iPXE
tls.c
Go to the documentation of this file.
1 /*
2  * Copyright (C) 2007 Michael Brown <mbrown@fensystems.co.uk>.
3  *
4  * This program is free software; you can redistribute it and/or
5  * modify it under the terms of the GNU General Public License as
6  * published by the Free Software Foundation; either version 2 of the
7  * License, or any later version.
8  *
9  * This program is distributed in the hope that it will be useful, but
10  * WITHOUT ANY WARRANTY; without even the implied warranty of
11  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12  * General Public License for more details.
13  *
14  * You should have received a copy of the GNU General Public License
15  * along with this program; if not, write to the Free Software
16  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
17  * 02110-1301, USA.
18  */
19 
20 FILE_LICENCE ( GPL2_OR_LATER );
21 
22 /**
23  * @file
24  *
25  * Transport Layer Security Protocol
26  */
27 
28 #include <stdint.h>
29 #include <stdlib.h>
30 #include <stdarg.h>
31 #include <string.h>
32 #include <time.h>
33 #include <errno.h>
34 #include <byteswap.h>
35 #include <ipxe/pending.h>
36 #include <ipxe/hmac.h>
37 #include <ipxe/md5.h>
38 #include <ipxe/sha1.h>
39 #include <ipxe/sha256.h>
40 #include <ipxe/aes.h>
41 #include <ipxe/rsa.h>
42 #include <ipxe/iobuf.h>
43 #include <ipxe/xfer.h>
44 #include <ipxe/open.h>
45 #include <ipxe/x509.h>
46 #include <ipxe/privkey.h>
47 #include <ipxe/certstore.h>
48 #include <ipxe/rootcert.h>
49 #include <ipxe/rbg.h>
50 #include <ipxe/validator.h>
51 #include <ipxe/job.h>
52 #include <ipxe/dhe.h>
53 #include <ipxe/tls.h>
54 #include <config/crypto.h>
55 
56 /* Disambiguate the various error causes */
57 #define EINVAL_CHANGE_CIPHER __einfo_error ( EINFO_EINVAL_CHANGE_CIPHER )
58 #define EINFO_EINVAL_CHANGE_CIPHER \
59  __einfo_uniqify ( EINFO_EINVAL, 0x01, \
60  "Invalid Change Cipher record" )
61 #define EINVAL_ALERT __einfo_error ( EINFO_EINVAL_ALERT )
62 #define EINFO_EINVAL_ALERT \
63  __einfo_uniqify ( EINFO_EINVAL, 0x02, \
64  "Invalid Alert record" )
65 #define EINVAL_HELLO __einfo_error ( EINFO_EINVAL_HELLO )
66 #define EINFO_EINVAL_HELLO \
67  __einfo_uniqify ( EINFO_EINVAL, 0x03, \
68  "Invalid Server Hello record" )
69 #define EINVAL_CERTIFICATE __einfo_error ( EINFO_EINVAL_CERTIFICATE )
70 #define EINFO_EINVAL_CERTIFICATE \
71  __einfo_uniqify ( EINFO_EINVAL, 0x04, \
72  "Invalid Certificate" )
73 #define EINVAL_CERTIFICATES __einfo_error ( EINFO_EINVAL_CERTIFICATES )
74 #define EINFO_EINVAL_CERTIFICATES \
75  __einfo_uniqify ( EINFO_EINVAL, 0x05, \
76  "Invalid Server Certificate record" )
77 #define EINVAL_HELLO_DONE __einfo_error ( EINFO_EINVAL_HELLO_DONE )
78 #define EINFO_EINVAL_HELLO_DONE \
79  __einfo_uniqify ( EINFO_EINVAL, 0x06, \
80  "Invalid Server Hello Done record" )
81 #define EINVAL_FINISHED __einfo_error ( EINFO_EINVAL_FINISHED )
82 #define EINFO_EINVAL_FINISHED \
83  __einfo_uniqify ( EINFO_EINVAL, 0x07, \
84  "Invalid Server Finished record" )
85 #define EINVAL_HANDSHAKE __einfo_error ( EINFO_EINVAL_HANDSHAKE )
86 #define EINFO_EINVAL_HANDSHAKE \
87  __einfo_uniqify ( EINFO_EINVAL, 0x08, \
88  "Invalid Handshake record" )
89 #define EINVAL_IV __einfo_error ( EINFO_EINVAL_IV )
90 #define EINFO_EINVAL_IV \
91  __einfo_uniqify ( EINFO_EINVAL, 0x0a, \
92  "Invalid initialisation vector" )
93 #define EINVAL_PADDING __einfo_error ( EINFO_EINVAL_PADDING )
94 #define EINFO_EINVAL_PADDING \
95  __einfo_uniqify ( EINFO_EINVAL, 0x0b, \
96  "Invalid block padding" )
97 #define EINVAL_RX_STATE __einfo_error ( EINFO_EINVAL_RX_STATE )
98 #define EINFO_EINVAL_RX_STATE \
99  __einfo_uniqify ( EINFO_EINVAL, 0x0c, \
100  "Invalid receive state" )
101 #define EINVAL_MAC __einfo_error ( EINFO_EINVAL_MAC )
102 #define EINFO_EINVAL_MAC \
103  __einfo_uniqify ( EINFO_EINVAL, 0x0d, \
104  "Invalid MAC or authentication tag" )
105 #define EINVAL_TICKET __einfo_error ( EINFO_EINVAL_TICKET )
106 #define EINFO_EINVAL_TICKET \
107  __einfo_uniqify ( EINFO_EINVAL, 0x0e, \
108  "Invalid New Session Ticket record")
109 #define EINVAL_KEY_EXCHANGE __einfo_error ( EINFO_EINVAL_KEY_EXCHANGE )
110 #define EINFO_EINVAL_KEY_EXCHANGE \
111  __einfo_uniqify ( EINFO_EINVAL, 0x0f, \
112  "Invalid Server Key Exchange record" )
113 #define EIO_ALERT __einfo_error ( EINFO_EIO_ALERT )
114 #define EINFO_EIO_ALERT \
115  __einfo_uniqify ( EINFO_EIO, 0x01, \
116  "Unknown alert level" )
117 #define ENOMEM_CONTEXT __einfo_error ( EINFO_ENOMEM_CONTEXT )
118 #define EINFO_ENOMEM_CONTEXT \
119  __einfo_uniqify ( EINFO_ENOMEM, 0x01, \
120  "Not enough space for crypto context" )
121 #define ENOMEM_CERTIFICATE __einfo_error ( EINFO_ENOMEM_CERTIFICATE )
122 #define EINFO_ENOMEM_CERTIFICATE \
123  __einfo_uniqify ( EINFO_ENOMEM, 0x02, \
124  "Not enough space for certificate" )
125 #define ENOMEM_CHAIN __einfo_error ( EINFO_ENOMEM_CHAIN )
126 #define EINFO_ENOMEM_CHAIN \
127  __einfo_uniqify ( EINFO_ENOMEM, 0x03, \
128  "Not enough space for certificate chain" )
129 #define ENOMEM_TX_PLAINTEXT __einfo_error ( EINFO_ENOMEM_TX_PLAINTEXT )
130 #define EINFO_ENOMEM_TX_PLAINTEXT \
131  __einfo_uniqify ( EINFO_ENOMEM, 0x04, \
132  "Not enough space for transmitted plaintext" )
133 #define ENOMEM_TX_CIPHERTEXT __einfo_error ( EINFO_ENOMEM_TX_CIPHERTEXT )
134 #define EINFO_ENOMEM_TX_CIPHERTEXT \
135  __einfo_uniqify ( EINFO_ENOMEM, 0x05, \
136  "Not enough space for transmitted ciphertext" )
137 #define ENOMEM_RX_DATA __einfo_error ( EINFO_ENOMEM_RX_DATA )
138 #define EINFO_ENOMEM_RX_DATA \
139  __einfo_uniqify ( EINFO_ENOMEM, 0x07, \
140  "Not enough space for received data" )
141 #define ENOMEM_RX_CONCAT __einfo_error ( EINFO_ENOMEM_RX_CONCAT )
142 #define EINFO_ENOMEM_RX_CONCAT \
143  __einfo_uniqify ( EINFO_ENOMEM, 0x08, \
144  "Not enough space to concatenate received data" )
145 #define ENOTSUP_CIPHER __einfo_error ( EINFO_ENOTSUP_CIPHER )
146 #define EINFO_ENOTSUP_CIPHER \
147  __einfo_uniqify ( EINFO_ENOTSUP, 0x01, \
148  "Unsupported cipher" )
149 #define ENOTSUP_NULL __einfo_error ( EINFO_ENOTSUP_NULL )
150 #define EINFO_ENOTSUP_NULL \
151  __einfo_uniqify ( EINFO_ENOTSUP, 0x02, \
152  "Refusing to use null cipher" )
153 #define ENOTSUP_SIG_HASH __einfo_error ( EINFO_ENOTSUP_SIG_HASH )
154 #define EINFO_ENOTSUP_SIG_HASH \
155  __einfo_uniqify ( EINFO_ENOTSUP, 0x03, \
156  "Unsupported signature and hash algorithm" )
157 #define ENOTSUP_VERSION __einfo_error ( EINFO_ENOTSUP_VERSION )
158 #define EINFO_ENOTSUP_VERSION \
159  __einfo_uniqify ( EINFO_ENOTSUP, 0x04, \
160  "Unsupported protocol version" )
161 #define ENOTSUP_CURVE __einfo_error ( EINFO_ENOTSUP_CURVE )
162 #define EINFO_ENOTSUP_CURVE \
163  __einfo_uniqify ( EINFO_ENOTSUP, 0x05, \
164  "Unsupported elliptic curve" )
165 #define EPERM_ALERT __einfo_error ( EINFO_EPERM_ALERT )
166 #define EINFO_EPERM_ALERT \
167  __einfo_uniqify ( EINFO_EPERM, 0x01, \
168  "Received fatal alert" )
169 #define EPERM_VERIFY __einfo_error ( EINFO_EPERM_VERIFY )
170 #define EINFO_EPERM_VERIFY \
171  __einfo_uniqify ( EINFO_EPERM, 0x02, \
172  "Handshake verification failed" )
173 #define EPERM_CLIENT_CERT __einfo_error ( EINFO_EPERM_CLIENT_CERT )
174 #define EINFO_EPERM_CLIENT_CERT \
175  __einfo_uniqify ( EINFO_EPERM, 0x03, \
176  "No suitable client certificate available" )
177 #define EPERM_RENEG_INSECURE __einfo_error ( EINFO_EPERM_RENEG_INSECURE )
178 #define EINFO_EPERM_RENEG_INSECURE \
179  __einfo_uniqify ( EINFO_EPERM, 0x04, \
180  "Secure renegotiation not supported" )
181 #define EPERM_RENEG_VERIFY __einfo_error ( EINFO_EPERM_RENEG_VERIFY )
182 #define EINFO_EPERM_RENEG_VERIFY \
183  __einfo_uniqify ( EINFO_EPERM, 0x05, \
184  "Secure renegotiation verification failed" )
185 #define EPERM_KEY_EXCHANGE __einfo_error ( EINFO_EPERM_KEY_EXCHANGE )
186 #define EINFO_EPERM_KEY_EXCHANGE \
187  __einfo_uniqify ( EINFO_EPERM, 0x06, \
188  "ServerKeyExchange verification failed" )
189 #define EPROTO_VERSION __einfo_error ( EINFO_EPROTO_VERSION )
190 #define EINFO_EPROTO_VERSION \
191  __einfo_uniqify ( EINFO_EPROTO, 0x01, \
192  "Illegal protocol version upgrade" )
193 
194 /** List of TLS session */
195 static LIST_HEAD ( tls_sessions );
196 
197 static void tls_tx_resume_all ( struct tls_session *session );
198 static int tls_send_plaintext ( struct tls_connection *tls, unsigned int type,
199  const void *data, size_t len );
200 static void tls_clear_cipher ( struct tls_connection *tls,
201  struct tls_cipherspec *cipherspec );
202 
203 /******************************************************************************
204  *
205  * Utility functions
206  *
207  ******************************************************************************
208  */
209 
210 /** A TLS 24-bit integer
211  *
212  * TLS uses 24-bit integers in several places, which are awkward to
213  * parse in C.
