_algorithm *
1013 tls_signature_hash_pubkey ( struct tls_signature_hash_id code ) {
1014  struct tls_signature_hash_algorithm *sig_hash;
1015 
1016  /* Identify signature and hash algorithm */
1017  for_each_table_entry ( sig_hash, TLS_SIG_HASH_ALGORITHMS ) {
1018  if ( sig_hash->code.signature == code.signature )
1019  return sig_hash->pubkey;
1020  }
1021 
1022  return NULL;
1023 }
1024 
1025 /**
1026  * Find TLS hash algorithm
1027  *
1028  * @v code Signature and hash algorithm identifier
1029  * @ret digest Digest algorithm, or NULL
1030  */
1031 static struct digest_algorithm *
1032 tls_signature_hash_digest ( struct tls_signature_hash_id code ) {
1033  struct tls_signature_hash_algorithm *sig_hash;
1034 
1035  /* Identify signature and hash algorithm */
1036  for_each_table_entry ( sig_hash, TLS_SIG_HASH_ALGORITHMS ) {
1037  if ( sig_hash->code.hash == code.hash )
1038  return sig_hash->digest;
1039  }
1040 
1041  return NULL;
1042 }
1043 
1044 /******************************************************************************
1045  *
1046  * Record handling
1047  *
1048  ******************************************************************************
1049  */
1050 
1051 /**
1052  * Resume TX state machine
1053  *
1054  * @v tls TLS connection
1055  */
1056 static void tls_tx_resume ( struct tls_connection *tls ) {
1057  process_add ( &tls->process );
1058 }
1059 
1060 /**
1061  * Resume TX state machine for all connections within a session
1062  *
1063  * @v session TLS session
1064  */
1065 static void tls_tx_resume_all ( struct tls_session *session ) {
1066  struct tls_connection *tls;
1067 
1068  list_for_each_entry ( tls, &session->conn, list )
1069  tls_tx_resume ( tls );
1070 }
1071 
1072 /**
1073  * Restart negotiation
1074  *
1075  * @v tls TLS connection
1076  */
1077 static void tls_restart ( struct tls_connection *tls ) {
1078 
1079  /* Sanity check */
1080  assert ( ! tls->tx_pending );
1081  assert ( ! is_pending ( &tls->client_negotiation ) );
1082  assert ( ! is_pending ( &tls->server_negotiation ) );
1083  assert ( ! is_pending ( &tls->validation ) );
1084 
1085  /* (Re)start negotiation */
1086  tls->tx_pending = TLS_TX_CLIENT_HELLO;
1087  tls_tx_resume ( tls );
1088  pending_get ( &tls->client_negotiation );
1089  pending_get ( &tls->server_negotiation );
1090 }
1091 
1092 /**
1093  * Transmit Handshake record
1094  *
1095  * @v tls TLS connection
1096  * @v data Plaintext record
1097  * @v len Length of plaintext record
1098  * @ret rc Return status code
1099  */
1100 static int tls_send_handshake ( struct tls_connection *tls,
1101  const void *data, size_t len ) {
1102 
1103  /* Add to handshake digest */
1104  tls_add_handshake ( tls, data, len );
1105 
1106  /* Send record */
1107  return tls_send_plaintext ( tls, TLS_TYPE_HANDSHAKE, data, len );
1108 }
1109 
1110 /**
1111  * Digest or transmit Client Hello record
1112  *
1113  * @v tls TLS connection
1114  * @v action Action to take on Client Hello record
1115  * @ret rc Return status code
1116  */
1117 static int tls_client_hello ( struct tls_connection *tls,
1118  int ( * action ) ( struct tls_connection *tls,
1119  const void *data,
1120  size_t len ) ) {
1121  struct tls_session *session = tls->session;
1122  size_t name_len = strlen ( session->name );
1123  struct {
1124  uint32_t type_length;
1125  uint16_t version;
1126  uint8_t random[32];
1127  uint8_t session_id_len;
1128  uint8_t session_id[tls->session_id_len];
1129  uint16_t cipher_suite_len;
1130  uint16_t cipher_suites[TLS_NUM_CIPHER_SUITES];
1131  uint8_t compression_methods_len;
1132  uint8_t compression_methods[1];
1133  uint16_t extensions_len;
1134  struct {
1135  uint16_t server_name_type;
1136  uint16_t server_name_len;
1137  struct {
1138  uint16_t len;
1139  struct {
1140  uint8_t type;
1141  uint16_t len;
1142  uint8_t name[name_len];
1143  } __attribute__ (( packed )) list[1];
1144  } __attribute__ (( packed )) server_name;
1145  uint16_t max_fragment_length_type;
1146  uint16_t max_fragment_length_len;
1147  struct {
1148  uint8_t max;
1149  } __attribute__ (( packed )) max_fragment_length;
1150  uint16_t signature_algorithms_type;
1151  uint16_t signature_algorithms_len;
1152  struct {
1153  uint16_t len;
1154  struct tls_signature_hash_id
1155  code[TLS_NUM_SIG_HASH_ALGORITHMS];
1156  } __attribute__ (( packed )) signature_algorithms;
1157  uint16_t renegotiation_info_type;
1158  uint16_t renegotiation_info_len;
1159  struct {
1160  uint8_t len;
1161  uint8_t data[ tls->secure_renegotiation ?
1162  sizeof ( tls->verify.client ) :0];
1163  } __attribute__ (( packed )) renegotiation_info;
1164  uint16_t session_ticket_type;
1165  uint16_t session_ticket_len;
1166  struct {
1167  uint8_t data[session->ticket_len];
1168  } __attribute__ (( packed )) session_ticket;
1169  } __attribute__ (( packed )) extensions;
1170  } __attribute__ (( packed )) hello;
1171  struct tls_cipher_suite *suite;
1172  struct tls_signature_hash_algorithm *sighash;
1173  unsigned int i;
1174 
1175  /* Construct record */
1176  memset ( &hello, 0, sizeof ( hello ) );
1177  hello.type_length = ( cpu_to_le32 ( TLS_CLIENT_HELLO ) |
1178  htonl ( sizeof ( hello ) -
1179  sizeof ( hello.type_length ) ) );
1180  hello.version = htons ( TLS_VERSION_MAX );
1181  memcpy ( &hello.random, &tls->client_random, sizeof ( hello.random ) );
1182  hello.session_id_len = tls->session_id_len;
1183  memcpy ( hello.session_id, tls->session_id,
1184  sizeof ( hello.session_id ) );
1185  hello.cipher_suite_len = htons ( sizeof ( hello.cipher_suites ) );
1186  i = 0 ; for_each_table_entry ( suite, TLS_CIPHER_SUITES )
1187  hello.cipher_suites[i++] = suite->code;
1188  hello.compression_methods_len = sizeof ( hello.compression_methods );
1189  hello.extensions_len = htons ( sizeof ( hello.extensions ) );
1190  hello.extensions.server_name_type = htons ( TLS_SERVER_NAME );
1191  hello.extensions.server_name_len
1192  = htons ( sizeof ( hello.extensions.server_name ) );
1193  hello.extensions.server_name.len
1194  = htons ( sizeof ( hello.extensions.server_name.list ) );
1195  hello.extensions.server_name.list[0].type = TLS_SERVER_NAME_HOST_NAME;
1196  hello.extensions.server_name.list[0].len
1197  = htons ( sizeof ( hello.extensions.server_name.list[0].name ));
1198  memcpy ( hello.extensions.server_name.list[0].name, session->name,
1199  sizeof ( hello.extensions.server_name.list[0].name ) );
1200  hello.extensions.max_fragment_length_type
1201  = htons ( TLS_MAX_FRAGMENT_LENGTH );
1202  hello.extensions.max_fragment_length_len
1203  = htons ( sizeof ( hello.extensions.max_fragment_length ) );
1204  hello.extensions.max_fragment_length.max
1205  = TLS_MAX_FRAGMENT_LENGTH_4096;
1206  hello.extensions.signature_algorithms_type
1207  = htons ( TLS_SIGNATURE_ALGORITHMS );
1208  hello.extensions.signature_algorithms_len
1209  = htons ( sizeof ( hello.extensions.signature_algorithms ) );
1210  hello.extensions.signature_algorithms.len
1211  = htons ( sizeof ( hello.extensions.signature_algorithms.code));
1212  i = 0 ; for_each_table_entry ( sighash, TLS_SIG_HASH_ALGORITHMS )
1213  hello.extensions.signature_algorithms.code[i++] = sighash->code;
1214  hello.extensions.renegotiation_info_type
1215  = htons ( TLS_RENEGOTIATION_INFO );
1216  hello.extensions.renegotiation_info_len
1217  = htons ( sizeof ( hello.extensions.renegotiation_info ) );
1218  hello.extensions.renegotiation_info.len
1219  = sizeof ( hello.extensions.renegotiation_info.data );
1220  memcpy ( hello.extensions.renegotiation_info.data, tls->verify.client,
1221  sizeof ( hello.extensions.renegotiation_info.data ) );
1222  hello.extensions.session_ticket_type = htons ( TLS_SESSION_TICKET );
1223  hello.extensions.session_ticket_len
1224  = htons ( sizeof ( hello.extensions.session_ticket ) );
1225  memcpy ( hello.extensions.session_ticket.data, session->ticket,
1226  sizeof ( hello.extensions.session_ticket.data ) );
1227 
1228  return action ( tls, &hello, sizeof ( hello ) );
1229 }
1230 
1231 /**
1232  * Transmit Client Hello record
1233  *
1234  * @v tls TLS connection
1235  * @ret rc Return status code
1236  */
1237 static int tls_send_client_hello ( struct tls_connection *tls ) {
1238 
1239  return tls_client_hello ( tls, tls_send_handshake );
1240 }
1241 
1242 /**
1243  * Transmit Certificate record
1244  *
1245  * @v tls TLS connection
1246  * @ret rc Return status code
1247  */
1248 static int tls_send_certificate ( struct tls_connection *tls ) {
1249  struct {
1250  tls24_t length;
1251  uint8_t data[0];
1252  } __attribute__ (( packed )) *certificate;
1253  struct {
1254  uint32_t type_length;
1255  tls24_t length;
1256  typeof ( *certificate ) certificates[0];
1257  } __attribute__ (( packed )) *certificates;
1258  struct x509_link *link;
1259  struct x509_certificate *cert;
1260  size_t len;
1261  int rc;
1262 
1263  /* Calculate length of client certificates */
1264  len = 0;
1265  list_for_each_entry ( link, &tls->certs->links, list ) {
1266  cert = link->cert;
1267  len += ( sizeof ( *certificate ) + cert->raw.len );
1268  DBGC ( tls, "TLS %p sending client certificate %s\n",
1269  tls, x509_name ( cert ) );
1270  }
1271 
1272  /* Allocate storage for Certificate record (which may be too
1273  * large for the stack).
1274  */
1275  certificates = zalloc ( sizeof ( *certificates ) + len );
1276  if ( ! certificates )
1277  return -ENOMEM_CERTIFICATE;
1278 
1279  /* Populate record */
1280  certificates->type_length =
1281  ( cpu_to_le32 ( TLS_CERTIFICATE ) |
1282  htonl ( sizeof ( *certificates ) + len -
1283  sizeof ( certificates->type_length ) ) );
1284  tls_set_uint24 ( &certificates->length, len );
1285  certificate = &certificates->certificates[0];
1286  list_for_each_entry ( link, &tls->certs->links, list ) {
1287  cert = link->cert;
1288  tls_set_uint24 ( &certificate->length, cert->raw.len );
1289  memcpy ( certificate->data, cert->raw.data, cert->raw.len );
1290  certificate = ( ( ( void * ) certificate->data ) +
1291  cert->raw.len );
1292  }
1293 
1294  /* Transmit record */
1295  rc = tls_send_handshake ( tls, certificates,
1296  ( sizeof ( *certificates ) + len ) );
1297 
1298  /* Free record */
1299  free ( certificates );
1300 
1301  return rc;
1302 }
1303 
1304 /**
1305  * Transmit Client Key Exchange record using public key exchange
1306  *
1307  * @v tls TLS connection
1308  * @ret rc Return status code
1309  */
1310 static int tls_send_client_key_exchange_pubkey ( struct tls_connection *tls ) {
1311  struct tls_cipherspec *cipherspec = &tls->tx_cipherspec_pending;
1312  struct pubkey_algorithm *pubkey = cipherspec->suite->pubkey;
1313  size_t max_len = pubkey_max_len ( pubkey, cipherspec->pubkey_ctx );
1314  struct {
1315  uint16_t version;
1316  uint8_t random[46];
1317  } __attribute__ (( packed )) pre_master_secret;
1318  struct {
1319  uint32_t type_length;
1320  uint16_t encrypted_pre_master_secret_len;
1321  uint8_t encrypted_pre_master_secret[max_len];
1322  } __attribute__ (( packed )) key_xchg;
1323  size_t unused;
1324  int len;
1325  int rc;
1326 
1327  /* Generate pre-master secret */
1328  pre_master_secret.version = htons ( TLS_VERSION_MAX );
1329  if ( ( rc = tls_generate_random ( tls, &pre_master_secret.random,
1330  ( sizeof ( pre_master_secret.random ) ) ) ) != 0 ) {
1331  return rc;
1332  }
1333 
1334  /* Generate master secret */
1335  tls_generate_master_secret ( tls, &pre_master_secret,
1336  sizeof ( pre_master_secret ) );
1337 
1338  /* Generate keys */
1339  if ( ( rc = tls_generate_keys ( tls ) ) != 0 ) {
1340  DBGC ( tls, "TLS %p could not generate keys: %s\n",
1341  tls, strerror ( rc ) );
1342  return rc;
1343  }
1344 
1345  /* Encrypt pre-master secret using server's public key */
1346  memset ( &key_xchg, 0, sizeof ( key_xchg ) );
1347  len = pubkey_encrypt ( pubkey, cipherspec->pubkey_ctx,
1348  &pre_master_secret, sizeof ( pre_master_secret ),
1349  key_xchg.encrypted_pre_master_secret );
1350  if ( len < 0 ) {
1351  rc = len;
1352  DBGC ( tls, "TLS %p could not encrypt pre-master secret: %s\n",
1353  tls, strerror ( rc ) );
1354  return rc;
1355  }
1356  unused = ( max_len - len );
1357  key_xchg.type_length =
1358  ( cpu_to_le32 ( TLS_CLIENT_KEY_EXCHANGE ) |
1359  htonl ( sizeof ( key_xchg ) -
1360  sizeof ( key_xchg.type_length ) - unused ) );
1361  key_xchg.encrypted_pre_master_secret_len =
1362  htons ( sizeof ( key_xchg.encrypted_pre_master_secret ) -
1363  unused );
1364 
1365  return tls_send_handshake ( tls, &key_xchg,
1366  ( sizeof ( key_xchg ) - unused ) );
1367 }
1368 
1369 /** Public key exchange algorithm */
1370 struct tls_key_exchange_algorithm tls_pubkey_exchange_algorithm = {
1371  .name = "pubkey",
1372  .exchange = tls_send_client_key_exchange_pubkey,
1373 };
1374 
1375 /**
1376  * Transmit Client Key Exchange record using DHE key exchange
1377  *
1378  * @v tls TLS connection
1379  * @ret rc Return status code
1380  */
1381 static int tls_send_client_key_exchange_dhe ( struct tls_connection *tls ) {
1382  struct tls_cipherspec *cipherspec = &tls->tx_cipherspec_pending;
1383  struct pubkey_algorithm *pubkey;
1384  struct digest_algorithm *digest;
1385  int use_sig_hash = tls_version ( tls, TLS_VERSION_TLS_1_2 );
1386  uint8_t private[ sizeof ( tls->client_random.random ) ];
1387  const struct {
1388  uint16_t len;
1389  uint8_t data[0];
1390  } __attribute__ (( packed )) *dh_val[3];
1391  const struct {
1392  struct tls_signature_hash_id sig_hash[use_sig_hash];
1393  uint16_t signature_len;
1394  uint8_t signature[0];
1395  } __attribute__ (( packed )) *sig;
1396  const void *data;
1397  size_t remaining;
1398  size_t frag_len;
1399  unsigned int i;
1400  int rc;
1401 
1402  /* Parse ServerKeyExchange */
1403  data = tls->server_key;
1404  remaining = tls->server_key_len;
1405  for ( i = 0 ; i < ( sizeof ( dh_val ) / sizeof ( dh_val[0] ) ) ; i++ ){
1406  dh_val[i] = data;
1407  if ( ( sizeof ( *dh_val[i] ) > remaining ) ||
1408  ( ntohs ( dh_val[i]->len ) > ( remaining -
1409  sizeof ( *dh_val[i] ) ) )){
1410  DBGC ( tls, "TLS %p received underlength "
1411  "ServerKeyExchange\n", tls );
1412  DBGC_HDA ( tls, 0, tls->server_key,
1413  tls->server_key_len );
1414  rc = -EINVAL_KEY_EXCHANGE;
1415  goto err_header;
1416  }
1417  frag_len = ( sizeof ( *dh_val[i] ) + ntohs ( dh_val[i]->len ));
1418  data += frag_len;
1419  remaining -= frag_len;
1420  }
1421  sig = data;
1422  if ( ( sizeof ( *sig ) > remaining ) ||
1423  ( ntohs ( sig->signature_len ) > ( remaining -
1424  sizeof ( *sig ) ) ) ) {
1425  DBGC ( tls, "TLS %p received underlength ServerKeyExchange\n",
1426  tls );
1427  DBGC_HDA ( tls, 0, tls->server_key, tls->server_key_len );
1428  rc = -EINVAL_KEY_EXCHANGE;
1429  goto err_header;
1430  }
1431 
1432  /* Identify signature and hash algorithm */
1433  if ( use_sig_hash ) {
1434  pubkey = tls_signature_hash_pubkey ( sig->sig_hash[0] );
1435  digest = tls_signature_hash_digest ( sig->sig_hash[0] );
1436  if ( ( ! pubkey ) || ( ! digest ) ) {
1437  DBGC ( tls, "TLS %p ServerKeyExchange unsupported "
1438  "signature and hash algorithm\n", tls );
1439  rc = -ENOTSUP_SIG_HASH;
1440  goto err_sig_hash;
1441  }
1442  if ( pubkey != cipherspec->suite->pubkey ) {
1443  DBGC ( tls, "TLS %p ServerKeyExchange incorrect "
1444  "signature algorithm %s (expected %s)\n", tls,
1445  pubkey->name, cipherspec->suite->pubkey->name );
1446  rc = -EPERM_KEY_EXCHANGE;
1447  goto err_sig_hash;
1448  }
1449  } else {
1450  pubkey = cipherspec->suite->pubkey;
1451  digest = &md5_sha1_algorithm;
1452  }
1453 
1454  /* Verify signature */
1455  {
1456  const void *signature = sig->signature;
1457  size_t signature_len = ntohs ( sig->signature_len );
1458  uint8_t ctx[digest->ctxsize];
1459  uint8_t hash[digest->digestsize];
1460 
1461  /* Calculate digest */
1462  digest_init ( digest, ctx );
1463  digest_update ( digest, ctx, &tls->client_random,
1464  sizeof ( tls->client_random ) );