214  */
215 typedef struct {
216  /** High byte */
218  /** Low word */
220 } __attribute__ (( packed )) tls24_t;
221 
222 /**
223  * Extract 24-bit field value
224  *
225  * @v field24 24-bit field
226  * @ret value Field value
227  *
228  */
229 static inline __attribute__ (( always_inline )) unsigned long
230 tls_uint24 ( const tls24_t *field24 ) {
231 
232  return ( ( field24->high << 16 ) | be16_to_cpu ( field24->low ) );
233 }
234 
235 /**
236  * Set 24-bit field value
237  *
238  * @v field24 24-bit field
239  * @v value Field value
240  */
241 static void tls_set_uint24 ( tls24_t *field24, unsigned long value ) {
242 
243  field24->high = ( value >> 16 );
244  field24->low = cpu_to_be16 ( value );
245 }
246 
247 /**
248  * Determine if TLS connection is ready for application data
249  *
250  * @v tls TLS connection
251  * @ret is_ready TLS connection is ready
252  */
253 static int tls_ready ( struct tls_connection *tls ) {
254  return ( ( ! is_pending ( &tls->client_negotiation ) ) &&
255  ( ! is_pending ( &tls->server_negotiation ) ) );
256 }
257 
258 /**
259  * Check for TLS version
260  *
261  * @v tls TLS connection
262  * @v version TLS version
263  * @ret at_least TLS connection is using at least the specified version
264  *
265  * Check that TLS connection uses at least the specified protocol
266  * version. Optimise down to a compile-time constant true result if
267  * this is already guaranteed by the minimum supported version check.
268  */
269 static inline __attribute__ (( always_inline )) int
270 tls_version ( struct tls_connection *tls, unsigned int version ) {
271  return ( ( TLS_VERSION_MIN >= version ) ||
272  ( tls->version >= version ) );
273 }
274 
275 /******************************************************************************
276  *
277  * Hybrid MD5+SHA1 hash as used by TLSv1.1 and earlier
278  *
279  ******************************************************************************
280  */
281 
282 /**
283  * Initialise MD5+SHA1 algorithm
284  *
285  * @v ctx MD5+SHA1 context
286  */
287 static void md5_sha1_init ( void *ctx ) {
288  struct md5_sha1_context *context = ctx;
289 
290  digest_init ( &md5_algorithm, context->md5 );
291  digest_init ( &sha1_algorithm, context->sha1 );
292 }
293 
294 /**
295  * Accumulate data with MD5+SHA1 algorithm
296  *
297  * @v ctx MD5+SHA1 context
298  * @v data Data
299  * @v len Length of data
300  */
301 static void md5_sha1_update ( void *ctx, const void *data, size_t len ) {
302  struct md5_sha1_context *context = ctx;
303 
304  digest_update ( &md5_algorithm, context->md5, data, len );
305  digest_update ( &sha1_algorithm, context->sha1, data, len );
306 }
307 
308 /**
309  * Generate MD5+SHA1 digest
310  *
311  * @v ctx MD5+SHA1 context
312  * @v out Output buffer
313  */
314 static void md5_sha1_final ( void *ctx, void *out ) {
315  struct md5_sha1_context *context = ctx;
316  struct md5_sha1_digest *digest = out;
317 
318  digest_final ( &md5_algorithm, context->md5, digest->md5 );
319  digest_final ( &sha1_algorithm, context->sha1, digest->sha1 );
320 }
321 
322 /** Hybrid MD5+SHA1 digest algorithm */
324  .name = "md5+sha1",
325  .ctxsize = sizeof ( struct md5_sha1_context ),
326  .blocksize = 0, /* Not applicable */
327  .digestsize = sizeof ( struct md5_sha1_digest ),
328  .init = md5_sha1_init,
329  .update = md5_sha1_update,
330  .final = md5_sha1_final,
331 };
332 
333 /** RSA digestInfo prefix for MD5+SHA1 algorithm */
334 struct rsa_digestinfo_prefix rsa_md5_sha1_prefix __rsa_digestinfo_prefix = {
336  .data = NULL, /* MD5+SHA1 signatures have no digestInfo */
337  .len = 0,
338 };
339 
340 /******************************************************************************
341  *
342  * Cleanup functions
343  *
344  ******************************************************************************
345  */
346 
347 /**
348  * Free TLS session
349  *
350  * @v refcnt Reference counter
351  */
352 static void free_tls_session ( struct refcnt *refcnt ) {
353  struct tls_session *session =
354  container_of ( refcnt, struct tls_session, refcnt );
355 
356  /* Sanity check */
357  assert ( list_empty ( &session->conn ) );
358 
359  /* Remove from list of sessions */
360  list_del ( &session->list );
361 
362  /* Free dynamically-allocated resources */
363  x509_root_put ( session->root );
364  privkey_put ( session->key );
365  free ( session->ticket );
366 
367  /* Free session */
368  free ( session );
369 }
370 
371 /**
372  * Free TLS connection
373  *
374  * @v refcnt Reference counter
375  */
376 static void free_tls ( struct refcnt *refcnt ) {
377  struct tls_connection *tls =
379  struct tls_session *session = tls->session;
380  struct io_buffer *iobuf;
381  struct io_buffer *tmp;
382 
383  /* Free dynamically-allocated resources */
384  free ( tls->new_session_ticket );
385  tls_clear_cipher ( tls, &tls->tx_cipherspec );
387  tls_clear_cipher ( tls, &tls->rx_cipherspec );
389  free ( tls->server_key );
390  free ( tls->handshake_ctx );
391  list_for_each_entry_safe ( iobuf, tmp, &tls->rx_data, list ) {
392  list_del ( &iobuf->list );
393  free_iob ( iobuf );
394  }
395  free_iob ( tls->rx_handshake );
396  x509_chain_put ( tls->certs );
397  x509_chain_put ( tls->chain );
398  x509_root_put ( tls->root );
399  privkey_put ( tls->key );
400 
401  /* Drop reference to session */
402  assert ( list_empty ( &tls->list ) );
403  ref_put ( &session->refcnt );
404 
405  /* Free TLS structure itself */
406  free ( tls );
407 }
408 
409 /**
410  * Finish with TLS connection
411  *
412  * @v tls TLS connection
413  * @v rc Status code
414  */
415 static void tls_close ( struct tls_connection *tls, int rc ) {
416 
417  /* Remove pending operations, if applicable */
420  pending_put ( &tls->validation );
421 
422  /* Remove process */
423  process_del ( &tls->process );
424 
425  /* Close all interfaces */
426  intf_shutdown ( &tls->cipherstream, rc );
427  intf_shutdown ( &tls->plainstream, rc );
428  intf_shutdown ( &tls->validator, rc );
429 
430  /* Remove from session */
431  list_del ( &tls->list );
432  INIT_LIST_HEAD ( &tls->list );
433 
434  /* Resume all other connections, in case we were the lead connection */
435  tls_tx_resume_all ( tls->session );
436 }
437 
438 /******************************************************************************
439  *
440  * Random number generation
441  *
442  ******************************************************************************
443  */
444 
445 /**
446  * Generate random data
447  *
448  * @v tls TLS connection
449  * @v data Buffer to fill
450  * @v len Length of buffer
451  * @ret rc Return status code
452  */
453 static int tls_generate_random ( struct tls_connection *tls,
454  void *data, size_t len ) {
455  int rc;
456 
457  /* Generate random bits with no additional input and without
458  * prediction resistance
459  */
460  if ( ( rc = rbg_generate ( NULL, 0, 0, data, len ) ) != 0 ) {
461  DBGC ( tls, "TLS %p could not generate random data: %s\n",
462  tls, strerror ( rc ) );
463  return rc;
464  }
465 
466  return 0;
467 }
468 
469 /**
470  * Update HMAC with a list of ( data, len ) pairs
471  *
472  * @v digest Hash function to use
473  * @v ctx HMAC context
474  * @v args ( data, len ) pairs of data, terminated by NULL
475  */
477  void *ctx, va_list args ) {
478  void *data;
479  size_t len;
480 
481  while ( ( data = va_arg ( args, void * ) ) ) {
482  len = va_arg ( args, size_t );
483  hmac_update ( digest, ctx, data, len );
484  }
485 }
486 
487 /**
488  * Generate secure pseudo-random data using a single hash function
489  *
490  * @v tls TLS connection
491  * @v digest Hash function to use
492  * @v secret Secret
493  * @v secret_len Length of secret
494  * @v out Output buffer
495  * @v out_len Length of output buffer
496  * @v seeds ( data, len ) pairs of seed data, terminated by NULL
497  */
498 static void tls_p_hash_va ( struct tls_connection *tls,
499  struct digest_algorithm *digest,
500  const void *secret, size_t secret_len,
501  void *out, size_t out_len,
502  va_list seeds ) {
503  uint8_t ctx[ hmac_ctxsize ( digest ) ];
504  uint8_t ctx_partial[ sizeof ( ctx ) ];
506  uint8_t out_tmp[digest->digestsize];
507  size_t frag_len = digest->digestsize;
508  va_list tmp;
509 
510  DBGC2 ( tls, "TLS %p %s secret:\n", tls, digest->name );
511  DBGC2_HD ( tls, secret, secret_len );
512 
513  /* Calculate A(1) */
514  hmac_init ( digest, ctx, secret, secret_len );
515  va_copy ( tmp, seeds );
517  va_end ( tmp );
518  hmac_final ( digest, ctx, a );
519  DBGC2 ( tls, "TLS %p %s A(1):\n", tls, digest->name );
520  DBGC2_HD ( tls, &a, sizeof ( a ) );
521 
522  /* Generate as much data as required */
523  while ( out_len ) {
524  /* Calculate output portion */