1465  digest_update ( digest, ctx, tls->server_random,
1466  sizeof ( tls->server_random ) );
1467  digest_update ( digest, ctx, tls->server_key,
1468  ( tls->server_key_len - remaining ) );
1469  digest_final ( digest, ctx, hash );
1470 
1471  /* Verify signature */
1472  if ( ( rc = pubkey_verify ( pubkey, cipherspec->pubkey_ctx,
1473  digest, hash, signature,
1474  signature_len ) ) != 0 ) {
1475  DBGC ( tls, "TLS %p ServerKeyExchange failed "
1476  "verification\n", tls );
1477  DBGC_HDA ( tls, 0, tls->server_key,
1478  tls->server_key_len );
1479  rc = -EPERM_KEY_EXCHANGE;
1480  goto err_verify;
1481  }
1482  }
1483 
1484  /* Generate Diffie-Hellman private key */
1485  if ( ( rc = tls_generate_random ( tls, private,
1486  sizeof ( private ) ) ) != 0 ) {
1487  goto err_random;
1488  }
1489 
1490  /* Construct pre-master secret and ClientKeyExchange record */
1491  {
1492  typeof ( dh_val[0] ) dh_p = dh_val[0];
1493  typeof ( dh_val[1] ) dh_g = dh_val[1];
1494  typeof ( dh_val[2] ) dh_ys = dh_val[2];
1495  size_t len = ntohs ( dh_p->len );
1496  struct {
1497  uint32_t type_length;
1498  uint16_t dh_xs_len;
1499  uint8_t dh_xs[len];
1500  } __attribute__ (( packed )) *key_xchg;
1501  struct {
1502  uint8_t pre_master_secret[len];
1503  typeof ( *key_xchg ) key_xchg;
1504  } *dynamic;
1505  uint8_t *pre_master_secret;
1506 
1507  /* Allocate space */
1508  dynamic = malloc ( sizeof ( *dynamic ) );
1509  if ( ! dynamic ) {
1510  rc = -ENOMEM;
1511  goto err_alloc;
1512  }
1513  pre_master_secret = dynamic->pre_master_secret;
1514  key_xchg = &dynamic->key_xchg;
1515  key_xchg->type_length =
1516  ( cpu_to_le32 ( TLS_CLIENT_KEY_EXCHANGE ) |
1517  htonl ( sizeof ( *key_xchg ) -
1518  sizeof ( key_xchg->type_length ) ) );
1519  key_xchg->dh_xs_len = htons ( len );
1520 
1521  /* Calculate pre-master secret and client public value */
1522  if ( ( rc = dhe_key ( dh_p->data, len,
1523  dh_g->data, ntohs ( dh_g->len ),
1524  dh_ys->data, ntohs ( dh_ys->len ),
1525  private, sizeof ( private ),
1526  key_xchg->dh_xs,
1527  pre_master_secret ) ) != 0 ) {
1528  DBGC ( tls, "TLS %p could not calculate DHE key: %s\n",
1529  tls, strerror ( rc ) );
1530  goto err_dhe_key;
1531  }
1532 
1533  /* Strip leading zeroes from pre-master secret */
1534  while ( len && ( ! *pre_master_secret ) ) {
1535  pre_master_secret++;
1536  len--;
1537  }
1538 
1539  /* Generate master secret */
1540  tls_generate_master_secret ( tls, pre_master_secret, len );
1541 
1542  /* Generate keys */
1543  if ( ( rc = tls_generate_keys ( tls ) ) != 0 ) {
1544  DBGC ( tls, "TLS %p could not generate keys: %s\n",
1545  tls, strerror ( rc ) );
1546  goto err_generate_keys;
1547  }
1548 
1549  /* Transmit Client Key Exchange record */
1550  if ( ( rc = tls_send_handshake ( tls, key_xchg,
1551  sizeof ( *key_xchg ) ) ) !=0){
1552  goto err_send_handshake;
1553  }
1554 
1555  err_send_handshake:
1556  err_generate_keys:
1557  err_dhe_key:
1558  free ( dynamic );
1559  }
1560  err_alloc:
1561  err_random:
1562  err_verify:
1563  err_sig_hash:
1564  err_header:
1565  return rc;
1566 }
1567 
1568 /** Ephemeral Diffie-Hellman key exchange algorithm */
1569 struct tls_key_exchange_algorithm tls_dhe_exchange_algorithm = {
1570  .name = "dhe",
1571  .exchange = tls_send_client_key_exchange_dhe,
1572 };
1573 
1574 /**
1575  * Transmit Client Key Exchange record
1576  *
1577  * @v tls TLS connection
1578  * @ret rc Return status code
1579  */
1580 static int tls_send_client_key_exchange ( struct tls_connection *tls ) {
1581  struct tls_cipherspec *cipherspec = &tls->tx_cipherspec_pending;
1582  struct tls_cipher_suite *suite = cipherspec->suite;
1583 
1584  /* Transmit Client Key Exchange record via key exchange algorithm */
1585  return suite->exchange->exchange ( tls );
1586 }
1587 
1588 /**
1589  * Transmit Certificate Verify record
1590  *
1591  * @v tls TLS connection
1592  * @ret rc Return status code
1593  */
1594 static int tls_send_certificate_verify ( struct tls_connection *tls ) {
1595  struct digest_algorithm *digest = tls->handshake_digest;
1596  struct x509_certificate *cert = x509_first ( tls->certs );
1597  struct pubkey_algorithm *pubkey = cert->signature_algorithm->pubkey;
1598  struct asn1_cursor *key = privkey_cursor ( tls->key );
1599  uint8_t digest_out[ digest->digestsize ];
1600  uint8_t ctx[ pubkey->ctxsize ];
1601  struct tls_signature_hash_algorithm *sig_hash = NULL;
1602  int rc;
1603 
1604  /* Generate digest to be signed */
1605  tls_verify_handshake ( tls, digest_out );
1606 
1607  /* Initialise public-key algorithm */
1608  if ( ( rc = pubkey_init ( pubkey, ctx, key->data, key->len ) ) != 0 ) {
1609  DBGC ( tls, "TLS %p could not initialise %s client private "
1610  "key: %s\n", tls, pubkey->name, strerror ( rc ) );
1611  goto err_pubkey_init;
1612  }
1613 
1614  /* TLSv1.2 and later use explicit algorithm identifiers */
1615  if ( tls_version ( tls, TLS_VERSION_TLS_1_2 ) ) {
1616  sig_hash = tls_signature_hash_algorithm ( pubkey, digest );
1617  if ( ! sig_hash ) {
1618  DBGC ( tls, "TLS %p could not identify (%s,%s) "
1619  "signature and hash algorithm\n", tls,
1620  pubkey->name, digest->name );
1621  rc = -ENOTSUP_SIG_HASH;
1622  goto err_sig_hash;
1623  }
1624  }
1625 
1626  /* Generate and transmit record */
1627  {
1628  size_t max_len = pubkey_max_len ( pubkey, ctx );
1629  int use_sig_hash = ( ( sig_hash == NULL ) ? 0 : 1 );
1630  struct {
1631  uint32_t type_length;
1632  struct tls_signature_hash_id sig_hash[use_sig_hash];
1633  uint16_t signature_len;
1634  uint8_t signature[max_len];
1635  } __attribute__ (( packed )) certificate_verify;
1636  size_t unused;
1637  int len;
1638 
1639  /* Sign digest */
1640  len = pubkey_sign ( pubkey, ctx, digest, digest_out,
1641  certificate_verify.signature );
1642  if ( len < 0 ) {
1643  rc = len;
1644  DBGC ( tls, "TLS %p could not sign %s digest using %s "
1645  "client private key: %s\n", tls, digest->name,
1646  pubkey->name, strerror ( rc ) );
1647  goto err_pubkey_sign;
1648  }
1649  unused = ( max_len - len );
1650 
1651  /* Construct Certificate Verify record */
1652  certificate_verify.type_length =
1653  ( cpu_to_le32 ( TLS_CERTIFICATE_VERIFY ) |
1654  htonl ( sizeof ( certificate_verify ) -
1655  sizeof ( certificate_verify.type_length ) -
1656  unused ) );
1657  if ( use_sig_hash ) {
1658  memcpy ( &certificate_verify.sig_hash[0],
1659  &sig_hash->code,
1660  sizeof ( certificate_verify.sig_hash[0] ) );
1661  }
1662  certificate_verify.signature_len =
1663  htons ( sizeof ( certificate_verify.signature ) -
1664  unused );
1665 
1666  /* Transmit record */
1667  rc = tls_send_handshake ( tls, &certificate_verify,
1668  ( sizeof ( certificate_verify ) - unused ) );
1669  }
1670 
1671  err_pubkey_sign:
1672  err_sig_hash:
1673  pubkey_final ( pubkey, ctx );
1674  err_pubkey_init:
1675  return rc;
1676 }
1677 
1678 /**
1679  * Transmit Change Cipher record
1680  *
1681  * @v tls TLS connection
1682  * @ret rc Return status code
1683  */
1684 static int tls_send_change_cipher ( struct tls_connection *tls ) {
1685  static const uint8_t change_cipher[1] = { 1 };
1686  return tls_send_plaintext ( tls, TLS_TYPE_CHANGE_CIPHER,
1687  change_cipher, sizeof ( change_cipher ) );
1688 }
1689 
1690 /**
1691  * Transmit Finished record
1692  *
1693  * @v tls TLS connection
1694  * @ret rc Return status code
1695  */
1696 static int tls_send_finished ( struct tls_connection *tls ) {
1697  struct digest_algorithm *digest = tls->handshake_digest;
1698  struct {
1699  uint32_t type_length;
1700  uint8_t verify_data[ sizeof ( tls->verify.client ) ];
1701  } __attribute__ (( packed )) finished;
1702  uint8_t digest_out[ digest->digestsize ];
1703  int rc;
1704 
1705  /* Construct client verification data */
1706  tls_verify_handshake ( tls, digest_out );
1707  tls_prf_label ( tls, &tls->master_secret, sizeof ( tls->master_secret ),
1708  tls->verify.client, sizeof ( tls->verify.client ),
1709  "client finished", digest_out, sizeof ( digest_out ) );
1710 
1711  /* Construct record */
1712  memset ( &finished, 0, sizeof ( finished ) );
1713  finished.type_length = ( cpu_to_le32 ( TLS_FINISHED ) |
1714  htonl ( sizeof ( finished ) -
1715  sizeof ( finished.type_length ) ) );
1716  memcpy ( finished.verify_data, tls->verify.client,
1717  sizeof ( finished.verify_data ) );
1718 
1719  /* Transmit record */
1720  if ( ( rc = tls_send_handshake ( tls, &finished,
1721  sizeof ( finished ) ) ) != 0 )
1722  return rc;
1723 
1724  /* Mark client as finished */
1725  pending_put ( &tls->client_negotiation );
1726 
1727  return 0;
1728 }
1729 
1730 /**
1731  * Receive new Change Cipher record
1732  *
1733  * @v tls TLS connection
1734  * @v data Plaintext record
1735  * @v len Length of plaintext record
1736  * @ret rc Return status code
1737  */
1738 static int tls_new_change_cipher ( struct tls_connection *tls,
1739  const void *data, size_t len ) {
1740  int rc;
1741 
1742  if ( ( len != 1 ) || ( *( ( uint8_t * ) data ) != 1 ) ) {
1743  DBGC ( tls, "TLS %p received invalid Change Cipher\n", tls );
1744  DBGC_HD ( tls, data, len );
1745  return -EINVAL_CHANGE_CIPHER;
1746  }
1747 
1748  if ( ( rc = tls_change_cipher ( tls, &tls->rx_cipherspec_pending,
1749  &tls->rx_cipherspec ) ) != 0 ) {
1750  DBGC ( tls, "TLS %p could not activate RX cipher: %s\n",
1751  tls, strerror ( rc ) );
1752  return rc;
1753  }
1754  tls->rx_seq = ~( ( uint64_t ) 0 );
1755 
1756  return 0;
1757 }
1758 
1759 /**
1760  * Receive new Alert record
1761  *
1762  * @v tls TLS connection
1763  * @v data Plaintext record
1764  * @v len Length of plaintext record
1765  * @ret rc Return status code
1766  */
1767 static int tls_new_alert ( struct tls_connection *tls, const void *data,
1768  size_t len ) {
1769  const struct {
1770  uint8_t level;
1771  uint8_t description;
1772  char next[0];
1773  } __attribute__ (( packed )) *alert = data;
1774 
1775  /* Sanity check */
1776  if ( sizeof ( *alert ) != len ) {
1777  DBGC ( tls, "TLS %p received overlength Alert\n", tls );
1778  DBGC_HD ( tls, data, len );
1779  return -EINVAL_ALERT;
1780  }
1781 
1782  switch ( alert->level ) {
1783  case TLS_ALERT_WARNING:
1784  DBGC ( tls, "TLS %p received warning alert %d\n",
1785  tls, alert->description );
1786  return 0;
1787  case TLS_ALERT_FATAL:
1788  DBGC ( tls, "TLS %p received fatal alert %d\n",
1789  tls, alert->description );
1790  return -EPERM_ALERT;
1791  default:
1792  DBGC ( tls, "TLS %p received unknown alert level %d"
1793  "(alert %d)\n", tls, alert->level, alert->description );
1794  return -EIO_ALERT;
1795  }
1796 }
1797 
1798 /**
1799  * Receive new Hello Request handshake record
1800  *
1801  * @v tls TLS connection
1802  * @v data Plaintext handshake record
1803  * @v len Length of plaintext handshake record
1804  * @ret rc Return status code
1805  */
1806 static int tls_new_hello_request ( struct tls_connection *tls,
1807  const void *data __unused,
1808  size_t len __unused ) {
1809 
1810  /* Ignore if a handshake is in progress */
1811  if ( ! tls_ready ( tls ) ) {
1812  DBGC ( tls, "TLS %p ignoring Hello Request\n", tls );
1813  return 0;
1814  }
1815 
1816  /* Fail unless server supports secure renegotiation */
1817  if ( ! tls->secure_renegotiation ) {
1818  DBGC ( tls, "TLS %p refusing to renegotiate insecurely\n",
1819  tls );
1820  return -EPERM_RENEG_INSECURE;
1821  }
1822 
1823  /* Restart negotiation */
1824  tls_restart ( tls );
1825 
1826  return 0;
1827 }
1828 
1829 /**
1830  * Receive new Server Hello handshake record
1831  *
1832  * @v tls TLS connection
1833  * @v data Plaintext handshake record
1834  * @v len Length of plaintext handshake record
1835  * @ret rc Return status code
1836  */
1837 static int tls_new_server_hello ( struct tls_connection *tls,
1838  const void *data, size_t len ) {
1839  const struct {
1840  uint16_t version;
1841  uint8_t random[32];
1842  uint8_t session_id_len;
1843  uint8_t session_id[0];
1844  } __attribute__ (( packed )) *hello_a = data;
1845  const uint8_t *session_id;
1846  const struct {
1847  uint16_t cipher_suite;
1848  uint8_t compression_method;
1849  char next[0];
1850  } __attribute__ (( packed )) *hello_b;
1851  const struct {
1852  uint16_t len;
1853  uint8_t data[0];
1854  } __attribute__ (( packed )) *exts;
1855  const struct {
1856  uint16_t type;
1857  uint16_t len;
1858  uint8_t data[0];
1859  } __attribute__ (( packed )) *ext;
1860  const struct {
1861  uint8_t len;
1862  uint8_t data[0];
1863  } __attribute__ (( packed )) *reneg = NULL;
1864  uint16_t version;
1865  size_t exts_len;
1866  size_t ext_len;
1867  size_t remaining;
1868  int rc;
1869 
1870  /* Parse header */
1871  if ( ( sizeof ( *hello_a ) > len ) ||
1872  ( hello_a->session_id_len > ( len - sizeof ( *hello_a ) ) ) ||
1873  ( sizeof ( *hello_b ) > ( len - sizeof ( *hello_a ) -
1874  hello_a->session_id_len ) ) ) {
1875  DBGC ( tls, "TLS %p received underlength Server Hello\n", tls );
1876  DBGC_HD ( tls, data, len );
1877  return -EINVAL_HELLO;
1878  }
1879  session_id = hello_a->session_id;
1880  hello_b = ( ( void * ) ( session_id + hello_a->session_id_len ) );
1881 
1882  /* Parse extensions, if present */
1883  remaining = ( len - sizeof ( *hello_a ) - hello_a->session_id_len -
1884  sizeof ( *hello_b ) );
1885  if ( remaining ) {
1886 
1887  /* Parse extensions length */
1888  exts = ( ( void * ) hello_b->next );
1889  if ( ( sizeof ( *exts ) > remaining ) ||
1890  ( ( exts_len = ntohs ( exts->len ) ) >
1891  ( remaining - sizeof ( *exts ) ) ) ) {
1892  DBGC ( tls, "TLS %p received underlength extensions\n",
1893  tls );
1894  DBGC_HD ( tls, data, len );
1895  return -EINVAL_HELLO;
1896  }
1897 
1898  /* Parse extensions */
1899  for ( ext = ( ( void * ) exts->data ), remaining = exts_len ;
1900  remaining ;
1901  ext = ( ( ( void * ) ext ) + sizeof ( *ext ) + ext_len ),
1902  remaining -= ( sizeof ( *ext ) + ext_len ) ) {
1903 
1904  /* Parse extension length */
1905  if ( ( sizeof ( *ext ) > remaining ) ||
1906  ( ( ext_len = ntohs ( ext->len ) ) >
1907  ( remaining - sizeof ( *ext ) ) ) ) {
1908  DBGC ( tls, "TLS %p received underlength "
1909  "extension\n", tls );
1910  DBGC_HD ( tls, data, len );
1911  return -EINVAL_HELLO;
1912  }
1913 
1914  /* Record known extensions */
1915  switch ( ext->type ) {
1916  case htons ( TLS_RENEGOTIATION_INFO ) :
1917  reneg = ( ( void * ) ext->data );
1918  if ( ( sizeof ( *reneg ) > ext_len ) ||
1919  ( reneg->len >
1920  ( ext_len - sizeof ( *reneg ) ) ) ) {
1921  DBGC ( tls, "TLS %p received "
1922  "underlength renegotiation "
1923  "info\n", tls );
1924  DBGC_HD ( tls, data, len );
1925  return -EINVAL_HELLO;
1926  }
1927  break;
1928  }
1929  }
1930  }
1931 
1932  /* Check and store protocol version */
1933  version = ntohs ( hello_a->version );
1934  if ( version < TLS_VERSION_MIN ) {
1935  DBGC ( tls, "TLS %p does not support protocol version %d.%d\n",
1936  tls, ( version >> 8 ), ( version & 0xff ) );
1937  return -ENOTSUP_VERSION;
1938  }
1939  if ( version > tls->version ) {
1940  DBGC ( tls, "TLS %p server attempted to illegally upgrade to "
1941  "protocol version %d.%d\n",
1942  tls, ( version >> 8 ), ( version & 0xff ) );
1943  return -EPROTO_VERSION;
1944  }
1945  tls->version = version;
1946  DBGC ( tls, "TLS %p using protocol version %d.%d\n",
1947  tls, ( version >> 8 ), ( version & 0xff ) );
1948 
1949  /* Select cipher suite */
1950  if ( ( rc = tls_select_cipher ( tls, hello_b->cipher_suite ) ) != 0 )
1951  return rc;
1952 
1953  /* Add preceding Client Hello to handshake digest */
1954  if ( ( rc = tls_client_hello ( tls, tls_add_handshake ) ) != 0 )
1955  return rc;
1956 
1957  /* Copy out server random bytes */
1958  memcpy ( &tls->server_random, &hello_a->random,
1959  sizeof ( tls->server_random ) );
1960 
1961  /* Check session ID */
1962  if ( hello_a->session_id_len &&
1963  ( hello_a->session_id_len == tls->session_id_len ) &&
1964  ( memcmp ( session_id, tls->session_id,
1965  tls->session_id_len ) == 0 ) ) {
1966 
1967  /* Session ID match: reuse master secret */
1968  DBGC ( tls, "TLS %p resuming session ID:\n", tls );
1969  DBGC_HDA ( tls, 0, tls->session_id, tls->session_id_len );
1970  if ( ( rc = tls_generate_keys ( tls ) ) != 0 )
1971  return rc;
1972 
1973  } else {
1974 
1975  /* Record new session ID, if present */
1976  if ( hello_a->session_id_len &&
1977  ( hello_a->session_id_len <= sizeof ( tls->session_id ))){
1978  tls->session_id_len = hello_a->session_id_len;
1979  memcpy ( tls->session_id, session_id,
1980  tls->session_id_len );
1981  DBGC ( tls, "TLS %p new session ID:\n", tls );
1982  DBGC_HDA ( tls, 0, tls->session_id,
1983  tls->session_id_len );
1984  }
1985  }
1986 
1987  /* Handle secure renegotiation */
1988  if ( tls->secure_renegotiation ) {
1989 
1990  /* Secure renegotiation is expected; verify data */
1991  if ( ( reneg == NULL ) ||
1992  ( reneg->len != sizeof ( tls->verify ) ) ||
1993  ( memcmp ( reneg->data, &tls->verify,
1994  sizeof ( tls->verify ) ) != 0 ) ) {
1995  DBGC ( tls, "TLS %p server failed secure "
1996  "renegotiation\n", tls );
1997  return -EPERM_RENEG_VERIFY;
1998  }
1999 
2000  } else if ( reneg != NULL ) {
2001 
2002  /* Secure renegotiation is being enabled */
2003  if ( reneg->len != 0 ) {
2004  DBGC ( tls, "TLS %p server provided non-empty initial "
2005  "renegotiation\n", tls );
2006  return -EPERM_RENEG_VERIFY;
2007  }
2008  tls->secure_renegotiation = 1;
2009  }
2010 
2011  return 0;
2012 }
2013 
2014 /**
2015  * Receive New Session Ticket handshake record
2016  *
2017  * @v tls TLS connection
2018  * @v data Plaintext handshake record
2019  * @v len Length of plaintext handshake record
2020  * @ret rc Return status code
2021  */
2022 static int tls_new_session_ticket ( struct tls_connection *tls,
2023  const void *data, size_t len ) {
2024  const struct {
2025  uint32_t lifetime;
2026  uint16_t len;
2027  uint8_t ticket[0];
2028  } __attribute__ (( packed )) *new_session_ticket = data;
2029  size_t ticket_len;
2030 
2031  /* Parse header */
2032  if ( sizeof ( *new_session_ticket ) > len ) {
2033  DBGC ( tls, "TLS %p received underlength New Session Ticket\n",
2034  tls );
2035  DBGC_HD ( tls, data, len );
2036  return -EINVAL_TICKET;
2037  }
2038  ticket_len = ntohs ( new_session_ticket->len );
2039  if ( ticket_len > ( len - sizeof ( *new_session_ticket ) ) ) {
2040  DBGC ( tls, "TLS %p received overlength New Session Ticket\n",
2041  tls );
2042  DBGC_HD ( tls, data, len );
2043  return -EINVAL_TICKET;
2044  }
2045 
2046  /* Free any unapplied new session ticket */
2047  free ( tls->new_session_ticket );
2048  tls->new_session_ticket = NULL;
2049  tls->new_session_ticket_len = 0;
2050 
2051  /* Record ticket */
2052  tls->new_session_ticket = malloc ( ticket_len );
2053  if ( ! tls->new_session_ticket )
2054  return -ENOMEM;
2055  memcpy ( tls->new_session_ticket, new_session_ticket->ticket,
2056  ticket_len );
2057  tls->new_session_ticket_len = ticket_len;
2058  DBGC ( tls, "TLS %p new session ticket:\n", tls );
2059  DBGC_HDA ( tls, 0, tls->new_session_ticket,
2060  tls->new_session_ticket_len );
2061 
2062  return 0;
2063 }
2064 
2065 /**
2066  * Parse certificate chain
2067  *
2068  * @v tls TLS connection
2069  * @v data Certificate chain
2070  * @v len Length of certificate chain
2071  * @ret rc Return status code
2072  */
2073 static int tls_parse_chain ( struct tls_connection *tls,
2074  const void *data, size_t len ) {
2075  size_t remaining = len;
2076  int rc;
2077 
2078  /* Free any existing certificate chain */
2079  x509_chain_put ( tls->chain );
2080  tls->chain = NULL;
2081 
2082  /* Create certificate chain */
2083  tls->chain = x509_alloc_chain();
2084  if ( ! tls->chain ) {
2085  rc = -ENOMEM_CHAIN;
2086  goto err_alloc_chain;
2087  }
2088 
2089  /* Add certificates to chain */
2090  while ( remaining ) {
2091  const struct {
2092  tls24_t length;
2093  uint8_t data[0];
2094  } __attribute__ (( packed )) *certificate = data;
2095  size_t certificate_len;
2096  size_t record_len;
2097  struct x509_certificate *cert;
2098 
2099  /* Parse header */
2100  if ( sizeof ( *certificate ) > remaining ) {
2101  DBGC ( tls, "TLS %p underlength certificate:\n", tls );
2102  DBGC_HDA ( tls, 0, data, remaining );
2103  rc = -EINVAL_CERTIFICATE;
2104  goto err_underlength;
2105  }
2106  certificate_len = tls_uint24 ( &certificate->length );
2107  if ( certificate_len > ( remaining - sizeof ( *certificate ) )){
2108  DBGC ( tls, "TLS %p overlength certificate:\n", tls );
2109  DBGC_HDA ( tls, 0, data, remaining );
2110  rc = -EINVAL_CERTIFICATE;
2111  goto err_overlength;
2112  }
2113  record_len = ( sizeof ( *certificate ) + certificate_len );
2114 
2115  /* Add certificate to chain */
2116  if ( ( rc = x509_append_raw ( tls->chain, certificate->data,
2117  certificate_len ) ) != 0 ) {
2118  DBGC ( tls, "TLS %p could not append certificate: %s\n",
2119  tls, strerror ( rc ) );
2120  DBGC_HDA ( tls, 0, data, remaining );
2121  goto err_parse;
2122  }
2123  cert = x509_last ( tls->chain );
2124  DBGC ( tls, "TLS %p found certificate %s\n",
2125  tls, x509_name ( cert ) );
2126 
2127  /* Move to next certificate in list */
2128  data += record_len;
2129  remaining -= record_len;
2130  }
2131 
2132  return 0;
2133 
2134  err_parse:
2135  err_overlength:
2136  err_underlength:
2137  x509_chain_put ( tls->chain );
2138  tls->chain = NULL;
2139  err_alloc_chain:
2140  return rc;
2141 }
2142 
2143 /**
2144  * Receive new Certificate handshake record
2145  *
2146  * @v tls TLS connection
2147  * @v data Plaintext handshake record
2148  * @v len Length of plaintext handshake record
2149  * @ret rc Return status code
2150  */
2151 static int tls_new_certificate ( struct tls_connection *tls,
2152  const void *data, size_t len ) {
2153  const struct {
2154  tls24_t length;
2155  uint8_t certificates[0];
2156  } __attribute__ (( packed )) *certificate = data;
2157  size_t certificates_len;
2158  int rc;
2159 
2160  /* Parse header */
2161  if ( sizeof ( *certificate ) > len ) {
2162  DBGC ( tls, "TLS %p received underlength Server Certificate\n",
2163  tls );
2164  DBGC_HD ( tls, data, len );
2165  return -EINVAL_CERTIFICATES;
2166  }
2167  certificates_len = tls_uint24 ( &certificate->length );
2168  if ( certificates_len > ( len - sizeof ( *certificate ) ) ) {
2169  DBGC ( tls, "TLS %p received overlength Server Certificate\n",
2170  tls );
2171  DBGC_HD ( tls, data, len );
2172  return -EINVAL_CERTIFICATES;
2173  }
2174 
2175  /* Parse certificate chain */
2176  if ( ( rc = tls_parse_chain ( tls, certificate->certificates,
2177  certificates_len ) ) != 0 )
2178  return rc;
2179 
2180  return 0;
2181 }
2182 
2183 /**
2184  * Receive new Server Key Exchange handshake record
2185  *
2186  * @v tls TLS connection
2187  * @v data Plaintext handshake record
2188  * @v len Length of plaintext handshake record
2189  * @ret rc Return status code
2190  */
2191 static int tls_new_server_key_exchange ( struct tls_connection *tls,
2192  const void *data, size_t len ) {
2193 
2194  /* Free any existing server key exchange record */
2195  free ( tls->server_key );
2196  tls->server_key_len = 0;
2197 
2198  /* Allocate copy of server key exchange record */
2199  tls->server_key = malloc ( len );
2200  if ( ! tls->server_key )
2201  return -ENOMEM;
2202 
2203  /* Store copy of server key exchange record for later
2204  * processing. We cannot verify the signature at this point
2205  * since the certificate validation will not yet have
2206  * completed.
2207  */
2208  memcpy ( tls->server_key, data, len );
2209  tls->server_key_len = len;
2210 
2211  return 0;
2212 }
2213 
2214 /**
2215  * Receive new Certificate Request handshake record
2216  *
2217  * @v tls TLS connection
2218  * @v data Plaintext handshake record
2219  * @v len Length of plaintext handshake record
2220  * @ret rc Return status code
2221  */
2222 static int tls_new_certificate_request ( struct tls_connection *tls,
2223  const void *data __unused,
2224  size_t len __unused ) {
2225  struct x509_certificate *cert;
2226  int rc;
2227 
2228  /* We can only send a single certificate, so there is no point
2229  * in parsing the Certificate Request.
2230  */
2231 
2232  /* Free any existing client certificate chain */
2233  x509_chain_put ( tls->certs );
2234  tls->certs = NULL;
2235 
2236  /* Determine client certificate to be sent */
2237  cert = certstore_find_key ( tls->key );
2238  if ( ! cert ) {
2239  DBGC ( tls, "TLS %p could not find certificate corresponding "
2240  "to private key\n", tls );
2241  rc = -EPERM_CLIENT_CERT;
2242  goto err_find;
2243  }
2244  x509_get ( cert );
2245  DBGC ( tls, "TLS %p selected client certificate %s\n",
2246  tls, x509_name ( cert ) );
2247 
2248  /* Create client certificate chain */
2249  tls->certs = x509_alloc_chain();
2250  if ( ! tls->certs ) {
2251  rc = -ENOMEM;
2252  goto err_alloc;
2253  }
2254 
2255  /* Append client certificate to chain */
2256  if ( ( rc = x509_append ( tls->certs, cert ) ) != 0 )
2257  goto err_append;
2258 
2259  /* Append any relevant issuer certificates */
2260  if ( ( rc = x509_auto_append ( tls->certs, &certstore ) ) != 0 )
2261  goto err_auto_append;
2262 
2263  /* Drop local reference to client certificate */
2264  x509_put ( cert );
2265 
2266  return 0;
2267 
2268  err_auto_append:
2269  err_append:
2270  x509_chain_put ( tls->certs );
2271  tls->certs = NULL;
2272  err_alloc:
2273  x509_put ( cert );
2274  err_find:
2275  return rc;
2276 }
2277 
2278 /**
2279  * Receive new Server Hello Done handshake record
2280  *
2281  * @v tls TLS connection
2282  * @v data Plaintext handshake record
2283  * @v len Length of plaintext handshake record
2284  * @ret rc Return status code
2285  */
2286 static int tls_new_server_hello_done ( struct tls_connection *tls,
2287  const void *data, size_t len ) {
2288  const struct {
2289  char next[0];
2290  } __attribute__ (( packed )) *hello_done = data;
2291  int rc;
2292 
2293  /* Sanity check */
2294  if ( sizeof ( *hello_done ) != len ) {
2295  DBGC ( tls, "TLS %p received overlength Server Hello Done\n",
2296  tls );
2297  DBGC_HD ( tls, data, len );
2298  return -EINVAL_HELLO_DONE;
2299  }
2300 
2301  /* Begin certificate validation */
2302  if ( ( rc = create_validator ( &tls->validator, tls->chain,
2303  tls->root ) ) != 0 ) {
2304  DBGC ( tls, "TLS %p could not start certificate validation: "
2305  "%s\n", tls, strerror ( rc ) );
2306  return rc;
2307  }
2308  pending_get ( &tls->validation );
2309 
2310  return 0;
2311 }
2312 
2313 /**
2314  * Receive new Finished handshake record
2315  *
2316  * @v tls TLS connection
2317  * @v data Plaintext handshake record
2318  * @v len Length of plaintext handshake record
2319  * @ret rc Return status code
2320  */
2321 static int tls_new_finished ( struct tls_connection *tls,
2322  const void *data, size_t len ) {
2323  struct tls_session *session = tls->session;
2324  struct digest_algorithm *digest = tls->handshake_digest;
2325  const struct {
2326  uint8_t verify_data[ sizeof ( tls->verify.server ) ];
2327  char next[0];
2328  } __attribute__ (( packed )) *finished = data;
2329  uint8_t digest_out[ digest->digestsize ];
2330 
2331  /* Sanity check */
2332  if ( sizeof ( *finished ) != len ) {
2333  DBGC ( tls, "TLS %p received overlength Finished\n", tls );
2334  DBGC_HD ( tls, data, len );
2335  return -EINVAL_FINISHED;
2336  }
2337 
2338  /* Verify data */
2339  tls_verify_handshake ( tls, digest_out );
2340  tls_prf_label ( tls, &tls->master_secret, sizeof ( tls->master_secret ),
2341  tls->verify.server, sizeof ( tls->verify.server ),
2342  "server finished", digest_out, sizeof ( digest_out ) );
2343  if ( memcmp ( tls->verify.server, finished->verify_data,
2344  sizeof ( tls->verify.server ) ) != 0 ) {
2345  DBGC ( tls, "TLS %p verification failed\n", tls );
2346  return -EPERM_VERIFY;
2347  }
2348 
2349  /* Mark server as finished */
2350  pending_put ( &tls->server_negotiation );
2351 
2352  /* If we are resuming a session (i.e. if the server Finished
2353  * arrives before the client Finished is sent), then schedule
2354  * transmission of Change Cipher and Finished.
2355  */
2356  if ( is_pending ( &tls->client_negotiation ) ) {
2357  tls->tx_pending |= ( TLS_TX_CHANGE_CIPHER | TLS_TX_FINISHED );
2358  tls_tx_resume ( tls );
2359  }
2360 
2361  /* Record session ID, ticket, and master secret, if applicable */
2362  if ( tls->session_id_len || tls->new_session_ticket_len ) {
2363  memcpy ( session->master_secret, tls->master_secret,
2364  sizeof ( session->master_secret ) );
2365  }
2366  if ( tls->session_id_len ) {
2367  session->id_len = tls->session_id_len;
2368  memcpy ( session->id, tls->session_id, sizeof ( session->id ) );
2369  }
2370  if ( tls->new_session_ticket_len ) {
2371  free ( session->ticket );
2372  session->ticket = tls->new_session_ticket;
2373  session->ticket_len = tls->new_session_ticket_len;
2374  tls->new_session_ticket = NULL;
2375  tls->new_session_ticket_len = 0;
2376  }
2377 
2378  /* Move to end of session's connection list and allow other
2379  * connections to start making progress.
2380  */
2381  list_del ( &tls->list );
2382  list_add_tail ( &tls->list, &session->conn );
2383  tls_tx_resume_all ( session );
2384 
2385  /* Send notification of a window change */
2386  xfer_window_changed ( &tls->plainstream );
2387 
2388  return 0;
2389 }
2390 
2391 /**
2392  * Receive new Handshake record
2393  *
2394  * @v tls TLS connection
2395  * @v data Plaintext record
2396  * @v len Length of plaintext record
2397  * @ret rc Return status code
2398  */
2399 static int tls_new_handshake ( struct tls_connection *tls,
2400  const void *data, size_t len ) {
2401  size_t remaining = len;
2402  int rc;
2403 
2404  while ( remaining ) {
2405  const struct {
2406  uint8_t type;
2407  tls24_t length;
2408  uint8_t payload[0];
2409  } __attribute__ (( packed )) *handshake = data;
2410  const void *payload;
2411  size_t payload_len;
2412  size_t record_len;
2413 
2414  /* Parse header */
2415  if ( sizeof ( *handshake ) > remaining ) {
2416  DBGC ( tls, "TLS %p received underlength Handshake\n",
2417  tls );
2418  DBGC_HD ( tls, data, remaining );
2419  return -EINVAL_HANDSHAKE;
2420  }
2421  payload_len = tls_uint24 ( &handshake->length );
2422  if ( payload_len > ( remaining - sizeof ( *handshake ) ) ) {
2423  DBGC ( tls, "TLS %p received overlength Handshake\n",
2424  tls );
2425  DBGC_HD ( tls, data, len );
2426  return -EINVAL_HANDSHAKE;
2427  }
2428  payload = &handshake->payload;
2429  record_len = ( sizeof ( *handshake ) + payload_len );
2430 
2431  /* Handle payload */
2432  switch ( handshake->type ) {
2433  case TLS_HELLO_REQUEST:
2434  rc = tls_new_hello_request ( tls, payload,
2435  payload_len );
2436  break;
2437  case TLS_SERVER_HELLO:
2438  rc = tls_new_server_hello ( tls, payload, payload_len );
2439  break;
2440  case TLS_NEW_SESSION_TICKET:
2441  rc = tls_new_session_ticket ( tls, payload,
2442  payload_len );
2443  break;
2444  case TLS_CERTIFICATE:
2445  rc = tls_new_certificate ( tls, payload, payload_len );
2446  break;
2447  case TLS_SERVER_KEY_EXCHANGE:
2448  rc = tls_new_server_key_exchange ( tls, payload,
2449  payload_len );
2450  break;
2451  case TLS_CERTIFICATE_REQUEST:
2452  rc = tls_new_certificate_request ( tls, payload,
2453  payload_len );
2454  break;
2455  case TLS_SERVER_HELLO_DONE:
2456  rc = tls_new_server_hello_done ( tls, payload,
2457  payload_len );
2458  break;
2459  case TLS_FINISHED:
2460  rc = tls_new_finished ( tls, payload, payload_len );
2461  break;
2462  default:
2463  DBGC ( tls, "TLS %p ignoring handshake type %d\n",
2464  tls, handshake->type );
2465  rc = 0;
2466  break;
2467  }
2468 
2469  /* Add to handshake digest (except for Hello Requests,
2470  * which are explicitly excluded).