525  hmac_init ( digest, ctx, secret, secret_len );
526  hmac_update ( digest, ctx, a, sizeof ( a ) );
527  memcpy ( ctx_partial, ctx, sizeof ( ctx_partial ) );
528  va_copy ( tmp, seeds );
530  va_end ( tmp );
531  hmac_final ( digest, ctx, out_tmp );
532 
533  /* Copy output */
534  if ( frag_len > out_len )
535  frag_len = out_len;
536  memcpy ( out, out_tmp, frag_len );
537  DBGC2 ( tls, "TLS %p %s output:\n", tls, digest->name );
538  DBGC2_HD ( tls, out, frag_len );
539 
540  /* Calculate A(i) */
541  hmac_final ( digest, ctx_partial, a );
542  DBGC2 ( tls, "TLS %p %s A(n):\n", tls, digest->name );
543  DBGC2_HD ( tls, &a, sizeof ( a ) );
544 
545  out += frag_len;
546  out_len -= frag_len;
547  }
548 }
549 
550 /**
551  * Generate secure pseudo-random data
552  *
553  * @v tls TLS connection
554  * @v secret Secret
555  * @v secret_len Length of secret
556  * @v out Output buffer
557  * @v out_len Length of output buffer
558  * @v ... ( data, len ) pairs of seed data, terminated by NULL
559  */
560 static void tls_prf ( struct tls_connection *tls, const void *secret,
561  size_t secret_len, void *out, size_t out_len, ... ) {
562  va_list seeds;
563  va_list tmp;
564  size_t subsecret_len;
565  const void *md5_secret;
566  const void *sha1_secret;
567  uint8_t buf[out_len];
568  unsigned int i;
569 
570  va_start ( seeds, out_len );
571 
572  if ( tls_version ( tls, TLS_VERSION_TLS_1_2 ) ) {
573  /* Use handshake digest PRF for TLSv1.2 and later */
574  tls_p_hash_va ( tls, tls->handshake_digest, secret, secret_len,
575  out, out_len, seeds );
576  } else {
577  /* Use combination of P_MD5 and P_SHA-1 for TLSv1.1
578  * and earlier
579  */
580 
581  /* Split secret into two, with an overlap of up to one byte */
582  subsecret_len = ( ( secret_len + 1 ) / 2 );
583  md5_secret = secret;
584  sha1_secret = ( secret + secret_len - subsecret_len );
585 
586  /* Calculate MD5 portion */
587  va_copy ( tmp, seeds );
588  tls_p_hash_va ( tls, &md5_algorithm, md5_secret,
589  subsecret_len, out, out_len, seeds );
590  va_end ( tmp );
591 
592  /* Calculate SHA1 portion */
593  va_copy ( tmp, seeds );
594  tls_p_hash_va ( tls, &sha1_algorithm, sha1_secret,
595  subsecret_len, buf, out_len, seeds );
596  va_end ( tmp );
597 
598  /* XOR the two portions together into the final output buffer */
599  for ( i = 0 ; i < out_len ; i++ )
600  *( ( uint8_t * ) out + i ) ^= buf[i];
601  }
602 
603  va_end ( seeds );
604 }
605 
606 /**
607  * Generate secure pseudo-random data
608  *
609  * @v secret Secret
610  * @v secret_len Length of secret
611  * @v out Output buffer
612  * @v out_len Length of output buffer
613  * @v label String literal label
614  * @v ... ( data, len ) pairs of seed data
615  */
616 #define tls_prf_label( tls, secret, secret_len, out, out_len, label, ... ) \
617  tls_prf ( (tls), (secret), (secret_len), (out), (out_len), \
618  label, ( sizeof ( label ) - 1 ), __VA_ARGS__, NULL )
619 
620 /******************************************************************************
621  *
622  * Secret management
623  *
624  ******************************************************************************
625  */
626 
627 /**
628  * Generate master secret
629  *
630  * @v tls TLS connection
631  * @v pre_master_secret Pre-master secret
632  * @v pre_master_secret_len Length of pre-master secret
633  *
634  * The client and server random values must already be known.
635  */
636 static void tls_generate_master_secret ( struct tls_connection *tls,
637  const void *pre_master_secret,
638  size_t pre_master_secret_len ) {
639 
640  DBGC ( tls, "TLS %p pre-master-secret:\n", tls );
641  DBGC_HD ( tls, pre_master_secret, pre_master_secret_len );
642  DBGC ( tls, "TLS %p client random bytes:\n", tls );
643  DBGC_HD ( tls, &tls->client_random, sizeof ( tls->client_random ) );
644  DBGC ( tls, "TLS %p server random bytes:\n", tls );
645  DBGC_HD ( tls, &tls->server_random, sizeof ( tls->server_random ) );
646 
647  tls_prf_label ( tls, pre_master_secret, pre_master_secret_len,
648  &tls->master_secret, sizeof ( tls->master_secret ),
649  "master secret",
650  &tls->client_random, sizeof ( tls->client_random ),
651  &tls->server_random, sizeof ( tls->server_random ) );
652 
653  DBGC ( tls, "TLS %p generated master secret:\n", tls );
654  DBGC_HD ( tls, &tls->master_secret, sizeof ( tls->master_secret ) );
655 }
656 
657 /**
658  * Generate key material
659  *
660  * @v tls TLS connection
661  *
662  * The master secret must already be known.
663  */
664 static int tls_generate_keys ( struct tls_connection *tls ) {
665  struct tls_cipherspec *tx_cipherspec = &tls->tx_cipherspec_pending;
666  struct tls_cipherspec *rx_cipherspec = &tls->rx_cipherspec_pending;
667  size_t hash_size = tx_cipherspec->suite->mac_len;
668  size_t key_size = tx_cipherspec->suite->key_len;
669  size_t iv_size = tx_cipherspec->suite->fixed_iv_len;
670  size_t total = ( 2 * ( hash_size + key_size + iv_size ) );
671  uint8_t key_block[total];
672  uint8_t *key;
673  int rc;
674 
675  /* Generate key block */
676  tls_prf_label ( tls, &tls->master_secret, sizeof ( tls->master_secret ),
677  key_block, sizeof ( key_block ), "key expansion",
678  &tls->server_random, sizeof ( tls->server_random ),
679  &tls->client_random, sizeof ( tls->client_random ) );
680 
681  /* Split key block into portions */
682  key = key_block;
683 
684  /* TX MAC secret */
685  memcpy ( tx_cipherspec->mac_secret, key, hash_size );
686  DBGC ( tls, "TLS %p TX MAC secret:\n", tls );
687  DBGC_HD ( tls, key, hash_size );
688  key += hash_size;
689 
690  /* RX MAC secret */
691  memcpy ( rx_cipherspec->mac_secret, key, hash_size );
692  DBGC ( tls, "TLS %p RX MAC secret:\n", tls );
693  DBGC_HD ( tls, key, hash_size );
694  key += hash_size;
695 
696  /* TX key */
697  if ( ( rc = cipher_setkey ( tx_cipherspec->suite->cipher,
698  tx_cipherspec->cipher_ctx,
699  key, key_size ) ) != 0 ) {
700  DBGC ( tls, "TLS %p could not set TX key: %s\n",
701  tls, strerror ( rc ) );
702  return rc;
703  }
704  DBGC ( tls, "TLS %p TX key:\n", tls );
705  DBGC_HD ( tls, key, key_size );
706  key += key_size;
707 
708  /* RX key */
709  if ( ( rc = cipher_setkey ( rx_cipherspec->suite->cipher,
710  rx_cipherspec->cipher_ctx,
711  key, key_size ) ) != 0 ) {
712  DBGC ( tls, "TLS %p could not set TX key: %s\n",
713  tls, strerror ( rc ) );
714  return rc;
715  }
716  DBGC ( tls, "TLS %p RX key:\n", tls );
717  DBGC_HD ( tls, key, key_size );
718  key += key_size;
719 
720  /* TX initialisation vector */
721  memcpy ( tx_cipherspec->fixed_iv, key, iv_size );
722  DBGC ( tls, "TLS %p TX IV:\n", tls );
723  DBGC_HD ( tls, key, iv_size );
724  key += iv_size;
725 
726  /* RX initialisation vector */
727  memcpy ( rx_cipherspec->fixed_iv, key, iv_size );
728  DBGC ( tls, "TLS %p RX IV:\n", tls );
729  DBGC_HD ( tls, key, iv_size );
730  key += iv_size;
731 
732  assert ( ( key_block + total ) == key );
733 
734  return 0;
735 }
736 
737 /******************************************************************************
738  *
739  * Handshake verification
740  *
741  ******************************************************************************
742  */
743 
744 /**
745  * Clear handshake digest algorithm
746  *
747  * @v tls TLS connection
748  */
749 static void tls_clear_handshake ( struct tls_connection *tls ) {
750 
751  /* Select null digest algorithm */
753 
754  /* Free any existing context */
755  free ( tls->handshake_ctx );
756  tls->handshake_ctx = NULL;
757 }
758 
759 /**
760  * Select handshake digest algorithm
761  *
762  * @v tls TLS connection
763  * @v digest Handshake digest algorithm
764  * @ret rc Return status code
765  */
766 static int tls_select_handshake ( struct tls_connection *tls,
767  struct digest_algorithm *digest ) {
768 
769  /* Clear existing handshake digest */
770  tls_clear_handshake ( tls );
771 
772  /* Allocate and initialise context */
773  tls->handshake_ctx = malloc ( digest->ctxsize );
774  if ( ! tls->handshake_ctx )
775  return -ENOMEM;
776  tls->handshake_digest = digest;
777  digest_init ( digest, tls->handshake_ctx );
778 
779  return 0;
780 }
781 
782 /**
783  * Add handshake record to verification hash
784  *
785  * @v tls TLS connection
786  * @v data Handshake record
787  * @v len Length of handshake record
788  * @ret rc Return status code
789  */
790 static int tls_add_handshake ( struct tls_connection *tls,
791  const void *data, size_t len ) {
793 
794  digest_update ( digest, tls->handshake_ctx, data, len );
795  return 0;
796 }
797 
798 /**
799  * Calculate handshake verification hash
800  *
801  * @v tls TLS connection
802  * @v out Output buffer
803  *
804  * Calculates the digest over all handshake messages seen so far.