2471  */
2472  if ( handshake->type != TLS_HELLO_REQUEST )
2473  tls_add_handshake ( tls, data, record_len );
2474 
2475  /* Abort on failure */
2476  if ( rc != 0 )
2477  return rc;
2478 
2479  /* Move to next handshake record */
2480  data += record_len;
2481  remaining -= record_len;
2482  }
2483 
2484  return 0;
2485 }
2486 
2487 /**
2488  * Receive new record
2489  *
2490  * @v tls TLS connection
2491  * @v type Record type
2492  * @v rx_data List of received data buffers
2493  * @ret rc Return status code
2494  */
2495 static int tls_new_record ( struct tls_connection *tls, unsigned int type,
2496  struct list_head *rx_data ) {
2497  struct io_buffer *iobuf;
2498  int ( * handler ) ( struct tls_connection *tls, const void *data,
2499  size_t len );
2500  int rc;
2501 
2502  /* Deliver data records to the plainstream interface */
2503  if ( type == TLS_TYPE_DATA ) {
2504 
2505  /* Fail unless we are ready to receive data */
2506  if ( ! tls_ready ( tls ) )
2507  return -ENOTCONN;
2508 
2509  /* Deliver each I/O buffer in turn */
2510  while ( ( iobuf = list_first_entry ( rx_data, struct io_buffer,
2511  list ) ) ) {
2512  list_del ( &iobuf->list );
2513  if ( ( rc = xfer_deliver_iob ( &tls->plainstream,
2514  iobuf ) ) != 0 ) {
2515  DBGC ( tls, "TLS %p could not deliver data: "
2516  "%s\n", tls, strerror ( rc ) );
2517  return rc;
2518  }
2519  }
2520  return 0;
2521  }
2522 
2523  /* For all other records, merge into a single I/O buffer */
2524  iobuf = iob_concatenate ( rx_data );
2525  if ( ! iobuf ) {
2526  DBGC ( tls, "TLS %p could not concatenate non-data record "
2527  "type %d\n", tls, type );
2528  return -ENOMEM_RX_CONCAT;
2529  }
2530 
2531  /* Determine handler */
2532  switch ( type ) {
2533  case TLS_TYPE_CHANGE_CIPHER:
2534  handler = tls_new_change_cipher;
2535  break;
2536  case TLS_TYPE_ALERT:
2537  handler = tls_new_alert;
2538  break;
2539  case TLS_TYPE_HANDSHAKE:
2540  handler = tls_new_handshake;
2541  break;
2542  default:
2543  /* RFC4346 says that we should just ignore unknown
2544  * record types.
2545  */
2546  handler = NULL;
2547  DBGC ( tls, "TLS %p ignoring record type %d\n", tls, type );
2548  break;
2549  }
2550 
2551  /* Handle record and free I/O buffer */
2552  rc = ( handler ? handler ( tls, iobuf->data, iob_len ( iobuf ) ) : 0 );
2553  free_iob ( iobuf );
2554  return rc;
2555 }
2556 
2557 /******************************************************************************
2558  *
2559  * Record encryption/decryption
2560  *
2561  ******************************************************************************
2562  */
2563 
2564 /**
2565  * Initialise HMAC
2566  *
2567  * @v cipherspec Cipher specification
2568  * @v ctx Context
2569  * @v authhdr Authentication header
2570  */
2571 static void tls_hmac_init ( struct tls_cipherspec *cipherspec, void *ctx,
2572  struct tls_auth_header *authhdr ) {
2573  struct tls_cipher_suite *suite = cipherspec->suite;
2574  struct digest_algorithm *digest = suite->digest;
2575 
2576  hmac_init ( digest, ctx, cipherspec->mac_secret, suite->mac_len );
2577  hmac_update ( digest, ctx, authhdr, sizeof ( *authhdr ) );
2578 }
2579 
2580 /**
2581  * Update HMAC
2582  *
2583  * @v cipherspec Cipher specification
2584  * @v ctx Context
2585  * @v data Data
2586  * @v len Length of data
2587  */
2588 static void tls_hmac_update ( struct tls_cipherspec *cipherspec, void *ctx,
2589  const void *data, size_t len ) {
2590  struct digest_algorithm *digest = cipherspec->suite->digest;
2591 
2592  hmac_update ( digest, ctx, data, len );
2593 }
2594 
2595 /**
2596  * Finalise HMAC
2597  *
2598  * @v cipherspec Cipher specification
2599  * @v ctx Context
2600  * @v mac HMAC to fill in
2601  */
2602 static void tls_hmac_final ( struct tls_cipherspec *cipherspec, void *ctx,
2603  void *hmac ) {
2604  struct digest_algorithm *digest = cipherspec->suite->digest;
2605 
2606  hmac_final ( digest, ctx, hmac );
2607 }
2608 
2609 /**
2610  * Calculate HMAC
2611  *
2612  * @v cipherspec Cipher specification
2613  * @v authhdr Authentication header
2614  * @v data Data
2615  * @v len Length of data
2616  * @v mac HMAC to fill in
2617  */
2618 static void tls_hmac ( struct tls_cipherspec *cipherspec,
2619  struct tls_auth_header *authhdr,
2620  const void *data, size_t len, void *hmac ) {
2621  struct digest_algorithm *digest = cipherspec->suite->digest;
2622  uint8_t ctx[ hmac_ctxsize ( digest ) ];
2623 
2624  tls_hmac_init ( cipherspec, ctx, authhdr );
2625  tls_hmac_update ( cipherspec, ctx, data, len );
2626  tls_hmac_final ( cipherspec, ctx, hmac );
2627 }
2628 
2629 /**
2630  * Calculate HMAC over list of I/O buffers
2631  *
2632  * @v cipherspec Cipher specification
2633  * @v authhdr Authentication header
2634  * @v list List of I/O buffers
2635  * @v mac HMAC to fill in
2636  */
2637 static void tls_hmac_list ( struct tls_cipherspec *cipherspec,
2638  struct tls_auth_header *authhdr,
2639  struct list_head *list, void *hmac ) {
2640  struct digest_algorithm *digest = cipherspec->suite->digest;
2641  uint8_t ctx[ hmac_ctxsize ( digest ) ];
2642  struct io_buffer *iobuf;
2643 
2644  tls_hmac_init ( cipherspec, ctx, authhdr );
2645  list_for_each_entry ( iobuf, list, list ) {
2646  tls_hmac_update ( cipherspec, ctx, iobuf->data,
2647  iob_len ( iobuf ) );
2648  }
2649  tls_hmac_final ( cipherspec, ctx, hmac );
2650 }
2651 
2652 /**
2653  * Send plaintext record
2654  *
2655  * @v tls TLS connection
2656  * @v type Record type
2657  * @v data Plaintext record
2658  * @v len Length of plaintext record
2659  * @ret rc Return status code
2660  */
2661 static int tls_send_plaintext ( struct tls_connection *tls, unsigned int type,
2662  const void *data, size_t len ) {
2663  struct tls_cipherspec *cipherspec = &tls->tx_cipherspec;
2664  struct tls_cipher_suite *suite = cipherspec->suite;
2665  struct cipher_algorithm *cipher = suite->cipher;
2666  struct digest_algorithm *digest = suite->digest;
2667  struct {
2668  uint8_t fixed[suite->fixed_iv_len];
2669  uint8_t record[suite->record_iv_len];
2670  } __attribute__ (( packed )) iv;
2671  struct tls_auth_header authhdr;
2672  struct tls_header *tlshdr;
2673  void *plaintext = NULL;
2674  size_t plaintext_len = len;
2675  struct io_buffer *ciphertext = NULL;
2676  size_t ciphertext_len;
2677  size_t padding_len;
2678  uint8_t mac[digest->digestsize];
2679  void *tmp;
2680  int rc;
2681 
2682  /* Construct initialisation vector */
2683  memcpy ( iv.fixed, cipherspec->fixed_iv, sizeof ( iv.fixed ) );
2684  tls_generate_random ( tls, iv.record, sizeof ( iv.record ) );
2685 
2686  /* Construct authentication data */
2687  authhdr.seq = cpu_to_be64 ( tls->tx_seq );
2688  authhdr.header.type = type;
2689  authhdr.header.version = htons ( tls->version );
2690  authhdr.header.length = htons ( len );
2691 
2692  /* Calculate padding length */
2693  plaintext_len += suite->mac_len;
2694  if ( is_block_cipher ( cipher ) ) {
2695  padding_len = ( ( ( cipher->blocksize - 1 ) &
2696  -( plaintext_len + 1 ) ) + 1 );
2697  } else {
2698  padding_len = 0;
2699  }
2700  plaintext_len += padding_len;
2701 
2702  /* Allocate plaintext */
2703  plaintext = malloc ( plaintext_len );
2704  if ( ! plaintext ) {
2705  DBGC ( tls, "TLS %p could not allocate %zd bytes for "
2706  "plaintext\n", tls, plaintext_len );
2707  rc = -ENOMEM_TX_PLAINTEXT;
2708  goto done;
2709  }
2710 
2711  /* Assemble plaintext */
2712  tmp = plaintext;
2713  memcpy ( tmp, data, len );
2714  tmp += len;
2715  if ( suite->mac_len )
2716  tls_hmac ( cipherspec, &authhdr, data, len, mac );
2717  memcpy ( tmp, mac, suite->mac_len );
2718  tmp += suite->mac_len;
2719  memset ( tmp, ( padding_len - 1 ), padding_len );
2720  tmp += padding_len;
2721  assert ( tmp == ( plaintext + plaintext_len ) );
2722  DBGC2 ( tls, "Sending plaintext data:\n" );
2723  DBGC2_HD ( tls, plaintext, plaintext_len );
2724 
2725  /* Set initialisation vector */
2726  cipher_setiv ( cipher, cipherspec->cipher_ctx, &iv, sizeof ( iv ) );
2727 
2728  /* Process authentication data, if applicable */
2729  if ( is_auth_cipher ( cipher ) ) {
2730  cipher_encrypt ( cipher, cipherspec->cipher_ctx, &authhdr,
2731  NULL, sizeof ( authhdr ) );
2732  }
2733 
2734  /* Allocate ciphertext */
2735  ciphertext_len = ( sizeof ( *tlshdr ) + sizeof ( iv.record ) +
2736  plaintext_len + cipher->authsize );
2737  ciphertext = xfer_alloc_iob ( &tls->cipherstream, ciphertext_len );
2738  if ( ! ciphertext ) {
2739  DBGC ( tls, "TLS %p could not allocate %zd bytes for "
2740  "ciphertext\n", tls, ciphertext_len );
2741  rc = -ENOMEM_TX_CIPHERTEXT;
2742  goto done;
2743  }
2744 
2745  /* Assemble ciphertext */
2746  tlshdr = iob_put ( ciphertext, sizeof ( *tlshdr ) );
2747  tlshdr->type = type;
2748  tlshdr->version = htons ( tls->version );
2749  tlshdr->length = htons ( ciphertext_len - sizeof ( *tlshdr ) );
2750  memcpy ( iob_put ( ciphertext, sizeof ( iv.record ) ), iv.record,
2751  sizeof ( iv.record ) );
2752  cipher_encrypt ( cipher, cipherspec->cipher_ctx, plaintext,
2753  iob_put ( ciphertext, plaintext_len ), plaintext_len );
2754  cipher_auth ( cipher, cipherspec->cipher_ctx,
2755  iob_put ( ciphertext, cipher->authsize ) );
2756  assert ( iob_len ( ciphertext ) == ciphertext_len );
2757 
2758  /* Free plaintext as soon as possible to conserve memory */
2759  free ( plaintext );
2760  plaintext = NULL;
2761 
2762  /* Send ciphertext */
2763  if ( ( rc = xfer_deliver_iob ( &tls->cipherstream,
2764  iob_disown ( ciphertext ) ) ) != 0 ) {
2765  DBGC ( tls, "TLS %p could not deliver ciphertext: %s\n",
2766  tls, strerror ( rc ) );
2767  goto done;
2768  }
2769 
2770  /* Update TX state machine to next record */
2771  tls->tx_seq += 1;
2772 
2773  done:
2774  free ( plaintext );
2775  free_iob ( ciphertext );
2776  return rc;
2777 }
2778 
2779 /**
2780  * Verify block padding
2781  *
2782  * @v tls TLS connection
2783  * @v iobuf Last received I/O buffer
2784  * @ret len Padding length, or negative error
2785  * @ret rc Return status code
2786  */
2787 static int tls_verify_padding ( struct tls_connection *tls,
2788  struct io_buffer *iobuf ) {
2789  uint8_t *padding;
2790  unsigned int pad;
2791  unsigned int i;
2792  size_t len;
2793 
2794  /* Extract and verify padding */
2795  padding = ( iobuf->tail - 1 );
2796  pad = *padding;
2797  len = ( pad + 1 );
2798  if ( len > iob_len ( iobuf ) ) {
2799  DBGC ( tls, "TLS %p received underlength padding\n", tls );
2800  DBGC_HD ( tls, iobuf->data, iob_len ( iobuf ) );
2801  return -EINVAL_PADDING;
2802  }
2803  for ( i = 0 ; i < pad ; i++ ) {
2804  if ( *(--padding) != pad ) {
2805  DBGC ( tls, "TLS %p received bad padding\n", tls );
2806  DBGC_HD ( tls, iobuf->data, iob_len ( iobuf ) );
2807  return -EINVAL_PADDING;
2808  }
2809  }
2810 
2811  return len;
2812 }
2813 
2814 /**
2815  * Receive new ciphertext record
2816  *
2817  * @v tls TLS connection
2818  * @v tlshdr Record header
2819  * @v rx_data List of received data buffers
2820  * @ret rc Return status code
2821  */
2822 static int tls_new_ciphertext ( struct tls_connection *tls,
2823  struct tls_header *tlshdr,
2824  struct list_head *rx_data ) {
2825  struct tls_cipherspec *cipherspec = &tls->rx_cipherspec;
2826  struct tls_cipher_suite *suite = cipherspec->suite;
2827  struct cipher_algorithm *cipher = suite->cipher;
2828  struct digest_algorithm *digest = suite->digest;
2829  size_t len = ntohs ( tlshdr->length );
2830  struct {
2831  uint8_t fixed[suite->fixed_iv_len];
2832  uint8_t record[suite->record_iv_len];
2833  } __attribute__ (( packed )) iv;
2834  struct tls_auth_header authhdr;
2835  uint8_t verify_mac[digest->digestsize];
2836  uint8_t verify_auth[cipher->authsize];
2837  struct io_buffer *first;
2838  struct io_buffer *last;
2839  struct io_buffer *iobuf;
2840  void *mac;
2841  void *auth;
2842  size_t check_len;
2843  int pad_len;
2844  int rc;
2845 
2846  /* Locate first and last data buffers */
2847  assert ( ! list_empty ( rx_data ) );
2848  first = list_first_entry ( rx_data, struct io_buffer, list );
2849  last = list_last_entry ( rx_data, struct io_buffer, list );
2850 
2851  /* Extract initialisation vector */
2852  if ( iob_len ( first ) < sizeof ( iv.record ) ) {
2853  DBGC ( tls, "TLS %p received underlength IV\n", tls );
2854  DBGC_HD ( tls, first->data, iob_len ( first ) );
2855  return -EINVAL_IV;
2856  }
2857  memcpy ( iv.fixed, cipherspec->fixed_iv, sizeof ( iv.fixed ) );
2858  memcpy ( iv.record, first->data, sizeof ( iv.record ) );
2859  iob_pull ( first, sizeof ( iv.record ) );
2860  len -= sizeof ( iv.record );
2861 
2862  /* Extract unencrypted authentication tag */
2863  if ( iob_len ( last ) < cipher->authsize ) {
2864  DBGC ( tls, "TLS %p received underlength authentication tag\n",
2865  tls );
2866  DBGC_HD ( tls, last->data, iob_len ( last ) );
2867  return -EINVAL_MAC;
2868  }
2869  iob_unput ( last, cipher->authsize );
2870  len -= cipher->authsize;
2871  auth = last->tail;
2872 
2873  /* Construct authentication data */
2874  authhdr.seq = cpu_to_be64 ( tls->rx_seq );
2875  authhdr.header.type = tlshdr->type;
2876  authhdr.header.version = tlshdr->version;
2877  authhdr.header.length = htons ( len );
2878 
2879  /* Set initialisation vector */
2880  cipher_setiv ( cipher, cipherspec->cipher_ctx, &iv, sizeof ( iv ) );
2881 
2882  /* Process authentication data, if applicable */
2883  if ( is_auth_cipher ( cipher ) ) {
2884  cipher_decrypt ( cipher, cipherspec->cipher_ctx, &authhdr,
2885  NULL, sizeof ( authhdr ) );
2886  }
2887 
2888  /* Decrypt the received data */
2889  check_len = 0;
2890  list_for_each_entry ( iobuf, &tls->rx_data, list ) {
2891  cipher_decrypt ( cipher, cipherspec->cipher_ctx,
2892  iobuf->data, iobuf->data, iob_len ( iobuf ) );
2893  check_len += iob_len ( iobuf );
2894  }
2895  assert ( check_len == len );
2896 
2897  /* Strip block padding, if applicable */
2898  if ( is_block_cipher ( cipher ) ) {
2899  pad_len = tls_verify_padding ( tls, last );
2900  if ( pad_len < 0 ) {
2901  /* Assume zero padding length to avoid timing attacks */
2902  pad_len = 0;
2903  }
2904  iob_unput ( last, pad_len );
2905  len -= pad_len;
2906  }
2907 
2908  /* Extract decrypted MAC */
2909  if ( iob_len ( last ) < suite->mac_len ) {
2910  DBGC ( tls, "TLS %p received underlength MAC\n", tls );
2911  DBGC_HD ( tls, last->data, iob_len ( last ) );
2912  return -EINVAL_MAC;
2913  }
2914  iob_unput ( last, suite->mac_len );
2915  len -= suite->mac_len;
2916  mac = last->tail;
2917 
2918  /* Dump received data */
2919  DBGC2 ( tls, "Received plaintext data:\n" );
2920  check_len = 0;
2921  list_for_each_entry ( iobuf, rx_data, list ) {
2922  DBGC2_HD ( tls, iobuf->data, iob_len ( iobuf ) );
2923  check_len += iob_len ( iobuf );
2924  }
2925  assert ( check_len == len );
2926 
2927  /* Generate MAC */
2928  authhdr.header.length = htons ( len );
2929  if ( suite->mac_len )
2930  tls_hmac_list ( cipherspec, &authhdr, rx_data, verify_mac );
2931 
2932  /* Generate authentication tag */
2933  cipher_auth ( cipher, cipherspec->cipher_ctx, verify_auth );
2934 
2935  /* Verify MAC */
2936  if ( memcmp ( mac, verify_mac, suite->mac_len ) != 0 ) {
2937  DBGC ( tls, "TLS %p failed MAC verification\n", tls );
2938  return -EINVAL_MAC;
2939  }
2940 
2941  /* Verify authentication tag */
2942  if ( memcmp ( auth, verify_auth, cipher->authsize ) != 0 ) {
2943  DBGC ( tls, "TLS %p failed authentication tag verification\n",
2944  tls );
2945  return -EINVAL_MAC;
2946  }
2947 
2948  /* Process plaintext record */
2949  if ( ( rc = tls_new_record ( tls, tlshdr->type, rx_data ) ) != 0 )
2950  return rc;
2951 
2952  return 0;
2953 }
2954 
2955 /******************************************************************************
2956  *
2957  * Plaintext stream operations
2958  *
2959  ******************************************************************************
2960  */
2961 
2962 /**
2963  * Check flow control window
2964  *
2965  * @v tls TLS connection
2966  * @ret len Length of window
2967  */
2968 static size_t tls_plainstream_window ( struct tls_connection *tls ) {
2969 
2970  /* Block window unless we are ready to accept data */
2971  if ( ! tls_ready ( tls ) )
2972  return 0;
2973 
2974  return xfer_window ( &tls->cipherstream );
2975 }
2976 
2977 /**
2978  * Deliver datagram as raw data
2979  *
2980  * @v tls TLS connection
2981  * @v iobuf I/O buffer
2982  * @v meta Data transfer metadata
2983  * @ret rc Return status code
2984  */
2985 static int tls_plainstream_deliver ( struct tls_connection *tls,
2986  struct io_buffer *iobuf,
2987  struct xfer_metadata *meta __unused ) {
2988  int rc;
2989 
2990  /* Refuse unless we are ready to accept data */
2991  if ( ! tls_ready ( tls ) ) {
2992  rc = -ENOTCONN;
2993  goto done;
2994  }
2995 
2996  if ( ( rc = tls_send_plaintext ( tls, TLS_TYPE_DATA, iobuf->data,
2997  iob_len ( iobuf ) ) ) != 0 )
2998  goto done;
2999 
3000  done:
3001  free_iob ( iobuf );
3002  return rc;
3003 }
3004 
3005 /**
3006  * Report job progress
3007  *
3008  * @v tls TLS connection
3009  * @v progress Progress report to fill in
3010  * @ret ongoing_rc Ongoing job status code (if known)
3011  */
3012 static int tls_progress ( struct tls_connection *tls,
3013  struct job_progress *progress ) {
3014 
3015  /* Return cipherstream or validator progress as applicable */
3016  if ( is_pending ( &tls->validation ) ) {
3017  return job_progress ( &tls->validator, progress );
3018  } else {
3019  return job_progress ( &tls->cipherstream, progress );
3020  }
3021 }
3022 
3023 /** TLS plaintext stream interface operations */
3024 static struct interface_operation tls_plainstream_ops[] = {
3025  INTF_OP ( xfer_deliver, struct tls_connection *,
3026  tls_plainstream_deliver ),
3027  INTF_OP ( xfer_window, struct tls_connection *,
3028  tls_plainstream_window ),
3029  INTF_OP ( job_progress, struct tls_connection *, tls_progress ),
3030  INTF_OP ( intf_close, struct tls_connection *, tls_close ),
3031 };
3032 
3033 /** TLS plaintext stream interface descriptor */
3034 static struct interface_descriptor tls_plainstream_desc =
3035  INTF_DESC_PASSTHRU ( struct tls_connection, plainstream,
3036  tls_plainstream_ops, cipherstream );
3037 
3038 /******************************************************************************
3039  *
3040  * Ciphertext stream operations
3041  *
3042  ******************************************************************************
3043  */
3044 
3045 /**
3046  * Handle received TLS header
3047  *
3048  * @v tls TLS connection
3049  * @ret rc Returned status code
3050  */
3051 static int tls_newdata_process_header ( struct tls_connection *tls ) {
3052  struct tls_cipherspec *cipherspec = &tls->rx_cipherspec;
3053  struct cipher_algorithm *cipher = cipherspec->suite->cipher;
3054  size_t iv_len = cipherspec->suite->record_iv_len;
3055  size_t data_len = ntohs ( tls->rx_header.length );
3056  size_t remaining = data_len;
3057  size_t frag_len;
3058  size_t reserve;
3059  struct io_buffer *iobuf;
3060  struct io_buffer *tmp;
3061  int rc;
3062 
3063  /* Sanity check */
3064  assert ( ( TLS_RX_BUFSIZE % cipher->alignsize ) == 0 );
3065 
3066  /* Calculate alignment reservation at start of first data buffer */
3067  reserve = ( ( -iv_len ) & ( cipher->alignsize - 1 ) );
3068  remaining += reserve;
3069 
3070  /* Allocate data buffers now that we know the length */
3071  assert ( list_empty ( &tls->rx_data ) );
3072  while ( remaining ) {
3073 
3074  /* Calculate fragment length. Ensure that no block is
3075  * smaller than TLS_RX_MIN_BUFSIZE (by increasing the
3076  * allocation length if necessary).
3077  */
3078  frag_len = remaining;
3079  if ( frag_len > TLS_RX_BUFSIZE )
3080  frag_len = TLS_RX_BUFSIZE;
3081  remaining -= frag_len;
3082  if ( remaining < TLS_RX_MIN_BUFSIZE ) {
3083  frag_len += remaining;
3084  remaining = 0;
3085  }
3086 
3087  /* Allocate buffer */
3088  iobuf = alloc_iob_raw ( frag_len, TLS_RX_ALIGN, 0 );
3089  if ( ! iobuf ) {
3090  DBGC ( tls, "TLS %p could not allocate %zd of %zd "
3091  "bytes for receive buffer\n", tls,
3092  remaining, data_len );
3093  rc = -ENOMEM_RX_DATA;
3094  goto err;
3095  }
3096 
3097  /* Ensure tailroom is exactly what we asked for. This
3098  * will result in unaligned I/O buffers when the
3099  * fragment length is unaligned, which can happen only
3100  * before we switch to using a block cipher.
3101  */
3102  iob_reserve ( iobuf, ( iob_tailroom ( iobuf ) - frag_len ) );
3103 
3104  /* Ensure first buffer length will be aligned to a
3105  * multiple of the cipher alignment size after
3106  * stripping the record IV.
3107  */
3108  iob_reserve ( iobuf, reserve );
3109  reserve = 0;
3110 
3111  /* Add I/O buffer to list */
3112  list_add_tail ( &iobuf->list, &tls->rx_data );
3113  }
3114 
3115  /* Move to data state */
3116  tls->rx_state = TLS_RX_DATA;
3117 
3118  return 0;
3119 
3120  err:
3121  list_for_each_entry_safe ( iobuf, tmp, &tls->rx_data, list ) {
3122  list_del ( &iobuf->list );
3123  free_iob ( iobuf );
3124  }
3125  return rc;
3126 }
3127 
3128 /**
3129  * Handle received TLS data payload
3130  *
3131  * @v tls TLS connection
3132  * @ret rc Returned status code
3133  */
3134 static int tls_newdata_process_data ( struct tls_connection *tls ) {
3135  struct io_buffer *iobuf;
3136  int rc;
3137 
3138  /* Move current buffer to end of list */
3139  iobuf = list_first_entry ( &tls->rx_data, struct io_buffer, list );
3140  list_del ( &iobuf->list );
3141  list_add_tail ( &iobuf->list, &tls->rx_data );
3142 
3143  /* Continue receiving data if any space remains */
3144  iobuf = list_first_entry ( &tls->rx_data, struct io_buffer, list );
3145  if ( iob_tailroom ( iobuf ) )
3146  return 0;
3147 
3148  /* Process record */
3149  if ( ( rc = tls_new_ciphertext ( tls, &tls->rx_header,
3150  &tls->rx_data ) ) != 0 )
3151  return rc;
3152 
3153  /* Increment RX sequence number */
3154  tls->rx_seq += 1;
3155 
3156  /* Return to header state */
3157  assert ( list_empty ( &tls->rx_data ) );
3158  tls->rx_state = TLS_RX_HEADER;
3159  iob_unput ( &tls->rx_header_iobuf, sizeof ( tls->rx_header ) );
3160 
3161  return 0;
3162 }
3163 
3164 /**
3165  * Check flow control window
3166  *
3167  * @v tls TLS connection
3168  * @ret len Length of window
3169  */
3170 static size_t tls_cipherstream_window ( struct tls_connection *tls ) {
3171 
3172  /* Open window until we are ready to accept data */
3173  if ( ! tls_ready ( tls ) )
3174  return -1UL;
3175 
3176  return xfer_window ( &tls->plainstream );
3177 }
3178 
3179 /**
3180  * Receive new ciphertext
3181  *
3182  * @v tls TLS connection
3183  * @v iobuf I/O buffer
3184  * @v meta Data transfer metadat
3185  * @ret rc Return status code
3186  */
3187 static int tls_cipherstream_deliver ( struct tls_connection *tls,
3188  struct io_buffer *iobuf,
3189  struct xfer_metadata *xfer __unused ) {
3190  size_t frag_len;
3191  int ( * process ) ( struct tls_connection *tls );
3192  struct io_buffer *dest;
3193  int rc;
3194 
3195  while ( iob_len ( iobuf ) ) {
3196 
3197  /* Select buffer according to current state */
3198  switch ( tls->rx_state ) {
3199  case TLS_RX_HEADER:
3200  dest = &tls->rx_header_iobuf;
3201  process = tls_newdata_process_header;
3202  break;
3203  case TLS_RX_DATA:
3204  dest = list_first_entry ( &tls->rx_data,
3205  struct io_buffer, list );
3206  assert ( dest != NULL );
3207  process = tls_newdata_process_data;
3208  break;
3209  default:
3210  assert ( 0 );
3211  rc = -EINVAL_RX_STATE;
3212  goto done;
3213  }
3214 
3215  /* Copy data portion to buffer */
3216  frag_len = iob_len ( iobuf );
3217  if ( frag_len > iob_tailroom ( dest ) )
3218  frag_len = iob_tailroom ( dest );
3219  memcpy ( iob_put ( dest, frag_len ), iobuf->data, frag_len );
3220  iob_pull ( iobuf, frag_len );
3221 
3222  /* Process data if buffer is now full */
3223  if ( iob_tailroom ( dest ) == 0 ) {
3224  if ( ( rc = process ( tls ) ) != 0 ) {
3225  tls_close ( tls, rc );
3226  goto done;
3227  }
3228  }
3229  }
3230  rc = 0;
3231 
3232  done:
3233  free_iob ( iobuf );
3234  return rc;
3235 }
3236 
3237 /** TLS ciphertext stream interface operations */
3238 static struct interface_operation tls_cipherstream_ops[] = {
3239  INTF_OP ( xfer_deliver, struct tls_connection *,
3240  tls_cipherstream_deliver ),
3241  INTF_OP ( xfer_window, struct tls_connection *,
3242  tls_cipherstream_window ),
3243  INTF_OP ( xfer_window_changed, struct tls_connection *,
3244  tls_tx_resume ),
3245  INTF_OP ( intf_close, struct tls_connection *, tls_close ),
3246 };
3247 
3248 /** TLS ciphertext stream interface descriptor */
3249 static struct interface_descriptor tls_cipherstream_desc =
3250  INTF_DESC_PASSTHRU ( struct tls_connection, cipherstream,
3251  tls_cipherstream_ops, plainstream );
3252 
3253 /******************************************************************************
3254  *
3255  * Certificate validator
3256  *
3257  ******************************************************************************
3258  */
3259 
3260 /**
3261  * Handle certificate validation completion
3262  *
3263  * @v tls TLS connection
3264  * @v rc Reason for completion
3265  */
3266 static void tls_validator_done ( struct tls_connection *tls, int rc ) {
3267  struct tls_session *session = tls->session;
3268  struct tls_cipherspec *cipherspec = &tls->tx_cipherspec_pending;
3269  struct pubkey_algorithm *pubkey = cipherspec->suite->pubkey;
3270  struct x509_certificate *cert;
3271 
3272  /* Mark validation as complete */
3273  pending_put ( &tls->validation );
3274 
3275  /* Close validator interface */
3276  intf_restart ( &tls->validator, rc );
3277 
3278  /* Check for validation failure */
3279  if ( rc != 0 ) {
3280  DBGC ( tls, "TLS %p certificate validation failed: %s\n",
3281  tls, strerror ( rc ) );
3282  goto err;
3283  }
3284  DBGC ( tls, "TLS %p certificate validation succeeded\n", tls );
3285 
3286  /* Extract first certificate */
3287  cert = x509_first ( tls->chain );
3288  assert ( cert != NULL );
3289 
3290  /* Verify server name */
3291  if ( ( rc = x509_check_name ( cert, session->name ) ) != 0 ) {
3292  DBGC ( tls, "TLS %p server certificate does not match %s: %s\n",
3293  tls, session->name, strerror ( rc ) );
3294  goto err;
3295  }
3296 
3297  /* Initialise public key algorithm */
3298  if ( ( rc = pubkey_init ( pubkey, cipherspec->pubkey_ctx,
3299  cert->subject.public_key.raw.data,
3300  cert->subject.public_key.raw.len ) ) != 0 ) {
3301  DBGC ( tls, "TLS %p cannot initialise public key: %s\n",
3302  tls, strerror ( rc ) );
3303  goto err;
3304  }
3305 
3306  /* Schedule Client Key Exchange, Change Cipher, and Finished */
3307  tls->tx_pending |= ( TLS_TX_CLIENT_KEY_EXCHANGE |
3308  TLS_TX_CHANGE_CIPHER |
3309  TLS_TX_FINISHED );
3310  if ( tls->certs ) {
3311  tls->tx_pending |= ( TLS_TX_CERTIFICATE |
3312  TLS_TX_CERTIFICATE_VERIFY );
3313  }
3314  tls_tx_resume ( tls );
3315 
3316  return;
3317 
3318  err:
3319  tls_close ( tls, rc );
3320  return;
3321 }
3322 
3323 /** TLS certificate validator interface operations */
3324 static struct interface_operation tls_validator_ops[] = {
3325  INTF_OP ( intf_close, struct tls_connection *, tls_validator_done ),
3326 };
3327 
3328 /** TLS certificate validator interface descriptor */
3329 static struct interface_descriptor tls_validator_desc =
3330  INTF_DESC ( struct tls_connection, validator, tls_validator_ops );
3331 
3332 /******************************************************************************
3333  *
3334  * Controlling process
3335  *
3336  ******************************************************************************
3337  */
3338 
3339 /**
3340  * TLS TX state machine
3341  *
3342  * @v tls TLS connection
3343  */
3344 static void tls_tx_step ( struct tls_connection *tls ) {
3345  struct tls_session *session = tls->session;
3346  struct tls_connection *conn;
3347  int rc;
3348 
3349  /* Wait for cipherstream to become ready */
3350  if ( ! xfer_window ( &tls->cipherstream ) )
3351  return;
3352 
3353  /* Send first pending transmission */
3354  if ( tls->tx_pending & TLS_TX_CLIENT_HELLO ) {
3355  /* Serialise server negotiations within a session, to
3356  * provide a consistent view of session IDs and
3357  * session tickets.
3358  */
3359  list_for_each_entry ( conn, &session->conn, list ) {
3360  if ( conn == tls )
3361  break;
3362  if ( is_pending ( &conn->server_negotiation ) )
3363  return;
3364  }
3365  /* Record or generate session ID and associated master secret */
3366  if ( session->id_len ) {
3367  /* Attempt to resume an existing session */
3368  memcpy ( tls->session_id, session->id,
3369  sizeof ( tls->session_id ) );
3370  tls->session_id_len = session->id_len;
3371  memcpy ( tls->master_secret, session->master_secret,
3372  sizeof ( tls->master_secret ) );
3373  } else {
3374  /* No existing session: use a random session ID */
3375  assert ( sizeof ( tls->session_id ) ==
3376  sizeof ( tls->client_random ) );
3377  memcpy ( tls->session_id, &tls->client_random,
3378  sizeof ( tls->session_id ) );
3379  tls->session_id_len = sizeof ( tls->session_id );
3380  }
3381  /* Send Client Hello */
3382  if ( ( rc = tls_send_client_hello ( tls ) ) != 0 ) {
3383  DBGC ( tls, "TLS %p could not send Client Hello: %s\n",
3384  tls, strerror ( rc ) );
3385  goto err;
3386  }
3387  tls->tx_pending &= ~TLS_TX_CLIENT_HELLO;
3388  } else if ( tls->tx_pending & TLS_TX_CERTIFICATE ) {
3389  /* Send Certificate */
3390  if ( ( rc = tls_send_certificate ( tls ) ) != 0 ) {
3391  DBGC ( tls, "TLS %p cold not send Certificate: %s\n",
3392  tls, strerror ( rc ) );
3393  goto err;
3394  }
3395  tls->tx_pending &= ~TLS_TX_CERTIFICATE;
3396  } else if ( tls->tx_pending & TLS_TX_CLIENT_KEY_EXCHANGE ) {
3397  /* Send Client Key Exchange */
3398  if ( ( rc = tls_send_client_key_exchange ( tls ) ) != 0 ) {
3399  DBGC ( tls, "TLS %p could not send Client Key "
3400  "Exchange: %s\n", tls, strerror ( rc ) );
3401  goto err;
3402  }
3403  tls->tx_pending &= ~TLS_TX_CLIENT_KEY_EXCHANGE;
3404  } else if ( tls->tx_pending & TLS_TX_CERTIFICATE_VERIFY ) {
3405  /* Send Certificate Verify */
3406  if ( ( rc = tls_send_certificate_verify ( tls ) ) != 0 ) {
3407  DBGC ( tls, "TLS %p could not send Certificate "
3408  "Verify: %s\n", tls, strerror ( rc ) );
3409  goto err;
3410  }
3411  tls->tx_pending &= ~TLS_TX_CERTIFICATE_VERIFY;
3412  } else if ( tls->tx_pending & TLS_TX_CHANGE_CIPHER ) {
3413  /* Send Change Cipher, and then change the cipher in use */
3414  if ( ( rc = tls_send_change_cipher ( tls ) ) != 0 ) {
3415  DBGC ( tls, "TLS %p could not send Change Cipher: "
3416  "%s\n", tls, strerror ( rc ) );
3417  goto err;
3418  }
3419  if ( ( rc = tls_change_cipher ( tls,
3420  &tls->tx_cipherspec_pending,
3421  &tls->tx_cipherspec )) != 0 ){
3422  DBGC ( tls, "TLS %p could not activate TX cipher: "
3423  "%s\n", tls, strerror ( rc ) );
3424  goto err;
3425  }
3426  tls->tx_seq = 0;
3427  tls->tx_pending &= ~TLS_TX_CHANGE_CIPHER;
3428  } else if ( tls->tx_pending & TLS_TX_FINISHED ) {
3429  /* Send Finished */
3430  if ( ( rc = tls_send_finished ( tls ) ) != 0 ) {
3431  DBGC ( tls, "TLS %p could not send Finished: %s\n",
3432  tls, strerror ( rc ) );
3433  goto err;
3434  }
3435  tls->tx_pending &= ~TLS_TX_FINISHED;
3436  }
3437 
3438  /* Reschedule process if pending transmissions remain,
3439  * otherwise send notification of a window change.