805  */
806 static void tls_verify_handshake ( struct tls_connection *tls, void *out ) {
809 
810  memcpy ( ctx, tls->handshake_ctx, sizeof ( ctx ) );
811  digest_final ( digest, ctx, out );
812 }
813 
814 /******************************************************************************
815  *
816  * Cipher suite management
817  *
818  ******************************************************************************
819  */
820 
821 /** Null cipher suite */
824  .pubkey = &pubkey_null,
825  .cipher = &cipher_null,
826  .digest = &digest_null,
827 };
828 
829 /** Number of supported cipher suites */
830 #define TLS_NUM_CIPHER_SUITES table_num_entries ( TLS_CIPHER_SUITES )
831 
832 /**
833  * Identify cipher suite
834  *
835  * @v cipher_suite Cipher suite specification
836  * @ret suite Cipher suite, or NULL
837  */
838 static struct tls_cipher_suite *
839 tls_find_cipher_suite ( unsigned int cipher_suite ) {
840  struct tls_cipher_suite *suite;
841 
842  /* Identify cipher suite */
844  if ( suite->code == cipher_suite )
845  return suite;
846  }
847 
848  return NULL;
849 }
850 
851 /**
852  * Clear cipher suite
853  *
854  * @v cipherspec TLS cipher specification
855  */
856 static void tls_clear_cipher ( struct tls_connection *tls __unused,
857  struct tls_cipherspec *cipherspec ) {
858 
859  if ( cipherspec->suite ) {
860  pubkey_final ( cipherspec->suite->pubkey,
861  cipherspec->pubkey_ctx );
862  }
863  free ( cipherspec->dynamic );
864  memset ( cipherspec, 0, sizeof ( *cipherspec ) );
865  cipherspec->suite = &tls_cipher_suite_null;
866 }
867 
868 /**
869  * Set cipher suite
870  *
871  * @v tls TLS connection
872  * @v cipherspec TLS cipher specification
873  * @v suite Cipher suite
874  * @ret rc Return status code
875  */
876 static int tls_set_cipher ( struct tls_connection *tls,
877  struct tls_cipherspec *cipherspec,
878  struct tls_cipher_suite *suite ) {
879  struct pubkey_algorithm *pubkey = suite->pubkey;
880  struct cipher_algorithm *cipher = suite->cipher;
881  size_t total;
882  void *dynamic;
883 
884  /* Clear out old cipher contents, if any */
885  tls_clear_cipher ( tls, cipherspec );
886 
887  /* Allocate dynamic storage */
888  total = ( pubkey->ctxsize + cipher->ctxsize + suite->mac_len +
889  suite->fixed_iv_len );
890  dynamic = zalloc ( total );
891  if ( ! dynamic ) {
892  DBGC ( tls, "TLS %p could not allocate %zd bytes for crypto "
893  "context\n", tls, total );
894  return -ENOMEM_CONTEXT;
895  }
896 
897  /* Assign storage */
898  cipherspec->dynamic = dynamic;
899  cipherspec->pubkey_ctx = dynamic; dynamic += pubkey->ctxsize;
900  cipherspec->cipher_ctx = dynamic; dynamic += cipher->ctxsize;
901  cipherspec->mac_secret = dynamic; dynamic += suite->mac_len;
902  cipherspec->fixed_iv = dynamic; dynamic += suite->fixed_iv_len;
903  assert ( ( cipherspec->dynamic + total ) == dynamic );
904 
905  /* Store parameters */
906  cipherspec->suite = suite;
907 
908  return 0;
909 }
910 
911 /**
912  * Select next cipher suite
913  *
914  * @v tls TLS connection
915  * @v cipher_suite Cipher suite specification
916  * @ret rc Return status code
917  */
918 static int tls_select_cipher ( struct tls_connection *tls,
919  unsigned int cipher_suite ) {
920  struct tls_cipher_suite *suite;
921  struct digest_algorithm *digest;
922  int rc;
923 
924  /* Identify cipher suite */
925  suite = tls_find_cipher_suite ( cipher_suite );
926  if ( ! suite ) {
927  DBGC ( tls, "TLS %p does not support cipher %04x\n",
928  tls, ntohs ( cipher_suite ) );
929  return -ENOTSUP_CIPHER;
930  }
931 
932  /* Set handshake digest algorithm */
933  digest = ( tls_version ( tls, TLS_VERSION_TLS_1_2 ) ?
934  suite->handshake : &md5_sha1_algorithm );
935  if ( ( rc = tls_select_handshake ( tls, digest ) ) != 0 )
936  return rc;
937 
938  /* Set ciphers */
939  if ( ( rc = tls_set_cipher ( tls, &tls->tx_cipherspec_pending,
940  suite ) ) != 0 )
941  return rc;
942  if ( ( rc = tls_set_cipher ( tls, &tls->rx_cipherspec_pending,
943  suite ) ) != 0 )
944  return rc;
945 
946  DBGC ( tls, "TLS %p selected %s-%s-%s-%d-%s\n", tls,
947  suite->exchange->name, suite->pubkey->name,
948  suite->cipher->name, ( suite->key_len * 8 ),
949  suite->digest->name );
950 
951  return 0;
952 }
953 
954 /**
955  * Activate next cipher suite
956  *
957  * @v tls TLS connection
958  * @v pending Pending cipher specification
959  * @v active Active cipher specification to replace
960  * @ret rc Return status code
961  */
962 static int tls_change_cipher ( struct tls_connection *tls,
963  struct tls_cipherspec *pending,
964  struct tls_cipherspec *active ) {
965 
966  /* Sanity check */
967  if ( pending->suite == &tls_cipher_suite_null ) {
968  DBGC ( tls, "TLS %p refusing to use null cipher\n", tls );
969  return -ENOTSUP_NULL;
970  }
971 
972  tls_clear_cipher ( tls, active );
973  memswap ( active, pending, sizeof ( *active ) );
974  return 0;
975 }
976 
977 /******************************************************************************
978  *
979  * Signature and hash algorithms
980  *
981  ******************************************************************************
982  */
983 
984 /** Number of supported signature and hash algorithms */
985 #define TLS_NUM_SIG_HASH_ALGORITHMS \
986  table_num_entries ( TLS_SIG_HASH_ALGORITHMS )
987 
988 /**
989  * Find TLS signature and hash algorithm
990  *
991  * @v pubkey Public-key algorithm
992  * @v digest Digest algorithm
993  * @ret sig_hash Signature and hash algorithm, or NULL
994  */
995 static struct tls_signature_hash_algorithm *
997  struct digest_algorithm *digest ) {
998  struct tls_signature_hash_algorithm *sig_hash;
999 
1000  /* Identify signature and hash algorithm */
1002  if ( ( sig_hash->pubkey == pubkey ) &&
1003  ( sig_hash->digest == digest ) ) {
1004  return sig_hash;
1005  }
1006  }
1007 
1008  return NULL;
1009 }
1010 
1011 /**
1012  * Find TLS signature algorithm
1013  *
1014  * @v code Signature and hash algorithm identifier
1015  * @ret pubkey Public key algorithm, or NULL
1016  */
1017 static struct pubkey_algorithm *
1019  struct tls_signature_hash_algorithm *sig_hash;
1020 
1021  /* Identify signature and hash algorithm */
1023  if ( sig_hash->code.signature == code.signature )
1024  return sig_hash->pubkey;
1025  }
1026 
1027  return NULL;
1028 }
1029 
1030 /**
1031  * Find TLS hash algorithm
1032  *
1033  * @v code Signature and hash algorithm identifier
1034  * @ret digest Digest algorithm, or NULL
1035  */
1036 static struct digest_algorithm *
1038  struct tls_signature_hash_algorithm *sig_hash;
1039 
1040  /* Identify signature and hash algorithm */
1042  if ( sig_hash->code.hash == code.hash )
1043  return sig_hash->digest;
1044  }
1045 
1046  return NULL;
1047 }
1048 
1049 /******************************************************************************
1050  *
1051  * Ephemeral Elliptic Curve Diffie-Hellman key exchange
1052  *
1053  ******************************************************************************
1054  */
1055 
1056 /** Number of supported named curves */
1057 #define TLS_NUM_NAMED_CURVES table_num_entries ( TLS_NAMED_CURVES )
1058 
1059 /**
1060  * Identify named curve
1061  *
1062  * @v named_curve Named curve specification
1063  * @ret curve Named curve, or NULL
1064  */
1065 static struct tls_named_curve *
1066 tls_find_named_curve ( unsigned int named_curve ) {
1067  struct tls_named_curve *curve;
1068 
1069  /* Identify named curve */
1071  if ( curve->code == named_curve )
1072  return curve;
1073  }
1074 
1075  return NULL;
1076 }
1077 
1078 /******************************************************************************
1079  *
1080  * Record handling
1081  *
1082  ******************************************************************************
1083  */
1084 
1085 /**
1086  * Resume TX state machine
1087  *
1088  * @v tls TLS connection
1089  */
1090 static void tls_tx_resume ( struct tls_connection *tls ) {
1091  process_add ( &tls->process );
1092 }
1093 
1094 /**
1095  * Resume TX state machine for all connections within a session
1096  *
1097  * @v session TLS session
1098  */
1099 static void tls_tx_resume_all ( struct tls_session *session ) {
1100  struct tls_connection *tls;
1101 
1102  list_for_each_entry ( tls, &session->conn, list )
1103  tls_tx_resume ( tls );
1104 }
1105 
1106 /**
1107  * Restart negotiation
1108  *
1109  * @v tls TLS connection
1110  */
1111 static void tls_restart ( struct tls_connection *tls ) {
1112 
1113  /* Sanity check */
1114  assert ( ! tls->tx_pending );
1115  assert ( ! is_pending ( &tls->client_negotiation ) );
1116  assert ( ! is_pending ( &tls->server_negotiation ) );