3440  */
3441  if ( tls->tx_pending ) {
3442  tls_tx_resume ( tls );
3443  } else {
3444  xfer_window_changed ( &tls->plainstream );
3445  }
3446 
3447  return;
3448 
3449  err:
3450  tls_close ( tls, rc );
3451 }
3452 
3453 /** TLS TX process descriptor */
3454 static struct process_descriptor tls_process_desc =
3455  PROC_DESC_ONCE ( struct tls_connection, process, tls_tx_step );
3456 
3457 /******************************************************************************
3458  *
3459  * Session management
3460  *
3461  ******************************************************************************
3462  */
3463 
3464 /**
3465  * Find or create session for TLS connection
3466  *
3467  * @v tls TLS connection
3468  * @v name Server name
3469  * @ret rc Return status code
3470  */
3471 static int tls_session ( struct tls_connection *tls, const char *name ) {
3472  struct tls_session *session;
3473  char *name_copy;
3474  int rc;
3475 
3476  /* Find existing matching session, if any */
3477  list_for_each_entry ( session, &tls_sessions, list ) {
3478  if ( ( strcmp ( name, session->name ) == 0 ) &&
3479  ( tls->root == session->root ) &&
3480  ( tls->key == session->key ) ) {
3481  ref_get ( &session->refcnt );
3482  tls->session = session;
3483  DBGC ( tls, "TLS %p joining session %s\n", tls, name );
3484  return 0;
3485  }
3486  }
3487 
3488  /* Create new session */
3489  session = zalloc ( sizeof ( *session ) + strlen ( name )
3490  + 1 /* NUL */ );
3491  if ( ! session ) {
3492  rc = -ENOMEM;
3493  goto err_alloc;
3494  }
3495  ref_init ( &session->refcnt, free_tls_session );
3496  name_copy = ( ( ( void * ) session ) + sizeof ( *session ) );
3497  strcpy ( name_copy, name );
3498  session->name = name_copy;
3499  session->root = x509_root_get ( tls->root );
3500  session->key = privkey_get ( tls->key );
3501  INIT_LIST_HEAD ( &session->conn );
3502  list_add ( &session->list, &tls_sessions );
3503 
3504  /* Record session */
3505  tls->session = session;
3506 
3507  DBGC ( tls, "TLS %p created session %s\n", tls, name );
3508  return 0;
3509 
3510  ref_put ( &session->refcnt );
3511  err_alloc:
3512  return rc;
3513 }
3514 
3515 /******************************************************************************
3516  *
3517  * Instantiator
3518  *
3519  ******************************************************************************
3520  */
3521 
3522 /**
3523  * Add TLS on an interface
3524  *
3525  * @v xfer Data transfer interface
3526  * @v name Host name
3527  * @v root Root of trust (or NULL to use default)
3528  * @v key Private key (or NULL to use default)
3529  * @ret rc Return status code
3530  */
3531 int add_tls ( struct interface *xfer, const char *name,
3532  struct x509_root *root, struct private_key *key ) {
3533  struct tls_connection *tls;
3534  int rc;
3535 
3536  /* Allocate and initialise TLS structure */
3537  tls = malloc ( sizeof ( *tls ) );
3538  if ( ! tls ) {
3539  rc = -ENOMEM;
3540  goto err_alloc;
3541  }
3542  memset ( tls, 0, sizeof ( *tls ) );
3543  ref_init ( &tls->refcnt, free_tls );
3544  INIT_LIST_HEAD ( &tls->list );
3545  intf_init ( &tls->plainstream, &tls_plainstream_desc, &tls->refcnt );
3546  intf_init ( &tls->cipherstream, &tls_cipherstream_desc, &tls->refcnt );
3547  intf_init ( &tls->validator, &tls_validator_desc, &tls->refcnt );
3548  process_init_stopped ( &tls->process, &tls_process_desc,
3549  &tls->refcnt );
3550  tls->key = privkey_get ( key ? key : &private_key );
3551  tls->root = x509_root_get ( root ? root : &root_certificates );
3552  tls->version = TLS_VERSION_MAX;
3553  tls_clear_cipher ( tls, &tls->tx_cipherspec );
3554  tls_clear_cipher ( tls, &tls->tx_cipherspec_pending );
3555  tls_clear_cipher ( tls, &tls->rx_cipherspec );
3556  tls_clear_cipher ( tls, &tls->rx_cipherspec_pending );
3557  tls_clear_handshake ( tls );
3558  tls->client_random.gmt_unix_time = time ( NULL );
3559  iob_populate ( &tls->rx_header_iobuf, &tls->rx_header, 0,
3560  sizeof ( tls->rx_header ) );
3561  INIT_LIST_HEAD ( &tls->rx_data );
3562  if ( ( rc = tls_generate_random ( tls, &tls->client_random.random,
3563  ( sizeof ( tls->client_random.random ) ) ) ) != 0 ) {
3564  goto err_random;
3565  }
3566  if ( ( rc = tls_session ( tls, name ) ) != 0 )
3567  goto err_session;
3568  list_add_tail ( &tls->list, &tls->session->conn );
3569 
3570  /* Start negotiation */
3571  tls_restart ( tls );
3572 
3573  /* Attach to parent interface, mortalise self, and return */
3574  intf_insert ( xfer, &tls->plainstream, &tls->cipherstream );
3575  ref_put ( &tls->refcnt );
3576  return 0;
3577 
3578  err_session:
3579  err_random:
3580  ref_put ( &tls->refcnt );
3581  err_alloc:
3582  return rc;
3583 }
3584 
3585 /* Drag in objects via add_tls() */
3586 REQUIRING_SYMBOL ( add_tls );
3587 
3588 /* Drag in crypto configuration */
3589 REQUIRE_OBJECT ( config_crypto );
tls.h
Transport Layer Security Protocol.
cpu_to_be16
#define cpu_to_be16(value)
Definition: byteswap.h:109
tls_connection::verify
struct tls_verify_data verify
Verification data.
Definition: tls.h:365
memswap
void * memswap(void *first, void *second, size_t len)
Swap memory regions.
Definition: string.c:153
free_tls
static void free_tls(struct refcnt *refcnt)
Free TLS connection.
Definition: tls.c:372
x509_chain_put
static void x509_chain_put(struct x509_chain *chain)
Drop reference to X.509 certificate chain.
Definition: x509.h:269
process
A process.
Definition: process.h:17
iob_pull
#define iob_pull(iobuf, len)
Definition: iobuf.h:102
tls_send_certificate
static int tls_send_certificate(struct tls_connection *tls)
Transmit Certificate record.
Definition: tls.c:1248
hmac_init
void hmac_init(struct digest_algorithm *digest, void *ctx, const void *key, size_t key_len)
Initialise HMAC.
Definition: hmac.c:57
__attribute__
#define __attribute__(x)
Definition: compiler.h:10
interface_operation
An object interface operation.
Definition: interface.h:17
length
u16 length
Definition: sky2.h:9
EPERM_CLIENT_CERT
#define EPERM_CLIENT_CERT
Definition: tls.c:169
is_auth_cipher
static int is_auth_cipher(struct cipher_algorithm *cipher)
Definition: crypto.h:256
cipher_algorithm::blocksize
size_t blocksize
Block size.
Definition: crypto.h:59
tls_signature_hash_algorithm::digest
struct digest_algorithm * digest
Digest algorithm.
Definition: tls.h:232
x509_public_key::raw
struct asn1_cursor raw
Raw public key information.
Definition: x509.h:50
tls_auth_header::seq
uint64_t seq
Sequence number.
Definition: tls.h:131
EINVAL_PADDING
#define EINVAL_PADDING
Definition: tls.c:93
rc
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
tls_tx_resume_all
static void tls_tx_resume_all(struct tls_session *session)
Resume TX state machine for all connections within a session.
Definition: tls.c:1065
digest_update
static void digest_update(struct digest_algorithm *digest, void *ctx, const void *data, size_t len)
Definition: crypto.h:203
name
const char * name
Definition: ath9k_hw.c:1984
xfer_window_changed
void xfer_window_changed(struct interface *intf)
Report change of flow control window.
Definition: xfer.c:145
uint16_t
unsigned short uint16_t
Definition: stdint.h:11
intf_close
void intf_close(struct interface *intf, int rc)
Close an object interface.
Definition: interface.c:249
tls_connection::chain
struct x509_chain * chain
Server certificate chain.
Definition: tls.h:370
md5_sha1_context
An MD5+SHA1 context.
Definition: tls.h:261
tls_validator_done
static void tls_validator_done(struct tls_connection *tls, int rc)
Handle certificate validation completion.
Definition: tls.c:3266
privkey_put
static void privkey_put(struct private_key *key)
Drop reference to private key.
Definition: privkey.h:41
intf_restart
void intf_restart(struct interface *intf, int rc)
Shut down and restart an object interface.
Definition: interface.c:342
tls_cipher_suite_null
struct tls_cipher_suite tls_cipher_suite_null
Null cipher suite.
Definition: tls.c:817
tls_select_cipher
static int tls_select_cipher(struct tls_connection *tls, unsigned int cipher_suite)
Select next cipher suite.
Definition: tls.c:913
tls_connection::client_negotiation
struct pending_operation client_negotiation
Client security negotiation pending operation.
Definition: tls.h:375
iob_put
#define iob_put(iobuf, len)
Definition: iobuf.h:120
va_end
#define va_end(ap)
Definition: stdarg.h:9
tls_connection::process
struct process process
TX process.
Definition: tls.h:386
TLS_NUM_CIPHER_SUITES
#define TLS_NUM_CIPHER_SUITES
Number of supported cipher suites.
Definition: tls.c:825
xfer_metadata
Data transfer metadata.
Definition: xfer.h:22
intf_shutdown
void intf_shutdown(struct interface *intf, int rc)
Shut down an object interface.
Definition: interface.c:278
tls_tx_resume
static void tls_tx_resume(struct tls_connection *tls)
Resume TX state machine.
Definition: tls.c:1056
tls_new_ciphertext
static int tls_new_ciphertext(struct tls_connection *tls, struct tls_header *tlshdr, struct list_head *rx_data)
Receive new ciphertext record.
Definition: tls.c:2822
tls_newdata_process_header
static int tls_newdata_process_header(struct tls_connection *tls)
Handle received TLS header.
Definition: tls.c:3051
TLS_RENEGOTIATION_INFO
#define TLS_RENEGOTIATION_INFO
Definition: tls.h:126
xfer_deliver_iob
int xfer_deliver_iob(struct interface *intf, struct io_buffer *iobuf)
Deliver datagram as I/O buffer without metadata.
Definition: xfer.c:254
certstore_find_key
struct x509_certificate * certstore_find_key(struct private_key *key)
Find certificate in store corresponding to a private key.
Definition: certstore.c:119
certstore
struct x509_chain certstore
Certificate store.
Definition: certstore.c:73
max
#define max(x, y)
Definition: ath.h:39
tls_connection::session
struct tls_session * session
Session.
Definition: tls.h:317
x509_get
static struct x509_certificate * x509_get(struct x509_certificate *cert)
Get reference to X.509 certificate.
Definition: x509.h:236
tls_cipher_suite::exchange
struct tls_key_exchange_algorithm * exchange
Key exchange algorithm.
Definition: tls.h:176
tls_connection::rx_header_iobuf
struct io_buffer rx_header_iobuf
Current received record header (static I/O buffer)
Definition: tls.h:395
tls_cipher_suite::record_iv_len
uint8_t record_iv_len
Record initialisation vector length.
Definition: tls.h:192
tls_uint24
static unsigned long tls_uint24(const tls24_t *field24)
Extract 24-bit field value.
Definition: tls.c:226
tls_restart
static void tls_restart(struct tls_connection *tls)
Restart negotiation.
Definition: tls.c:1077
dhe_key
int dhe_key(const void *modulus, size_t len, const void *generator, size_t generator_len, const void *partner, size_t partner_len, const void *private, size_t private_len, void *public, void *shared)
Calculate Diffie-Hellman key.
Definition: dhe.c:53
tls_signature_hash_pubkey
static struct pubkey_algorithm * tls_signature_hash_pubkey(struct tls_signature_hash_id code)
Find TLS signature algorithm.
Definition: tls.c:1013
sig
u8 sig
Definition: CIB_PRM.h:43
root
struct stp_switch root
Root switch.
Definition: stp.h:26
list_add
#define list_add(new, head)
Add a new entry to the head of a list.
Definition: list.h:69
next
uint32_t next
Next descriptor address.
Definition: myson.h:18
max_len
static void size_t size_t max_len
Definition: entropy.h:153
x509_chain::links
struct list_head links
List of links.
Definition: x509.h:181
tls_find_cipher_suite
static struct tls_cipher_suite * tls_find_cipher_suite(unsigned int cipher_suite)
Identify cipher suite.
Definition: tls.c:834
EPERM_KEY_EXCHANGE
#define EPERM_KEY_EXCHANGE
Definition: tls.c:181
ref_init
#define ref_init(refcnt, free)
Initialise a reference counter.
Definition: refcnt.h:64
errno.h
Error codes.
tls_connection::refcnt
struct refcnt refcnt
Reference counter.
Definition: tls.h:314
EINVAL_HELLO
#define EINVAL_HELLO
Definition: tls.c:65
tls_connection::rx_seq
uint64_t rx_seq
RX sequence number.
Definition: tls.h:389
tls_header::type
uint8_t type
Content type.
Definition: tls.h:33
tls_verify_handshake
static void tls_verify_handshake(struct tls_connection *tls, void *out)
Calculate handshake verification hash.
Definition: tls.c:801
x509_check_name
int x509_check_name(struct x509_certificate *cert, const char *name)
Check X.509 certificate name.
Definition: x509.c:1569
rbg_generate
static int rbg_generate(const void *additional, size_t additional_len, int prediction_resist, void *data, size_t len)
Generate bits using RBG.
Definition: rbg.h:36
tls_send_client_key_exchange_pubkey
static int tls_send_client_key_exchange_pubkey(struct tls_connection *tls)
Transmit Client Key Exchange record using public key exchange.
Definition: tls.c:1310
iobuf.h
I/O buffers.
tls_cipherstream_deliver
static int tls_cipherstream_deliver(struct tls_connection *tls, struct io_buffer *iobuf, struct xfer_metadata *xfer __unused)
Receive new ciphertext.
Definition: tls.c:3187
free_iob
void free_iob(struct io_buffer *iobuf)
Free I/O buffer.
Definition: iobuf.c:146
alloc_iob_raw
struct io_buffer * alloc_iob_raw(size_t len, size_t align, size_t offset)
Allocate I/O buffer with specified alignment and offset.
Definition: iobuf.c:48
tls_add_handshake
static int tls_add_handshake(struct tls_connection *tls, const void *data, size_t len)
Add handshake record to verification hash.
Definition: tls.c:785
digest_final
static void digest_final(struct digest_algorithm *digest, void *ctx, void *out)
Definition: crypto.h:208
type
uint32_t type
Operating system type.
Definition: ena.h:12
x509_append_raw
int x509_append_raw(struct x509_chain *chain, const void *data, size_t len)
Append X.509 certificate to X.509 certificate chain.
Definition: x509.c:1675
tls_generate_master_secret
static void tls_generate_master_secret(struct tls_connection *tls, const void *pre_master_secret, size_t pre_master_secret_len)
Generate master secret.
Definition: tls.c:631
LIST_HEAD
static LIST_HEAD(tls_sessions)
List of TLS session.
cipher_algorithm::alignsize
size_t alignsize
Alignment size.
Definition: crypto.h:71
ENOTSUP_VERSION
#define ENOTSUP_VERSION
Definition: tls.c:157
tls_plainstream_ops
static struct interface_operation tls_plainstream_ops[]
TLS plaintext stream interface operations.
Definition: tls.c:3024
pending_put
void pending_put(struct pending_operation *pending)
Mark an operation as no longer pending.
Definition: pending.c:58
TLS_CLIENT_HELLO
#define TLS_CLIENT_HELLO
Definition: tls.h:66
root_certificates
struct x509_root root_certificates
Root certificates.
Definition: rootcert.c:73
x509_certificate::signature_algorithm
struct asn1_algorithm * signature_algorithm
Signature algorithm.
Definition: x509.h:208
asn1_cursor::data
const void * data
Start of data.
Definition: asn1.h:22
DBGC
#define DBGC(...)
Definition: compiler.h:505
tls_connection::new_session_ticket_len
size_t new_session_ticket_len
Length of new session ticket.
Definition: tls.h:327
ENOMEM_RX_CONCAT
#define ENOMEM_RX_CONCAT
Definition: tls.c:141
process_descriptor
A process descriptor.
Definition: process.h:31
TLS_VERSION_TLS_1_2
#define TLS_VERSION_TLS_1_2
TLS version 1.2.
Definition: tls.h:47
TLS_CERTIFICATE
#define TLS_CERTIFICATE
Definition: tls.h:69
x509_append
int x509_append(struct x509_chain *chain, struct x509_certificate *cert)
Append X.509 certificate to X.509 certificate chain.
Definition: x509.c:1650
privkey_get
static struct private_key * privkey_get(struct private_key *key)
Get reference to private key.
Definition: privkey.h:30
tls_connection::server_random
uint8_t server_random[32]
Server random bytes.
Definition: tls.h:347
tls_connection::session_id
uint8_t session_id[32]
Session ID.
Definition: tls.h:321
FILE_LICENCE
FILE_LICENCE(GPL2_OR_LATER)
tls_connection::rx_header
struct tls_header rx_header
Current received record header.
Definition: tls.h:393
x509_alloc_chain
struct x509_chain * x509_alloc_chain(void)
Allocate X.509 certificate chain.
Definition: x509.c:1627
x509_root_put
static void x509_root_put(struct x509_root *root)
Drop reference to X.509 root certificate list.
Definition: x509.h:373
EINVAL_HELLO_DONE
#define EINVAL_HELLO_DONE
Definition: tls.c:77
tls_header::length
uint16_t length
Length of payload.
Definition: tls.h:40
tls_connection::root
struct x509_root * root
Root of trust.
Definition: tls.h:368
uint64_t
unsigned long long uint64_t
Definition: stdint.h:13
xfer_alloc_iob
struct io_buffer * xfer_alloc_iob(struct interface *intf, size_t len)
Allocate I/O buffer.
Definition: xfer.c:157
fixed
struct eltorito_descriptor_fixed fixed
Fixed portion.
Definition: eltorito.h:13
pubkey_null
struct pubkey_algorithm pubkey_null
Definition: crypto_null.c:135
EINVAL_HANDSHAKE
#define EINVAL_HANDSHAKE
Definition: tls.c:85
EPROTO_VERSION
#define EPROTO_VERSION
Definition: tls.c:185
EIO_ALERT
#define EIO_ALERT
Definition: tls.c:113
tls_pubkey_exchange_algorithm
struct tls_key_exchange_algorithm tls_pubkey_exchange_algorithm
Public key exchange algorithm.
Definition: tls.c:1370
tls_signature_hash_digest
static struct digest_algorithm * tls_signature_hash_digest(struct tls_signature_hash_id code)
Find TLS hash algorithm.
Definition: tls.c:1032
tls_validator_ops
static struct interface_operation tls_validator_ops[]
TLS certificate validator interface operations.
Definition: tls.c:3324
ENOMEM_CHAIN
#define ENOMEM_CHAIN
Definition: tls.c:125
va_copy
#define va_copy(dest, src)
Definition: stdarg.h:10
ntohs
#define ntohs(value)
Definition: byteswap.h:136
TLS_SERVER_HELLO_DONE
#define TLS_SERVER_HELLO_DONE
Definition: tls.h:72
PROC_DESC_ONCE
#define PROC_DESC_ONCE(object_type, process, _step)
Define a process descriptor for a process that runs only once.
Definition: process.h:97
tls_close
static void tls_close(struct tls_connection *tls, int rc)
Finish with TLS connection.
Definition: tls.c:410
TLS_CERTIFICATE_REQUEST
#define TLS_CERTIFICATE_REQUEST
Definition: tls.h:71
tls_auth_header
TLS authentication header.
Definition: tls.h:129
pad
u32 pad[9]
Padding.
Definition: ar9003_mac.h:90
mac
uint8_t mac[ETH_ALEN]
MAC address.
Definition: ena.h:24
md5_sha1_final
static void md5_sha1_final(void *ctx, void *out)
Generate MD5+SHA1 digest.
Definition: tls.c:310
ctx
struct golan_eq_context ctx
Definition: CIB_PRM.h:28
tls_cipherspec
A TLS cipher specification.
Definition: tls.h:206
iob_populate
static void iob_populate(struct io_buffer *iobuf, void *data, size_t len, size_t max_len)
Create a temporary I/O buffer.
Definition: iobuf.h:190
EINVAL_CERTIFICATE
#define EINVAL_CERTIFICATE
Definition: tls.c:69
free_tls_session
static void free_tls_session(struct refcnt *refcnt)
Free TLS session.