1117  assert ( ! is_pending ( &tls->validation ) );
1118 
1119  /* (Re)start negotiation */
1121  tls_tx_resume ( tls );
1122  pending_get ( &tls->client_negotiation );
1123  pending_get ( &tls->server_negotiation );
1124 }
1125 
1126 /**
1127  * Transmit Handshake record
1128  *
1129  * @v tls TLS connection
1130  * @v data Plaintext record
1131  * @v len Length of plaintext record
1132  * @ret rc Return status code
1133  */
1134 static int tls_send_handshake ( struct tls_connection *tls,
1135  const void *data, size_t len ) {
1136 
1137  /* Add to handshake digest */
1138  tls_add_handshake ( tls, data, len );
1139 
1140  /* Send record */
1141  return tls_send_plaintext ( tls, TLS_TYPE_HANDSHAKE, data, len );
1142 }
1143 
1144 /**
1145  * Digest or transmit Client Hello record
1146  *
1147  * @v tls TLS connection
1148  * @v action Action to take on Client Hello record
1149  * @ret rc Return status code
1150  */
1151 static int tls_client_hello ( struct tls_connection *tls,
1152  int ( * action ) ( struct tls_connection *tls,
1153  const void *data,
1154  size_t len ) ) {
1155  struct tls_session *session = tls->session;
1156  size_t name_len = strlen ( session->name );
1157  struct {
1158  uint16_t type;
1159  uint16_t len;
1160  struct {
1161  uint16_t len;
1162  struct {
1163  uint8_t type;
1164  uint16_t len;
1165  uint8_t name[name_len];
1166  } __attribute__ (( packed )) list[1];
1167  } __attribute__ (( packed )) data;
1168  } __attribute__ (( packed )) *server_name_ext;
1169  struct {
1170  uint16_t type;
1171  uint16_t len;
1172  struct {
1173  uint8_t max;
1174  } __attribute__ (( packed )) data;
1175  } __attribute__ (( packed )) *max_fragment_length_ext;
1176  struct {
1177  uint16_t type;
1178  uint16_t len;
1179  struct {
1180  uint16_t len;
1181  struct tls_signature_hash_id
1183  } __attribute__ (( packed )) data;
1184  } __attribute__ (( packed )) *signature_algorithms_ext;
1185  struct {
1186  uint16_t type;
1187  uint16_t len;
1188  struct {
1189  uint8_t len;
1191  sizeof ( tls->verify.client ) :0 ];
1192  } __attribute__ (( packed )) data;
1193  } __attribute__ (( packed )) *renegotiation_info_ext;
1194  struct {
1195  uint16_t type;
1196  uint16_t len;
1197  struct {
1198  uint8_t data[session->ticket_len];
1199  } __attribute__ (( packed )) data;
1200  } __attribute__ (( packed )) *session_ticket_ext;
1201  struct {
1202  uint16_t type;
1203  uint16_t len;
1204  struct {
1205  uint16_t len;
1207  } __attribute__ (( packed )) data;
1208  } __attribute__ (( packed )) *named_curve_ext;
1209  struct {
1210  typeof ( *server_name_ext ) server_name;
1211  typeof ( *max_fragment_length_ext ) max_fragment_length;
1212  typeof ( *signature_algorithms_ext ) signature_algorithms;
1213  typeof ( *renegotiation_info_ext ) renegotiation_info;
1214  typeof ( *session_ticket_ext ) session_ticket;
1215  typeof ( *named_curve_ext )
1216  named_curve[TLS_NUM_NAMED_CURVES ? 1 : 0];
1217  } __attribute__ (( packed )) *extensions;
1218  struct {
1219  uint32_t type_length;
1220  uint16_t version;
1221  uint8_t random[32];
1222  uint8_t session_id_len;
1223  uint8_t session_id[tls->session_id_len];
1224  uint16_t cipher_suite_len;
1225  uint16_t cipher_suites[TLS_NUM_CIPHER_SUITES];
1226  uint8_t compression_methods_len;
1227  uint8_t compression_methods[1];
1228  uint16_t extensions_len;
1229  typeof ( *extensions ) extensions;
1230  } __attribute__ (( packed )) hello;
1231  struct tls_cipher_suite *suite;
1232  struct tls_signature_hash_algorithm *sighash;
1233  struct tls_named_curve *curve;
1234  unsigned int i;
1235 
1236  /* Construct record */
1237  memset ( &hello, 0, sizeof ( hello ) );
1238  hello.type_length = ( cpu_to_le32 ( TLS_CLIENT_HELLO ) |
1239  htonl ( sizeof ( hello ) -
1240  sizeof ( hello.type_length ) ) );
1241  hello.version = htons ( TLS_VERSION_MAX );
1242  memcpy ( &hello.random, &tls->client_random, sizeof ( hello.random ) );
1243  hello.session_id_len = tls->session_id_len;
1244  memcpy ( hello.session_id, tls->session_id,
1245  sizeof ( hello.session_id ) );
1246  hello.cipher_suite_len = htons ( sizeof ( hello.cipher_suites ) );
1247  i = 0 ; for_each_table_entry ( suite, TLS_CIPHER_SUITES )
1248  hello.cipher_suites[i++] = suite->code;
1249  hello.compression_methods_len = sizeof ( hello.compression_methods );
1250  hello.extensions_len = htons ( sizeof ( hello.extensions ) );
1251  extensions = &hello.extensions;
1252 
1253  /* Construct server name extension */
1254  server_name_ext = &extensions->server_name;
1255  server_name_ext->type = htons ( TLS_SERVER_NAME );
1256  server_name_ext->len = htons ( sizeof ( server_name_ext->data ) );
1257  server_name_ext->data.len
1258  = htons ( sizeof ( server_name_ext->data.list ) );
1259  server_name_ext->data.list[0].type = TLS_SERVER_NAME_HOST_NAME;
1260  server_name_ext->data.list[0].len
1261  = htons ( sizeof ( server_name_ext->data.list[0].name ) );
1262  memcpy ( server_name_ext->data.list[0].name, session->name,
1263  sizeof ( server_name_ext->data.list[0].name ) );
1264 
1265  /* Construct maximum fragment length extension */
1266  max_fragment_length_ext = &extensions->max_fragment_length;
1267  max_fragment_length_ext->type = htons ( TLS_MAX_FRAGMENT_LENGTH );
1268  max_fragment_length_ext->len
1269  = htons ( sizeof ( max_fragment_length_ext->data ) );
1270  max_fragment_length_ext->data.max = TLS_MAX_FRAGMENT_LENGTH_4096;
1271 
1272  /* Construct supported signature algorithms extension */
1273  signature_algorithms_ext = &extensions->signature_algorithms;
1274  signature_algorithms_ext->type = htons ( TLS_SIGNATURE_ALGORITHMS );
1275  signature_algorithms_ext->len
1276  = htons ( sizeof ( signature_algorithms_ext->data ) );
1277  signature_algorithms_ext->data.len
1278  = htons ( sizeof ( signature_algorithms_ext->data.code ) );
1279  i = 0 ; for_each_table_entry ( sighash, TLS_SIG_HASH_ALGORITHMS )
1280  signature_algorithms_ext->data.code[i++] = sighash->code;
1281 
1282  /* Construct renegotiation information extension */
1283  renegotiation_info_ext = &extensions->renegotiation_info;
1284  renegotiation_info_ext->type = htons ( TLS_RENEGOTIATION_INFO );
1285  renegotiation_info_ext->len
1286  = htons ( sizeof ( renegotiation_info_ext->data ) );
1287  renegotiation_info_ext->data.len
1288  = sizeof ( renegotiation_info_ext->data.data );
1289  memcpy ( renegotiation_info_ext->data.data, tls->verify.client,
1290  sizeof ( renegotiation_info_ext->data.data ) );
1291 
1292  /* Construct session ticket extension */
1293  session_ticket_ext = &extensions->session_ticket;
1294  session_ticket_ext->type = htons ( TLS_SESSION_TICKET );
1295  session_ticket_ext->len
1296  = htons ( sizeof ( session_ticket_ext->data ) );
1297  memcpy ( session_ticket_ext->data.data, session->ticket,
1298  sizeof ( session_ticket_ext->data.data ) );
1299 
1300  /* Construct named curves extension, if applicable */
1301  if ( sizeof ( extensions->named_curve ) ) {
1302  named_curve_ext = &extensions->named_curve[0];
1303  named_curve_ext->type = htons ( TLS_NAMED_CURVE );
1304  named_curve_ext->len
1305  = htons ( sizeof ( named_curve_ext->data ) );
1306  named_curve_ext->data.len
1307  = htons ( sizeof ( named_curve_ext->data.code ) );
1309  named_curve_ext->data.code[i++] = curve->code;
1310  }
1311 
1312  return action ( tls, &hello, sizeof ( hello ) );
1313 }
1314 
1315 /**
1316  * Transmit Client Hello record
1317  *
1318  * @v tls TLS connection
1319  * @ret rc Return status code
1320  */
1321 static int tls_send_client_hello ( struct tls_connection *tls ) {
1322 
1323  return tls_client_hello ( tls, tls_send_handshake );
1324 }
1325 
1326 /**
1327  * Transmit Certificate record
1328  *
1329  * @v tls TLS connection
1330  * @ret rc Return status code
1331  */
1332 static int tls_send_certificate ( struct tls_connection *tls ) {
1333  struct {
1334  tls24_t length;
1335  uint8_t data[0];
1336  } __attribute__ (( packed )) *certificate;
1337  struct {
1338  uint32_t type_length;
1339  tls24_t length;
1340  typeof ( *certificate ) certificates[0];
1341  } __attribute__ (( packed )) *certificates;
1342  struct x509_link *link;
1343  struct x509_certificate *cert;
1344  size_t len;
1345  int rc;
1346 
1347  /* Calculate length of client certificates */
1348  len = 0;
1349  list_for_each_entry ( link, &tls->certs->links, list ) {
1350  cert = link->cert;
1351  len += ( sizeof ( *certificate ) + cert->raw.len );
1352  DBGC ( tls, "TLS %p sending client certificate %s\n",
1353  tls, x509_name ( cert ) );
1354  }
1355 
1356  /* Allocate storage for Certificate record (which may be too
1357  * large for the stack).