Definition: tls.c:348
tls_key_exchange_algorithm::name
const char * name
Algorithm name.
Definition: tls.h:163
tls_cipher_suite::pubkey
struct pubkey_algorithm * pubkey
Public-key encryption algorithm.
Definition: tls.h:178
md5_sha1_init
static void md5_sha1_init(void *ctx)
Initialise MD5+SHA1 algorithm.
Definition: tls.c:283
list_last_entry
#define list_last_entry(list, type, member)
Get the container of the last entry in a list.
Definition: list.h:346
process_del
void process_del(struct process *process)
Remove process from process list.
Definition: process.c:79
digest
struct md4_digest digest
Digest of data already processed.
Definition: md4.h:12
htonl
#define htonl(value)
Definition: byteswap.h:133
xfer_window
size_t xfer_window(struct interface *intf)
Check flow control window.
Definition: xfer.c:115
a
uint32_t a
Definition: md4.c:28
pubkey_algorithm::ctxsize
size_t ctxsize
Context size.
Definition: crypto.h:124
tls_hmac_final
static void tls_hmac_final(struct tls_cipherspec *cipherspec, void *ctx, void *hmac)
Finalise HMAC.
Definition: tls.c:2602
tls_cipherstream_desc
static struct interface_descriptor tls_cipherstream_desc
TLS ciphertext stream interface descriptor.
Definition: tls.c:3249
list_head
A doubly-linked list entry (or list head)
Definition: list.h:18
TLS_MAX_FRAGMENT_LENGTH
#define TLS_MAX_FRAGMENT_LENGTH
Definition: tls.h:113
tls_send_handshake
static int tls_send_handshake(struct tls_connection *tls, const void *data, size_t len)
Transmit Handshake record.
Definition: tls.c:1100
xfer.h
Data transfer interfaces.
asn1_cursor::len
size_t len
Length of data.
Definition: asn1.h:24
refcnt
A reference counter.
Definition: refcnt.h:26
validator
A certificate validator.
Definition: validator.c:65
privkey_cursor
static struct asn1_cursor * privkey_cursor(struct private_key *key)
Get private key ASN.1 cursor.
Definition: privkey.h:52
pending
uint32_t pending
Pending events.
Definition: hyperv.h:12
tls_validator_desc
static struct interface_descriptor tls_validator_desc
TLS certificate validator interface descriptor.
Definition: tls.c:3329
EINVAL_CHANGE_CIPHER
#define EINVAL_CHANGE_CIPHER
Definition: tls.c:57
privkey.h
Private key.
list_empty
#define list_empty(list)
Test whether a list is empty.
Definition: list.h:136
tls_hmac_list
static void tls_hmac_list(struct tls_cipherspec *cipherspec, struct tls_auth_header *authhdr, struct list_head *list, void *hmac)
Calculate HMAC over list of I/O buffers.
Definition: tls.c:2637
ENOMEM_CONTEXT
#define ENOMEM_CONTEXT
Definition: tls.c:117
asn1_algorithm::pubkey
struct pubkey_algorithm * pubkey
Public-key algorithm (if applicable)
Definition: asn1.h:312
cipher_encrypt
#define cipher_encrypt(cipher, ctx, src, dst, len)
Definition: crypto.h:228
list_first_entry
#define list_first_entry(list, type, member)
Get the container of the first entry in a list.
Definition: list.h:333
tls_connection::rx_state
enum tls_rx_state rx_state
RX state.
Definition: tls.h:391
cipher_algorithm::authsize
size_t authsize
Authentication tag size.
Definition: crypto.h:73
pubkey_max_len
static size_t pubkey_max_len(struct pubkey_algorithm *pubkey, void *ctx)
Definition: crypto.h:265
EINVAL_MAC
#define EINVAL_MAC
Definition: tls.c:101
list_del
#define list_del(list)
Delete an entry from a list.
Definition: list.h:119
io_buffer::tail
void * tail
End of data.
Definition: iobuf.h:50
tls_new_hello_request
static int tls_new_hello_request(struct tls_connection *tls, const void *data __unused, size_t len __unused)
Receive new Hello Request handshake record.
Definition: tls.c:1806
ENOMEM
#define ENOMEM
Not enough space.
Definition: errno.h:534
ENOTSUP_NULL
#define ENOTSUP_NULL
Definition: tls.c:149
iob_disown
#define iob_disown(iobuf)
Disown an I/O buffer.
Definition: iobuf.h:212
tls_connection::handshake_ctx
uint8_t * handshake_ctx
Digest algorithm context used for handshake verification.
Definition: tls.h:357
tls_connection::tx_cipherspec
struct tls_cipherspec tx_cipherspec
Current TX cipher specification.
Definition: tls.h:337
memcpy
void * memcpy(void *dest, const void *src, size_t len) __nonnull
pubkey_verify
static int pubkey_verify(struct pubkey_algorithm *pubkey, void *ctx, struct digest_algorithm *digest, const void *value, const void *signature, size_t signature_len)
Definition: crypto.h:286
certstore.h
Certificate store.
va_arg
#define va_arg(ap, type)
Definition: stdarg.h:8
tls_hmac_update_va
static void tls_hmac_update_va(struct digest_algorithm *digest, void *ctx, va_list args)
Update HMAC with a list of ( data, len ) pairs.
Definition: tls.c:471
tls_key_exchange_algorithm::exchange
int(* exchange)(struct tls_connection *tls)
Transmit Client Key Exchange record.
Definition: tls.h:170
version
u32 version
Driver version.
Definition: ath9k_hw.c:1983
REQUIRE_OBJECT
REQUIRE_OBJECT(config_crypto)
tls_newdata_process_data
static int tls_newdata_process_data(struct tls_connection *tls)
Handle received TLS data payload.
Definition: tls.c:3134
create_validator
int create_validator(struct interface *job, struct x509_chain *chain, struct x509_root *root)
Instantiate a certificate validator.
Definition: validator.c:630
TLS_TYPE_CHANGE_CIPHER
#define TLS_TYPE_CHANGE_CIPHER
Change cipher content type.
Definition: tls.h:53
ENOTSUP_CIPHER
#define ENOTSUP_CIPHER
Definition: tls.c:145
assert
assert((readw(&hdr->flags) &(GTF_reading|GTF_writing))==0)
container_of
#define container_of(ptr, type, field)
Get containing structure.
Definition: stddef.h:35
validator.h
Certificate validator.
tls_signature_hash_algorithm
static struct tls_signature_hash_algorithm * tls_signature_hash_algorithm(struct pubkey_algorithm *pubkey, struct digest_algorithm *digest)
Find TLS signature and hash algorithm.
Definition: tls.c:991
interface
An object interface.
Definition: interface.h:124
hmac.h
Keyed-Hashing for Message Authentication.
ENOMEM_RX_DATA
#define ENOMEM_RX_DATA
Definition: tls.c:137
session
struct ntlm_data session
Session key.
Definition: ntlm.h:24
TLS_RX_ALIGN
#define TLS_RX_ALIGN
RX I/O buffer alignment.
Definition: tls.h:419
tls_connection::new_session_ticket
void * new_session_ticket
New session ticket.
Definition: tls.h:325
tls_progress
static int tls_progress(struct tls_connection *tls, struct job_progress *progress)
Report job progress.
Definition: tls.c:3012
tls_send_change_cipher
static int tls_send_change_cipher(struct tls_connection *tls)
Transmit Change Cipher record.
Definition: tls.c:1684
tls_cipherspec::cipher_ctx
void * cipher_ctx
Bulk encryption cipher context.
Definition: tls.h:214
tls_tx_step
static void tls_tx_step(struct tls_connection *tls)
TLS TX state machine.
Definition: tls.c:3344
list_for_each_entry
#define list_for_each_entry(pos, head, member)
Iterate over entries in a list.
Definition: list.h:420
TLS_SESSION_TICKET
#define TLS_SESSION_TICKET
Definition: tls.h:123
DBGC_HDA
#define DBGC_HDA(...)
Definition: compiler.h:506
tls_new_session_ticket
static int tls_new_session_ticket(struct tls_connection *tls, const void *data, size_t len)
Receive New Session Ticket handshake record.
Definition: tls.c:2022
list_add_tail
#define list_add_tail(new, head)
Add a new entry to the tail of a list.
Definition: list.h:93
tls_cipherspec::suite
struct tls_cipher_suite * suite
Cipher suite.
Definition: tls.h:208
tls_connection::certs
struct x509_chain * certs
Client certificate chain (if used)
Definition: tls.h:361
tls_hmac_update
static void tls_hmac_update(struct tls_cipherspec *cipherspec, void *ctx, const void *data, size_t len)
Update HMAC.
Definition: tls.c:2588
EINVAL_FINISHED
#define EINVAL_FINISHED
Definition: tls.c:81
tls_cipher_suite::digest
struct digest_algorithm * digest
MAC digest algorithm.
Definition: tls.h:182
tls_prf
static void tls_prf(struct tls_connection *tls, const void *secret, size_t secret_len, void *out, size_t out_len,...)
Generate secure pseudo-random data.
Definition: tls.c:555
tls_connection::validation
struct pending_operation validation
Certificate validation pending operation.
Definition: tls.h:379
tls_connection::list
struct list_head list
List of connections within the same session.
Definition: tls.h:319
tls_client_random::gmt_unix_time
uint32_t gmt_unix_time
GMT Unix time.
Definition: tls.h:255
be16_to_cpu
#define be16_to_cpu(value)
Definition: byteswap.h:115
out
__be32 out[4]
Definition: CIB_PRM.h:36
link
u32 link
Link to next descriptor.
Definition: ar9003_mac.h:68
tls_cipher_suite::fixed_iv_len
uint8_t fixed_iv_len
Fixed initialisation vector length.
Definition: tls.h:190
tls_cipher_suite
A TLS cipher suite.
Definition: tls.h:174
strcpy
char * strcpy(char *dest, const char *src)
Copy string.
Definition: string.c:326
TLS_SERVER_NAME
#define TLS_SERVER_NAME
Definition: tls.h:109
tls_signature_hash_algorithm
A TLS signature algorithm.
Definition: tls.h:230
is_pending
static int is_pending(struct pending_operation *pending)
Check if an operation is pending.
Definition: pending.h:24
EPERM_VERIFY
#define EPERM_VERIFY
Definition: tls.c:165
x509_root_get
static struct x509_root * x509_root_get(struct x509_root *root)
Get reference to X.509 root certificate list.
Definition: x509.h:362
tls_connection::master_secret
uint8_t master_secret[48]
Master secret.
Definition: tls.h:345
tls_session::list
struct list_head list
List of sessions.
Definition: tls.h:287
tls_hmac_init
static void tls_hmac_init(struct tls_cipherspec *cipherspec, void *ctx, struct tls_auth_header *authhdr)
Initialise HMAC.
Definition: tls.c:2571
TLS_ALERT_WARNING
#define TLS_ALERT_WARNING
Definition: tls.h:78
ENOMEM_TX_CIPHERTEXT
#define ENOMEM_TX_CIPHERTEXT
Definition: tls.c:133
tls_send_client_key_exchange
static int tls_send_client_key_exchange(struct tls_connection *tls)
Transmit Client Key Exchange record.
Definition: tls.c:1580
EINVAL_RX_STATE
#define EINVAL_RX_STATE
Definition: tls.c:97
TLS_RX_BUFSIZE
#define TLS_RX_BUFSIZE
RX I/O buffer size.
Definition: tls.h:408
dest
static void * dest
Definition: strings.h:176
list_for_each_entry_safe
#define list_for_each_entry_safe(pos, tmp, head, member)
Iterate over entries in a list, safe against deletion of the current entry.
Definition: list.h:447
cpu_to_le32
#define cpu_to_le32(value)
Definition: byteswap.h:107
md5_sha1_algorithm
static struct digest_algorithm md5_sha1_algorithm
Hybrid MD5+SHA1 digest algorithm.
Definition: tls.c:319
rbg.h
RBG mechanism.
value
pseudo_bit_t value[0x00020]
Definition: arbel.h:13
x509_subject::public_key
struct x509_public_key public_key
Public key information.
Definition: x509.h:64
process_add
void process_add(struct process *process)
Add process to process list.
Definition: process.c:59
meta
int meta(WINDOW *, bool)
ENOTCONN
#define ENOTCONN
The socket is not connected.
Definition: errno.h:569
aes.h
AES algorithm.
digest_init
static void digest_init(struct digest_algorithm *digest, void *ctx)
Definition: crypto.h:198
iob_concatenate
struct io_buffer * iob_concatenate(struct list_head *list)
Concatenate I/O buffers into a single buffer.
Definition: iobuf.c:243
interface_descriptor
An object interface descriptor.
Definition: interface.h:55
TLS_NUM_SIG_HASH_ALGORITHMS
#define TLS_NUM_SIG_HASH_ALGORITHMS
Number of supported signature and hash algorithms.
Definition: tls.c:980
TLS_HELLO_REQUEST
#define TLS_HELLO_REQUEST
Definition: tls.h:65
tls_auth_header::header
struct tls_header header
TLS header.
Definition: tls.h:133
iob_unput
#define iob_unput(iobuf, len)
Definition: iobuf.h:135
x509_link
A link in an X.509 certificate chain.
Definition: x509.h:169
hmac_update
static void hmac_update(struct digest_algorithm *digest, void *ctx, const void *data, size_t len)
Update HMAC.
Definition: hmac.h:42
x509_last
static struct x509_certificate * x509_last(struct x509_chain *chain)
Get last certificate in X.509 certificate chain.
Definition: x509.h:294
tls_send_plaintext
static int tls_send_plaintext(struct tls_connection *tls, unsigned int type, const void *data, size_t len)
Send plaintext record.
Definition: tls.c:2661
hash
pseudo_bit_t hash[0x00010]
Hash algorithm.
Definition: arbel.h:13
tls_connection::client_random
struct tls_client_random client_random
Client random bytes.
Definition: tls.h:349
strerror
char * strerror(int errno)
Retrieve string representation of error number.
Definition: strerror.c:78
x509_certificate
An X.509 certificate.
Definition: x509.h:185
free
static void(* free)(struct refcnt *refcnt))
Definition: refcnt.h:54
tls_connection::cipherstream
struct interface cipherstream
Ciphertext stream.
Definition: tls.h:332
zalloc
void * zalloc(size_t size)
Allocate cleared memory.
Definition: malloc.c:624
DBGC2_HD
#define DBGC2_HD(...)
Definition: compiler.h:524
tls_new_finished
static int tls_new_finished(struct tls_connection *tls, const void *data, size_t len)
Receive new Finished handshake record.
Definition: tls.c:2321
tls_connection::server_key
void * server_key
Server Key Exchange record (if any)
Definition: tls.h:351
x509_certificate::subject
struct x509_subject subject
Subject.
Definition: x509.h:214
tls_signature_hash_id::hash
uint8_t hash
Hash algorithm.
Definition: tls.h:224
ref_get
#define ref_get(refcnt)
Get additional reference to object.
Definition: refcnt.h:92
digest_null
struct digest_algorithm digest_null
Definition: crypto_null.c:48
iob_len
static size_t iob_len(struct io_buffer *iobuf)
Calculate length of data in an I/O buffer.
Definition: iobuf.h:155
tls_cipherstream_ops
static struct interface_operation tls_cipherstream_ops[]
TLS ciphertext stream interface operations.
Definition: tls.c:3238
job_progress
Job progress.
Definition: job.h:15
tmp
uint8_t * tmp
Definition: entropy.h:156
INTF_OP
#define INTF_OP(op_type, object_type, op_func)
Define an object interface operation.
Definition: interface.h:32
tls_new_server_hello
static int tls_new_server_hello(struct tls_connection *tls, const void *data, size_t len)
Receive new Server Hello handshake record.
Definition: tls.c:1837
EINVAL_ALERT
#define EINVAL_ALERT
Definition: tls.c:61
DBGC_HD
#define DBGC_HD(...)
Definition: compiler.h:507
cipher_setiv
static void cipher_setiv(struct cipher_algorithm *cipher, void *ctx, const void *iv, size_t ivlen)
Definition: crypto.h:218
for_each_table_entry
#define for_each_table_entry(pointer, table)
Iterate through all entries within a linker table.
Definition: tables.h:385
tls_cipher_suite::mac_len
uint8_t mac_len
MAC length.
Definition: tls.h:194
random
long int random(void)
Generate a pseudo-random number between 0 and 2147483647L or 2147483562?
Definition: random.c:30
tls_cipherspec::pubkey_ctx
void * pubkey_ctx
Public key encryption context.
Definition: tls.h:212
iob_tailroom
static size_t iob_tailroom(struct io_buffer *iobuf)
Calculate available space at end of an I/O buffer.
Definition: iobuf.h:175
xfer_deliver
int xfer_deliver(struct interface *intf, struct io_buffer *iobuf, struct xfer_metadata *meta)
Deliver datagram.
Definition: xfer.c:193
strlen
size_t strlen(const char *src)
Get length of string.
Definition: string.c:243
rsa_digestinfo_prefix
An RSA digestInfo prefix.
Definition: rsa.h:42
uint8_t
unsigned char uint8_t
Definition: stdint.h:10
tls_signature_hash_id::signature
uint8_t signature
Signature algorithm.
Definition: tls.h:226
open.h
Data transfer interface opening.
TLS_ALERT_FATAL
#define TLS_ALERT_FATAL
Definition: tls.h:79
EPERM_RENEG_VERIFY
#define EPERM_RENEG_VERIFY
Definition: tls.c:177
TLS_SIG_HASH_ALGORITHMS
#define TLS_SIG_HASH_ALGORITHMS
TLS signature hash algorithm table.
Definition: tls.h:244
REQUIRING_SYMBOL
REQUIRING_SYMBOL(add_tls)
tls_connection::key
struct private_key * key
Private key.
Definition: tls.h:359
hello
uint16_t hello
Hello time.
Definition: stp.h:38
tls_change_cipher
static int tls_change_cipher(struct tls_connection *tls, struct tls_cipherspec *pending, struct tls_cipherspec *active)
Activate next cipher suite.
Definition: tls.c:957
process_init_stopped
static void process_init_stopped(struct process *process, struct process_descriptor *desc, struct refcnt *refcnt)
Initialise process without adding to process list.
Definition: process.h:145
x509.h
X.509 certificates.
lifetime
u32 lifetime
For Lifetime-type KDEs, the lifetime in seconds.
Definition: wpa.h:54
cipher_algorithm::ctxsize
size_t ctxsize
Context size.
Definition: crypto.h:53
cipher_decrypt
#define cipher_decrypt(cipher, ctx, src, dst, len)
Definition: crypto.h:238
last
uint32_t last
Length to read in last segment, or zero.
Definition: pccrc.h:30
uint32_t
unsigned int uint32_t
Definition: stdint.h:12
tls_connection::rx_cipherspec
struct tls_cipherspec rx_cipherspec
Current RX cipher specification.
Definition: tls.h:341
malloc
void * malloc(size_t size)
Allocate memory.
Definition: malloc.c:583
tls_plainstream_deliver
static int tls_plainstream_deliver(struct tls_connection *tls, struct io_buffer *iobuf, struct xfer_metadata *meta __unused)
Deliver datagram as raw data.
Definition: tls.c:2985
tls_new_certificate_request
static int tls_new_certificate_request(struct tls_connection *tls, const void *data __unused, size_t len __unused)
Receive new Certificate Request handshake record.