1358  */
1359  certificates = zalloc ( sizeof ( *certificates ) + len );
1360  if ( ! certificates )
1361  return -ENOMEM_CERTIFICATE;
1362 
1363  /* Populate record */
1364  certificates->type_length =
1366  htonl ( sizeof ( *certificates ) + len -
1367  sizeof ( certificates->type_length ) ) );
1368  tls_set_uint24 ( &certificates->length, len );
1369  certificate = &certificates->certificates[0];
1370  list_for_each_entry ( link, &tls->certs->links, list ) {
1371  cert = link->cert;
1372  tls_set_uint24 ( &certificate->length, cert->raw.len );
1373  memcpy ( certificate->data, cert->raw.data, cert->raw.len );
1374  certificate = ( ( ( void * ) certificate->data ) +
1375  cert->raw.len );
1376  }
1377 
1378  /* Transmit record */
1379  rc = tls_send_handshake ( tls, certificates,
1380  ( sizeof ( *certificates ) + len ) );
1381 
1382  /* Free record */
1383  free ( certificates );
1384 
1385  return rc;
1386 }
1387 
1388 /**
1389  * Transmit Client Key Exchange record using public key exchange
1390  *
1391  * @v tls TLS connection
1392  * @ret rc Return status code
1393  */
1395  struct tls_cipherspec *cipherspec = &tls->tx_cipherspec_pending;
1396  struct pubkey_algorithm *pubkey = cipherspec->suite->pubkey;
1397  size_t max_len = pubkey_max_len ( pubkey, cipherspec->pubkey_ctx );
1398  struct {
1399  uint16_t version;
1400  uint8_t random[46];
1401  } __attribute__ (( packed )) pre_master_secret;
1402  struct {
1403  uint32_t type_length;
1404  uint16_t encrypted_pre_master_secret_len;
1405  uint8_t encrypted_pre_master_secret[max_len];
1406  } __attribute__ (( packed )) key_xchg;
1407  size_t unused;
1408  int len;
1409  int rc;
1410 
1411  /* Generate pre-master secret */
1412  pre_master_secret.version = htons ( TLS_VERSION_MAX );
1413  if ( ( rc = tls_generate_random ( tls, &pre_master_secret.random,
1414  ( sizeof ( pre_master_secret.random ) ) ) ) != 0 ) {
1415  return rc;
1416  }
1417 
1418  /* Generate master secret */
1419  tls_generate_master_secret ( tls, &pre_master_secret,
1420  sizeof ( pre_master_secret ) );
1421 
1422  /* Encrypt pre-master secret using server's public key */
1423  memset ( &key_xchg, 0, sizeof ( key_xchg ) );
1424  len = pubkey_encrypt ( pubkey, cipherspec->pubkey_ctx,
1425  &pre_master_secret, sizeof ( pre_master_secret ),
1426  key_xchg.encrypted_pre_master_secret );
1427  if ( len < 0 ) {
1428  rc = len;
1429  DBGC ( tls, "TLS %p could not encrypt pre-master secret: %s\n",
1430  tls, strerror ( rc ) );
1431  return rc;
1432  }
1433  unused = ( max_len - len );
1434  key_xchg.type_length =
1436  htonl ( sizeof ( key_xchg ) -
1437  sizeof ( key_xchg.type_length ) - unused ) );
1438  key_xchg.encrypted_pre_master_secret_len =
1439  htons ( sizeof ( key_xchg.encrypted_pre_master_secret ) -
1440  unused );
1441 
1442  return tls_send_handshake ( tls, &key_xchg,
1443  ( sizeof ( key_xchg ) - unused ) );
1444 }
1445 
1446 /** Public key exchange algorithm */
1448  .name = "pubkey",
1450 };
1451 
1452 /**
1453  * Verify Diffie-Hellman parameter signature
1454  *
1455  * @v tls TLS connection
1456  * @v param_len Diffie-Hellman parameter length
1457  * @ret rc Return status code
1458  */
1459 static int tls_verify_dh_params ( struct tls_connection *tls,
1460  size_t param_len ) {
1461  struct tls_cipherspec *cipherspec = &tls->tx_cipherspec_pending;
1462  struct pubkey_algorithm *pubkey;
1463  struct digest_algorithm *digest;
1464  int use_sig_hash = tls_version ( tls, TLS_VERSION_TLS_1_2 );
1465  const struct {
1466  struct tls_signature_hash_id sig_hash[use_sig_hash];
1468  uint8_t signature[0];
1469  } __attribute__ (( packed )) *sig;
1470  const void *data;
1471  size_t remaining;
1472  int rc;
1473 
1474  /* Signature follows parameters */
1475  assert ( param_len <= tls->server_key_len );
1476  data = ( tls->server_key + param_len );
1477  remaining = ( tls->server_key_len - param_len );
1478 
1479  /* Parse signature from ServerKeyExchange */
1480  sig = data;
1481  if ( ( sizeof ( *sig ) > remaining ) ||
1482  ( ntohs ( sig->signature_len ) > ( remaining -
1483  sizeof ( *sig ) ) ) ) {
1484  DBGC ( tls, "TLS %p received underlength ServerKeyExchange\n",
1485  tls );
1486  DBGC_HDA ( tls, 0, tls->server_key, tls->server_key_len );
1487  return -EINVAL_KEY_EXCHANGE;
1488  }
1489 
1490  /* Identify signature and hash algorithm */
1491  if ( use_sig_hash ) {
1492  pubkey = tls_signature_hash_pubkey ( sig->sig_hash[0] );
1493  digest = tls_signature_hash_digest ( sig->sig_hash[0] );
1494  if ( ( ! pubkey ) || ( ! digest ) ) {
1495  DBGC ( tls, "TLS %p ServerKeyExchange unsupported "
1496  "signature and hash algorithm\n", tls );
1497  return -ENOTSUP_SIG_HASH;
1498  }
1499  if ( pubkey != cipherspec->suite->pubkey ) {
1500  DBGC ( tls, "TLS %p ServerKeyExchange incorrect "
1501  "signature algorithm %s (expected %s)\n", tls,
1502  pubkey->name, cipherspec->suite->pubkey->name );
1503  return -EPERM_KEY_EXCHANGE;
1504  }
1505  } else {
1506  pubkey = cipherspec->suite->pubkey;
1508  }
1509 
1510  /* Verify signature */
1511  {
1512  const void *signature = sig->signature;
1513  size_t signature_len = ntohs ( sig->signature_len );
1516 
1517  /* Calculate digest */
1518  digest_init ( digest, ctx );
1519  digest_update ( digest, ctx, &tls->client_random,
1520  sizeof ( tls->client_random ) );
1521  digest_update ( digest, ctx, tls->server_random,
1522  sizeof ( tls->server_random ) );
1523  digest_update ( digest, ctx, tls->server_key, param_len );
1524  digest_final ( digest, ctx, hash );
1525 
1526  /* Verify signature */
1527  if ( ( rc = pubkey_verify ( pubkey, cipherspec->pubkey_ctx,
1528  digest, hash, signature,
1529  signature_len ) ) != 0 ) {
1530  DBGC ( tls, "TLS %p ServerKeyExchange failed "
1531  "verification\n", tls );
1532  DBGC_HDA ( tls, 0, tls->server_key,
1533  tls->server_key_len );
1534  return -EPERM_KEY_EXCHANGE;
1535  }
1536  }
1537 
1538  return 0;
1539 }
1540 
1541 /**
1542  * Transmit Client Key Exchange record using DHE key exchange
1543  *
1544  * @v tls TLS connection
1545  * @ret rc Return status code
1546  */
1548  uint8_t private[ sizeof ( tls->client_random.random ) ];
1549  const struct {
1550  uint16_t len;
1551  uint8_t data[0];
1552  } __attribute__ (( packed )) *dh_val[3];
1553  const void *data;
1554  size_t remaining;
1555  size_t frag_len;
1556  size_t param_len;
1557  unsigned int i;
1558  int rc;
1559 
1560  /* Parse ServerKeyExchange */
1561  data = tls->server_key;
1562  remaining = tls->server_key_len;
1563  for ( i = 0 ; i < ( sizeof ( dh_val ) / sizeof ( dh_val[0] ) ) ; i++ ){
1564  dh_val[i] = data;
1565  if ( ( sizeof ( *dh_val[i] ) > remaining ) ||
1566  ( ntohs ( dh_val[i]->len ) > ( remaining -
1567  sizeof ( *dh_val[i] ) ) )){
1568  DBGC ( tls, "TLS %p received underlength "
1569  "ServerKeyExchange\n", tls );
1570  DBGC_HDA ( tls, 0, tls->server_key,
1571  tls->server_key_len );
1573  goto err_header;
1574  }
1575  frag_len = ( sizeof ( *dh_val[i] ) + ntohs ( dh_val[i]->len ));
1576  data += frag_len;
1577  remaining -= frag_len;
1578  }
1579  param_len = ( tls->server_key_len - remaining );
1580 
1581  /* Verify parameter signature */
1582  if ( ( rc = tls_verify_dh_params ( tls, param_len ) ) != 0 )
1583  goto err_verify;
1584 
1585  /* Generate Diffie-Hellman private key */
1586  if ( ( rc = tls_generate_random ( tls, private,
1587  sizeof ( private ) ) ) != 0 ) {
1588  goto err_random;
1589  }
1590 
1591  /* Construct pre-master secret and ClientKeyExchange record */
1592  {
1593  typeof ( dh_val[0] ) dh_p = dh_val[0];
1594  typeof ( dh_val[1] ) dh_g = dh_val[1];
1595  typeof ( dh_val[2] ) dh_ys = dh_val[2];
1596  size_t len = ntohs ( dh_p->len );
1597  struct {
1598  uint32_t type_length;
1599  uint16_t dh_xs_len;
1600  uint8_t dh_xs[len];
1601  } __attribute__ (( packed )) *key_xchg;
1602  struct {
1603  uint8_t pre_master_secret[len];
1604  typeof ( *key_xchg ) key_xchg;
1605  } *dynamic;
1606  uint8_t *pre_master_secret;
1607 
1608  /* Allocate space */
1609  dynamic = malloc ( sizeof ( *dynamic ) );
1610  if ( ! dynamic ) {
1611  rc = -ENOMEM;
1612  goto err_alloc;
1613  }
1614  pre_master_secret = dynamic->pre_master_secret;
1615  key_xchg = &dynamic->key_xchg;
1616  key_xchg->type_length =
1618  htonl ( sizeof ( *key_xchg ) -
1619  sizeof ( key_xchg->type_length ) ) );
1620  key_xchg->dh_xs_len = htons ( len );
1621 
1622  /* Calculate pre-master secret and client public value */
1623  if ( ( rc = dhe_key ( dh_p->data, len,
1624  dh_g->data, ntohs ( dh_g->len ),
1625  dh_ys->data, ntohs ( dh_ys->len ),
1626  private, sizeof ( private ),
1627  key_xchg->dh_xs,
1628  pre_master_secret ) ) != 0 ) {
1629  DBGC ( tls, "TLS %p could not calculate DHE key: %s\n",
1630  tls, strerror ( rc ) );
1631  goto err_dhe_key;
1632  }
1633 
1634  /* Strip leading zeroes from pre-master secret */
1635  while ( len && ( ! *pre_master_secret ) ) {
1636  pre_master_secret++;
1637  len--;
1638  }
1639 
1640  /* Generate master secret */
1641  tls_generate_master_secret ( tls, pre_master_secret, len );
1642 
1643  /* Transmit Client Key Exchange record */
1644  if ( ( rc = tls_send_handshake ( tls, key_xchg,
1645  sizeof ( *key_xchg ) ) ) !=0){
1646  goto err_send_handshake;
1647  }
1648 
1649  err_send_handshake:
1650  err_dhe_key:
1651  free ( dynamic );
1652  }
1653  err_alloc:
1654  err_random:
1655  err_verify:
1656  err_header:
1657  return rc;
1658 }
1659 
1660 /** Ephemeral Diffie-Hellman key exchange algorithm */
1662  .name = "dhe",
1664 };
1665 
1666 /**
1667  * Transmit Client Key Exchange record using ECDHE key exchange
1668  *
1669  * @v tls TLS connection
1670  * @ret rc Return status code
1671  */
1673  struct tls_named_curve *curve;
1674  const struct {
1675  uint8_t curve_type;
1676  uint16_t named_curve;
1677  uint8_t public_len;
1678  uint8_t public[0];
1679  } __attribute__ (( packed )) *ecdh;
1680  size_t param_len;
1681  int rc;
1682 
1683  /* Parse ServerKeyExchange record */
1684  ecdh = tls->server_key;
1685  if ( ( sizeof ( *ecdh ) > tls->server_key_len ) ||
1686  ( ecdh->public_len > ( tls->server_key_len - sizeof ( *ecdh ) ))){
1687  DBGC ( tls, "TLS %p received underlength ServerKeyExchange\n",
1688  tls );
1689  DBGC_HDA ( tls, 0, tls->server_key, tls->server_key_len );
1690  return -EINVAL_KEY_EXCHANGE;
1691  }
1692  param_len = ( sizeof ( *ecdh ) + ecdh->public_len );
1693 
1694  /* Verify parameter signature */
1695  if ( ( rc = tls_verify_dh_params ( tls, param_len ) ) != 0 )
1696  return rc;
1697 
1698  /* Identify named curve */
1699  if ( ecdh->curve_type != TLS_NAMED_CURVE_TYPE ) {
1700  DBGC ( tls, "TLS %p unsupported curve type %d\n",
1701  tls, ecdh->curve_type );
1702  DBGC_HDA ( tls, 0, tls->server_key, tls->server_key_len );
1703  return -ENOTSUP_CURVE;
1704  }
1705  curve = tls_find_named_curve ( ecdh->named_curve );
1706  if ( ! curve ) {
1707  DBGC ( tls, "TLS %p unsupported named curve %d\n",
1708  tls, ntohs ( ecdh->named_curve ) );
1709  DBGC_HDA ( tls, 0, tls->server_key, tls->server_key_len );
1710  return -ENOTSUP_CURVE;
1711  }
1712 
1713  /* Check key length */
1714  if ( ecdh->public_len != curve->curve->keysize ) {
1715  DBGC ( tls, "TLS %p invalid %s key\n",
1716  tls, curve->curve->name );
1717  DBGC_HDA ( tls, 0, tls->server_key, tls->server_key_len );
1718  return -EINVAL_KEY_EXCHANGE;
1719  }
1720 
1721  /* Construct pre-master secret and ClientKeyExchange record */
1722  {
1723  size_t len = curve->curve->keysize;
1724  uint8_t private[len];
1725  uint8_t pre_master_secret[len];
1726  struct {
1727  uint32_t type_length;
1728  uint8_t public_len;
1729  uint8_t public[len];
1730  } __attribute__ (( packed )) key_xchg;
1731 
1732  /* Generate ephemeral private key */
1733  if ( ( rc = tls_generate_random ( tls, private,
1734  sizeof ( private ) ) ) != 0){
1735  return rc;
1736  }
1737 
1738  /* Calculate pre-master secret */
1739  if ( ( rc = elliptic_multiply ( curve->curve,
1740  ecdh->public, private,
1741  pre_master_secret ) ) != 0 ) {
1742  DBGC ( tls, "TLS %p could not exchange ECDHE key: %s\n",
1743  tls, strerror ( rc ) );
1744  return rc;
1745  }
1746 
1747  /* Generate master secret */
1748  tls_generate_master_secret ( tls, pre_master_secret, len );
1749 
1750  /* Generate Client Key Exchange record */
1751  key_xchg.type_length =
1753  htonl ( sizeof ( key_xchg ) -
1754  sizeof ( key_xchg.type_length ) ) );
1755  key_xchg.public_len = len;
1756  if ( ( rc = elliptic_multiply ( curve->curve, NULL, private,
1757  key_xchg.public ) ) != 0 ) {
1758  DBGC ( tls, "TLS %p could not generate ECDHE key: %s\n",
1759  tls, strerror ( rc ) );
1760  return rc;
1761  }
1762 
1763  /* Transmit Client Key Exchange record */
1764  if ( ( rc = tls_send_handshake ( tls, &key_xchg,
1765  sizeof ( key_xchg ) ) ) !=0){
1766  return rc;
1767  }
1768  }
1769 
1770  return 0;
1771 }
1772 
1773 /** Ephemeral Elliptic Curve Diffie-Hellman key exchange algorithm */
1775  .name = "ecdhe",
1777 };
1778 
1779 /**
1780  * Transmit Client Key Exchange record
1781  *
1782  * @v tls TLS connection
1783  * @ret rc Return status code
1784  */
1785 static int tls_send_client_key_exchange ( struct tls_connection *tls ) {
1786  struct tls_cipherspec *cipherspec = &tls->tx_cipherspec_pending;
1787  struct tls_cipher_suite *suite = cipherspec->suite;
1788  int rc;
1789 
1790  /* Transmit Client Key Exchange record via key exchange algorithm */
1791  if ( ( rc = suite->exchange->exchange ( tls ) ) != 0 ) {
1792  DBGC ( tls, "TLS %p could not exchange keys: %s\n",
1793  tls, strerror ( rc ) );
1794  return rc;
1795  }
1796 
1797  /* Generate keys from master secret */
1798  if ( ( rc = tls_generate_keys ( tls ) ) != 0 ) {
1799  DBGC ( tls, "TLS %p could not generate keys: %s\n",
1800  tls, strerror ( rc ) );
1801  return rc;
1802  }
1803 
1804  return 0;
1805 }
1806 
1807 /**
1808  * Transmit Certificate Verify record
1809  *
1810  * @v tls TLS connection
1811  * @ret rc Return status code
1812  */
1813 static int tls_send_certificate_verify ( struct tls_connection *tls ) {
1814  struct digest_algorithm *digest = tls->handshake_digest;
1815  struct x509_certificate *cert = x509_first ( tls->certs );
1816  struct pubkey_algorithm *pubkey = cert->signature_algorithm->pubkey;
1817  struct asn1_cursor *key = privkey_cursor ( tls->key );
1818  uint8_t digest_out[ digest->digestsize ];
1819  uint8_t ctx[ pubkey->ctxsize ];
1820  struct tls_signature_hash_algorithm *sig_hash = NULL;
1821  int rc;
1822 
1823  /* Generate digest to be signed */
1824  tls_verify_handshake ( tls, digest_out );