Definition: tls.c:2222
TLS_RX_MIN_BUFSIZE
#define TLS_RX_MIN_BUFSIZE
Minimum RX I/O buffer size.
Definition: tls.h:416
cipher_null
struct cipher_algorithm cipher_null
Definition: crypto_null.c:83
crypto.h
Cryptographic configuration.
job.h
Job control interfaces.
tls_signature_hash_algorithm::code
struct tls_signature_hash_id code
Numeric code.
Definition: tls.h:236
TLS_NEW_SESSION_TICKET
#define TLS_NEW_SESSION_TICKET
Definition: tls.h:68
ext
uint16_t ext
Extended status.
Definition: ena.h:20
tls_connection::tx_cipherspec_pending
struct tls_cipherspec tx_cipherspec_pending
Next TX cipher specification.
Definition: tls.h:339
TLS_VERSION_MAX
#define TLS_VERSION_MAX
Maximum supported TLS version.
Definition: tls.h:50
TLS_SERVER_NAME_HOST_NAME
#define TLS_SERVER_NAME_HOST_NAME
Definition: tls.h:110
tls_verify_data::client
uint8_t client[12]
Client verification data.
Definition: tls.h:139
md5_sha1_digest
An MD5+SHA1 digest.
Definition: tls.h:272
tls_connection::server_negotiation
struct pending_operation server_negotiation
Server security negotiation pending operation.
Definition: tls.h:377
x509_root
An X.509 root certificate list.
Definition: x509.h:344
tls_header
A TLS header.
Definition: tls.h:28
__unused
#define __unused
Declare a variable or data structure as unused.
Definition: compiler.h:573
time.h
Date and time.
pending.h
Pending operations.
pad_len
long pad_len
Definition: bigint.h:30
TLS_TYPE_HANDSHAKE
#define TLS_TYPE_HANDSHAKE
Handshake content type.
Definition: tls.h:59
tls_connection::rx_data
struct list_head rx_data
List of received data buffers.
Definition: tls.h:397
tls_connection::tx_pending
unsigned int tx_pending
TX pending transmissions.
Definition: tls.h:384
rsa.h
RSA public-key cryptography.
tls24_t
A TLS 24-bit integer.
Definition: tls.c:211
tls_plainstream_desc
static struct interface_descriptor tls_plainstream_desc
TLS plaintext stream interface descriptor.
Definition: tls.c:3034
iob_reserve
#define iob_reserve(iobuf, len)
Definition: iobuf.h:67
tls_generate_keys
static int tls_generate_keys(struct tls_connection *tls)
Generate key material.
Definition: tls.c:659
intf_insert
void intf_insert(struct interface *intf, struct interface *upper, struct interface *lower)
Insert a filter interface.
Definition: interface.c:400
INIT_LIST_HEAD
#define INIT_LIST_HEAD(list)
Initialise a list head.
Definition: list.h:45
INTF_DESC
#define INTF_DESC(object_type, intf, operations)
Define an object interface descriptor.
Definition: interface.h:80
x509_name
const char * x509_name(struct x509_certificate *cert)
Get X.509 certificate display name.
Definition: x509.c:145
tls_version
static int tls_version(struct tls_connection *tls, unsigned int version)
Check for TLS version.
Definition: tls.c:266
tls_send_certificate_verify
static int tls_send_certificate_verify(struct tls_connection *tls)
Transmit Certificate Verify record.
Definition: tls.c:1594
EPERM_RENEG_INSECURE
#define EPERM_RENEG_INSECURE
Definition: tls.c:173
tls_connection::handshake_digest
struct digest_algorithm * handshake_digest
Digest algorithm used for handshake verification.
Definition: tls.h:355
tls_client_random::random
uint8_t random[28]
Random data.
Definition: tls.h:257
tls_client_hello
static int tls_client_hello(struct tls_connection *tls, int(*action)(struct tls_connection *tls, const void *data, size_t len))
Digest or transmit Client Hello record.
Definition: tls.c:1117
ENOMEM_TX_PLAINTEXT
#define ENOMEM_TX_PLAINTEXT
Definition: tls.c:129
tls_hmac
static void tls_hmac(struct tls_cipherspec *cipherspec, struct tls_auth_header *authhdr, const void *data, size_t len, void *hmac)
Calculate HMAC.
Definition: tls.c:2618
io_buffer::list
struct list_head list
List of which this buffer is a member.
Definition: iobuf.h:40
EINVAL_IV
#define EINVAL_IV
Definition: tls.c:89
code
uint8_t code
Response code.
Definition: scsi.h:16
len
uint32_t len
Length.
Definition: ena.h:14
tls_parse_chain
static int tls_parse_chain(struct tls_connection *tls, const void *data, size_t len)
Parse certificate chain.
Definition: tls.c:2073
tls_connection::validator
struct interface validator
Certificate validator.
Definition: tls.h:372
tls_session
A TLS session.
Definition: tls.h:283
unused
uint8_t unused[32]
Unused.
Definition: eltorito.h:15
x509_auto_append
int x509_auto_append(struct x509_chain *chain, struct x509_chain *certs)
Append X.509 certificates to X.509 certificate chain.
Definition: x509.c:1734
TLS_SERVER_KEY_EXCHANGE
#define TLS_SERVER_KEY_EXCHANGE
Definition: tls.h:70
tls_process_desc
static struct process_descriptor tls_process_desc
TLS TX process descriptor.
Definition: tls.c:3454
DBGC2
#define DBGC2(...)
Definition: compiler.h:522
va_list
__builtin_va_list va_list
Definition: stdarg.h:6
strcmp
int strcmp(const char *first, const char *second)
Compare strings.
Definition: string.c:173
sha1.h
SHA-1 algorithm.
digest_algorithm::name
const char * name
Algorithm name.
Definition: crypto.h:19
md5_sha1_context::sha1
uint8_t sha1[SHA1_CTX_SIZE]
SHA-1 context.
Definition: tls.h:265
iv
uint8_t iv[12]
Initialisation vector.
Definition: gcm.h:12
x509_put
static void x509_put(struct x509_certificate *cert)
Drop reference to X.509 certificate.
Definition: x509.h:247
tls_cipher_suite::handshake
struct digest_algorithm * handshake
Handshake digest algorithm (for TLSv1.2 and above)
Definition: tls.h:184
io_buffer::data
void * data
Start of data.
Definition: iobuf.h:48
alert
static void alert(const char *fmt,...)
Print alert message.
Definition: settings_ui.c:324
x509_first
static struct x509_certificate * x509_first(struct x509_chain *chain)
Get first certificate in X.509 certificate chain.
Definition: x509.h:280
pubkey_sign
static int pubkey_sign(struct pubkey_algorithm *pubkey, void *ctx, struct digest_algorithm *digest, const void *value, void *signature)
Definition: crypto.h:280
tls24_t::low
uint16_t low
Low word.
Definition: tls.c:215
dhe.h
Ephemeral Diffie-Hellman key exchange.
tls_connection::rx_cipherspec_pending
struct tls_cipherspec rx_cipherspec_pending
Next RX cipher specification.
Definition: tls.h:343
job_progress
int job_progress(struct interface *intf, struct job_progress *progress)
Get job progress.
Definition: job.c:43
ENOMEM_CERTIFICATE
#define ENOMEM_CERTIFICATE
Definition: tls.c:121
tls_header::version
uint16_t version
Protocol version.
Definition: tls.h:38
EPERM_ALERT
#define EPERM_ALERT
Definition: tls.c:161
digest_algorithm
A message digest algorithm.
Definition: crypto.h:17
tls_connection::version
uint16_t version
Protocol version.
Definition: tls.h:335
cpu_to_be64
#define cpu_to_be64(value)
Definition: byteswap.h:111
data
uint8_t data[48]
Additional event data.
Definition: ena.h:22
tls_clear_handshake
static void tls_clear_handshake(struct tls_connection *tls)
Clear handshake digest algorithm.
Definition: tls.c:744
cipher_algorithm
A cipher algorithm.
Definition: crypto.h:49
private_key
A private key.
Definition: privkey.h:16
tls_verify_data::server
uint8_t server[12]
Server verification data.
Definition: tls.h:141
tls_key_exchange_algorithm
A TLS key exchange algorithm.
Definition: tls.h:161
rsa_digestinfo_prefix::digest
struct digest_algorithm * digest
Digest algorithm.
Definition: rsa.h:44
rootcert.h
Root certificate store.
tls_connection
A TLS connection.
Definition: tls.h:312
hmac_final
void hmac_final(struct digest_algorithm *digest, void *ctx, void *hmac)
Finalise HMAC.
Definition: hmac.c:87
tls_clear_cipher
static void tls_clear_cipher(struct tls_connection *tls, struct tls_cipherspec *cipherspec)
pubkey_encrypt
static int pubkey_encrypt(struct pubkey_algorithm *pubkey, void *ctx, const void *data, size_t len, void *out)
Definition: crypto.h:270
pubkey_final
static void pubkey_final(struct pubkey_algorithm *pubkey, void *ctx)
Definition: crypto.h:293
cipher_auth
static void cipher_auth(struct cipher_algorithm *cipher, void *ctx, void *auth)
Definition: crypto.h:243
md5_sha1_context::md5
uint8_t md5[MD5_CTX_SIZE]
MD5 context.
Definition: tls.h:263
EINVAL_TICKET
#define EINVAL_TICKET
Definition: tls.c:105
INTF_DESC_PASSTHRU
#define INTF_DESC_PASSTHRU(object_type, intf, operations, passthru)
Define an object interface descriptor with pass-through interface.
Definition: interface.h:97
tls_set_uint24
static void tls_set_uint24(tls24_t *field24, unsigned long value)
Set 24-bit field value.
Definition: tls.c:237
tls_new_record
static int tls_new_record(struct tls_connection *tls, unsigned int type, struct list_head *rx_data)
Receive new record.
Definition: tls.c:2495
tls_cipher_suite::cipher
struct cipher_algorithm * cipher
Bulk encryption cipher algorithm.
Definition: tls.h:180
tls_session::conn
struct list_head conn
List of connections.
Definition: tls.h:308
tls_cipherstream_window
static size_t tls_cipherstream_window(struct tls_connection *tls)
Check flow control window.
Definition: tls.c:3170
tls_connection::secure_renegotiation
int secure_renegotiation
Secure renegotiation flag.
Definition: tls.h:363
tls_send_finished
static int tls_send_finished(struct tls_connection *tls)
Transmit Finished record.
Definition: tls.c:1696
typeof
typeof(acpi_finder=acpi_find)
ACPI table finder.
Definition: acpi.c:45
EINVAL_KEY_EXCHANGE
#define EINVAL_KEY_EXCHANGE
Definition: tls.c:109
tls_new_certificate
static int tls_new_certificate(struct tls_connection *tls, const void *data, size_t len)
Receive new Certificate handshake record.
Definition: tls.c:2151
tls_signature_hash_algorithm::pubkey
struct pubkey_algorithm * pubkey
Public-key algorithm.
Definition: tls.h:234
tls_p_hash_va
static void tls_p_hash_va(struct tls_connection *tls, struct digest_algorithm *digest, const void *secret, size_t secret_len, void *out, size_t out_len, va_list seeds)
Generate secure pseudo-random data using a single hash function.
Definition: tls.c:493
tls_session
static int tls_session(struct tls_connection *tls, const char *name)
Find or create session for TLS connection.
Definition: tls.c:3471
tls_cipherspec::dynamic
void * dynamic
Dynamically-allocated storage.
Definition: tls.h:210
tls24_t::high
uint8_t high
High byte.
Definition: tls.c:213
tls_send_client_hello
static int tls_send_client_hello(struct tls_connection *tls)
Transmit Client Hello record.
Definition: tls.c:1237
va_start
#define va_start(ap, last)
Definition: stdarg.h:7
tls_generate_random
static int tls_generate_random(struct tls_connection *tls, void *data, size_t len)
Generate random data.
Definition: tls.c:448
__rsa_digestinfo_prefix
struct rsa_digestinfo_prefix rsa_md5_sha1_prefix __rsa_digestinfo_prefix
RSA digestInfo prefix for MD5+SHA1 algorithm.
Definition: tls.c:330
EINVAL_CERTIFICATES
#define EINVAL_CERTIFICATES
Definition: tls.c:73
x509_certificate::raw
struct asn1_cursor raw
Raw certificate.
Definition: x509.h:200
TLS_MAX_FRAGMENT_LENGTH_4096
#define TLS_MAX_FRAGMENT_LENGTH_4096
Definition: tls.h:117
tls_new_handshake
static int tls_new_handshake(struct tls_connection *tls, const void *data, size_t len)
Receive new Handshake record.
Definition: tls.c:2399
tls_ready
static int tls_ready(struct tls_connection *tls)
Determine if TLS connection is ready for application data.
Definition: tls.c:249
tls_session::name
const char * name
Server name.
Definition: tls.h:290
tls_signature_hash_id
A TLS signature and hash algorithm identifier.
Definition: tls.h:222
intf_init
static void intf_init(struct interface *intf, struct interface_descriptor *desc, struct refcnt *refcnt)
Initialise an object interface.
Definition: interface.h:190
cipher_algorithm::name
const char * name
Algorithm name.
Definition: crypto.h:51
TLS_CERTIFICATE_VERIFY
#define TLS_CERTIFICATE_VERIFY
Definition: tls.h:73
TLS_TYPE_DATA
#define TLS_TYPE_DATA
Application data content type.
Definition: tls.h:62
ENOTSUP_SIG_HASH
#define ENOTSUP_SIG_HASH
Definition: tls.c:153
tls_connection::session_id_len
size_t session_id_len
Length of session ID.
Definition: tls.h:323
TLS_TYPE_ALERT
#define TLS_TYPE_ALERT
Alert content type.
Definition: tls.h:56
tls_verify_padding
static int tls_verify_padding(struct tls_connection *tls, struct io_buffer *iobuf)
Verify block padding.
Definition: tls.c:2787
tls_connection::plainstream
struct interface plainstream
Plaintext stream.
Definition: tls.h:330
TLS_VERSION_MIN
#define TLS_VERSION_MIN
Minimum TLS version.
Definition: crypto.h:13
tls_dhe_exchange_algorithm
struct tls_key_exchange_algorithm tls_dhe_exchange_algorithm
Ephemeral Diffie-Hellman key exchange algorithm.
Definition: tls.c:1569
time
uint64_t time
Current time.
Definition: ntlm.h:20
signature
u8 signature
Signature.
Definition: CIB_PRM.h:35
md5.h
MD5 algorithm.
memcmp
int memcmp(const void *first, const void *second, size_t len)
Compare memory regions.
Definition: string.c:114
sha256.h
SHA-256 algorithm.
tls_set_cipher
static int tls_set_cipher(struct tls_connection *tls, struct tls_cipherspec *cipherspec, struct tls_cipher_suite *suite)
Set cipher suite.
Definition: tls.c:871
NULL
#define NULL
NULL pointer (VOID *)
Definition: Base.h:362
tls_select_handshake
static int tls_select_handshake(struct tls_connection *tls, struct digest_algorithm *digest)
Select handshake digest algorithm.
Definition: tls.c:761
tls_new_change_cipher
static int tls_new_change_cipher(struct tls_connection *tls, const void *data, size_t len)
Receive new Change Cipher record.
Definition: tls.c:1738
string.h
String functions.
tls_prf_label
#define tls_prf_label(tls, secret, secret_len, out, out_len, label,...)
Generate secure pseudo-random data.
Definition: tls.c:611
asn1_cursor
An ASN.1 object cursor.
Definition: asn1.h:20
TLS_CIPHER_SUITES
#define TLS_CIPHER_SUITES
TLS cipher suite table.
Definition: tls.h:198
pubkey_algorithm
A public key algorithm.
Definition: crypto.h:120
htons
#define htons(value)
Definition: byteswap.h:135
TLS_CLIENT_KEY_EXCHANGE
#define TLS_CLIENT_KEY_EXCHANGE
Definition: tls.h:74
pending_get
void pending_get(struct pending_operation *pending)
Mark an operation as pending.
Definition: pending.c:45
done
struct bofm_section_header done
Definition: bofm_test.c:46
tls_cipherspec::fixed_iv
void * fixed_iv
Fixed initialisation vector.
Definition: tls.h:218
TLS_SERVER_HELLO
#define TLS_SERVER_HELLO
Definition: tls.h:67
first
uint32_t first
Length to skip in first segment.
Definition: pccrc.h:23
key
union @382 key
Sense key.
Definition: scsi.h:18
tls_new_server_hello_done
static int tls_new_server_hello_done(struct tls_connection *tls, const void *data, size_t len)
Receive new Server Hello Done handshake record.
Definition: tls.c:2286
TLS_FINISHED
#define TLS_FINISHED
Definition: tls.h:75
add_tls
int add_tls(struct interface *xfer, const char *name, struct x509_root *root, struct private_key *key)
Add TLS on an interface.
Definition: tls.c:3531
md5_sha1_update
static void md5_sha1_update(void *ctx, const void *data, size_t len)
Accumulate data with MD5+SHA1 algorithm.
Definition: tls.c:297
TLS_SIGNATURE_ALGORITHMS
#define TLS_SIGNATURE_ALGORITHMS
Definition: tls.h:120
tls_new_server_key_exchange
static int tls_new_server_key_exchange(struct tls_connection *tls, const void *data, size_t len)
Receive new Server Key Exchange handshake record.
Definition: tls.c:2191
pubkey_algorithm::name
const char * name
Algorithm name.
Definition: crypto.h:122
md5_algorithm
struct digest_algorithm md5_algorithm
MD5 algorithm.
Definition: md5.c:286
cipher_setkey
static int cipher_setkey(struct cipher_algorithm *cipher, void *ctx, const void *key, size_t keylen)
Definition: crypto.h:213
tls_plainstream_window
static size_t tls_plainstream_window(struct tls_connection *tls)
Check flow control window.
Definition: tls.c:2968
ref_put
#define ref_put(refcnt)
Drop reference to object.
Definition: refcnt.h:106
tls_send_client_key_exchange_dhe
static int tls_send_client_key_exchange_dhe(struct tls_connection *tls)
Transmit Client Key Exchange record using DHE key exchange.
Definition: tls.c:1381
tls_cipher_suite::code
uint16_t code
Numeric code (in network-endian order)
Definition: tls.h:186
sha1_algorithm
struct digest_algorithm sha1_algorithm
SHA-1 algorithm.
Definition: sha1.c:257
pubkey_init
static int pubkey_init(struct pubkey_algorithm *pubkey, void *ctx, const void *key, size_t key_len)
Definition: crypto.h:260
tls_cipherspec::mac_secret
void * mac_secret
MAC secret.
Definition: tls.h:216
tls_connection::tx_seq
uint64_t tx_seq
TX sequence number.
Definition: tls.h:382
is_block_cipher
static int is_block_cipher(struct cipher_algorithm *cipher)
Definition: crypto.h:252
tls_new_alert
static int tls_new_alert(struct tls_connection *tls, const void *data, size_t len)
Receive new Alert record.
Definition: tls.c:1767
memset
void * memset(void *dest, int character, size_t len) __nonnull
tls_connection::server_key_len
size_t server_key_len
Server Key Exchange record length.
Definition: tls.h:353
io_buffer
A persistent I/O buffer.
Definition: iobuf.h:33
tls_cipher_suite::key_len
uint8_t key_len
Key length.
Definition: tls.h:188
Generated by   doxygen 1.8.15