1825 
1826  /* Initialise public-key algorithm */
1827  if ( ( rc = pubkey_init ( pubkey, ctx, key->data, key->len ) ) != 0 ) {
1828  DBGC ( tls, "TLS %p could not initialise %s client private "
1829  "key: %s\n", tls, pubkey->name, strerror ( rc ) );
1830  goto err_pubkey_init;
1831  }
1832 
1833  /* TLSv1.2 and later use explicit algorithm identifiers */
1834  if ( tls_version ( tls, TLS_VERSION_TLS_1_2 ) ) {
1835  sig_hash = tls_signature_hash_algorithm ( pubkey, digest );
1836  if ( ! sig_hash ) {
1837  DBGC ( tls, "TLS %p could not identify (%s,%s) "
1838  "signature and hash algorithm\n", tls,
1839  pubkey->name, digest->name );
1840  rc = -ENOTSUP_SIG_HASH;
1841  goto err_sig_hash;
1842  }
1843  }
1844 
1845  /* Generate and transmit record */
1846  {
1847  size_t max_len = pubkey_max_len ( pubkey, ctx );
1848  int use_sig_hash = ( ( sig_hash == NULL ) ? 0 : 1 );
1849  struct {
1850  uint32_t type_length;
1851  struct tls_signature_hash_id sig_hash[use_sig_hash];
1854  } __attribute__ (( packed )) certificate_verify;
1855  size_t unused;
1856  int len;
1857 
1858  /* Sign digest */
1859  len = pubkey_sign ( pubkey, ctx, digest, digest_out,
1860  certificate_verify.signature );
1861  if ( len < 0 ) {
1862  rc = len;
1863  DBGC ( tls, "TLS %p could not sign %s digest using %s "
1864  "client private key: %s\n", tls, digest->name,
1865  pubkey->name, strerror ( rc ) );
1866  goto err_pubkey_sign;
1867  }
1868  unused = ( max_len - len );
1869 
1870  /* Construct Certificate Verify record */
1871  certificate_verify.type_length =
1873  htonl ( sizeof ( certificate_verify ) -
1874  sizeof ( certificate_verify.type_length ) -
1875  unused ) );
1876  if ( use_sig_hash ) {
1877  memcpy ( &certificate_verify.sig_hash[0],
1878  &sig_hash->code,
1879  sizeof ( certificate_verify.sig_hash[0] ) );
1880  }
1881  certificate_verify.signature_len =
1882  htons ( sizeof ( certificate_verify.signature ) -
1883  unused );
1884 
1885  /* Transmit record */
1886  rc = tls_send_handshake ( tls, &certificate_verify,
1887  ( sizeof ( certificate_verify ) - unused ) );
1888  }
1889 
1890  err_pubkey_sign:
1891  err_sig_hash:
1892  pubkey_final ( pubkey, ctx );
1893  err_pubkey_init:
1894  return rc;
1895 }
1896 
1897 /**
1898  * Transmit Change Cipher record
1899  *
1900  * @v tls TLS connection
1901  * @ret rc Return status code
1902  */
1903 static int tls_send_change_cipher ( struct tls_connection *tls ) {
1904  static const struct {
1905  uint8_t spec;
1906  } __attribute__ (( packed )) change_cipher = {
1907  .spec = TLS_CHANGE_CIPHER_SPEC,
1908  };
1909 
1911  &change_cipher, sizeof ( change_cipher ) );
1912 }
1913 
1914 /**
1915  * Transmit Finished record
1916  *
1917  * @v tls TLS connection
1918  * @ret rc Return status code
1919  */
1920 static int tls_send_finished ( struct tls_connection *tls ) {
1921  struct digest_algorithm *digest = tls->handshake_digest;
1922  struct {
1923  uint32_t type_length;
1924  uint8_t verify_data[ sizeof ( tls->verify.client ) ];
1925  } __attribute__ (( packed )) finished;
1926  uint8_t digest_out[ digest->digestsize ];
1927  int rc;
1928 
1929  /* Construct client verification data */
1930  tls_verify_handshake ( tls, digest_out );
1931  tls_prf_label ( tls, &tls->master_secret, sizeof ( tls->master_secret ),
1932  tls->verify.client, sizeof ( tls->verify.client ),
1933  "client finished", digest_out, sizeof ( digest_out ) );
1934 
1935  /* Construct record */
1936  memset ( &finished, 0, sizeof ( finished ) );
1937  finished.type_length = ( cpu_to_le32 ( TLS_FINISHED ) |
1938  htonl ( sizeof ( finished ) -
1939  sizeof ( finished.type_length ) ) );
1940  memcpy ( finished.verify_data, tls->verify.client,
1941  sizeof ( finished.verify_data ) );
1942 
1943  /* Transmit record */
1944  if ( ( rc = tls_send_handshake ( tls, &finished,
1945  sizeof ( finished ) ) ) != 0 )
1946  return rc;
1947 
1948  /* Mark client as finished */
1949  pending_put ( &tls->client_negotiation );
1950 
1951  return 0;
1952 }
1953 
1954 /**
1955  * Receive new Change Cipher record
1956  *
1957  * @v tls TLS connection
1958  * @v iobuf I/O buffer
1959  * @ret rc Return status code
1960  */
1961 static int tls_new_change_cipher ( struct tls_connection *tls,
1962  struct io_buffer *iobuf ) {
1963  const struct {
1964  uint8_t spec;
1965  } __attribute__ (( packed )) *change_cipher = iobuf->data;
1966  size_t len = iob_len ( iobuf );
1967  int rc;
1968 
1969  /* Sanity check */
1970  if ( ( sizeof ( *change_cipher ) != len ) ||
1971  ( change_cipher->spec != TLS_CHANGE_CIPHER_SPEC ) ) {
1972  DBGC ( tls, "TLS %p received invalid Change Cipher\n", tls );
1973  DBGC_HD ( tls, change_cipher, len );
1974  return -EINVAL_CHANGE_CIPHER;
1975  }
1976  iob_pull ( iobuf, sizeof ( *change_cipher ) );
1977 
1978  /* Change receive cipher spec */
1979  if ( ( rc = tls_change_cipher ( tls, &tls->rx_cipherspec_pending,
1980  &tls->rx_cipherspec ) ) != 0 ) {
1981  DBGC ( tls, "TLS %p could not activate RX cipher: %s\n",
1982  tls, strerror ( rc ) );
1983  return rc;
1984  }
1985  tls->rx_seq = ~( ( uint64_t ) 0 );
1986 
1987  return 0;
1988 }
1989 
1990 /**
1991  * Receive new Alert record
1992  *
1993  * @v tls TLS connection
1994  * @v iobuf I/O buffer
1995  * @ret rc Return status code
1996  */
1997 static int tls_new_alert ( struct tls_connection *tls,
1998  struct io_buffer *iobuf ) {
1999  const struct {
2000  uint8_t level;
2001  uint8_t description;
2002  char next[0];
2003  } __attribute__ (( packed )) *alert = iobuf->data;
2004  size_t len = iob_len ( iobuf );
2005 
2006  /* Sanity check */
2007  if ( sizeof ( *alert ) != len ) {
2008  DBGC ( tls, "TLS %p received overlength Alert\n", tls );
2009  DBGC_HD ( tls, alert, len );
2010  return -EINVAL_ALERT;
2011  }
2012  iob_pull ( iobuf, sizeof ( *alert ) );
2013 
2014  /* Handle alert */
2015  switch ( alert->level ) {
2016  case TLS_ALERT_WARNING:
2017  DBGC ( tls, "TLS %p received warning alert %d\n",
2018  tls, alert->description );
2019  return 0;
2020  case TLS_ALERT_FATAL:
2021  DBGC ( tls, "TLS %p received fatal alert %d\n",
2022  tls, alert->description );
2023  return -EPERM_ALERT;
2024  default:
2025  DBGC ( tls, "TLS %p received unknown alert level %d"
2026  "(alert %d)\n", tls, alert->level, alert->description );
2027  return -EIO_ALERT;
2028  }
2029 }
2030 
2031 /**
2032  * Receive new Hello Request handshake record
2033  *
2034  * @v tls TLS connection
2035  * @v data Plaintext handshake record
2036  * @v len Length of plaintext handshake record
2037  * @ret rc Return status code
2038  */
2039 static int tls_new_hello_request ( struct tls_connection *tls,
2040  const void *data __unused,
2041  size_t len __unused ) {
2042 
2043  /* Ignore if a handshake is in progress */
2044  if ( ! tls_ready ( tls ) ) {
2045  DBGC ( tls, "TLS %p ignoring Hello Request\n", tls );
2046  return 0;
2047  }
2048 
2049  /* Fail unless server supports secure renegotiation */
2050  if ( ! tls->secure_renegotiation ) {
2051  DBGC ( tls, "TLS %p refusing to renegotiate insecurely\n",
2052  tls );
2053  return -EPERM_RENEG_INSECURE;
2054  }
2055 
2056  /* Restart negotiation */
2057  tls_restart ( tls );
2058 
2059  return 0;
2060 }
2061 
2062 /**
2063  * Receive new Server Hello handshake record
2064  *
2065  * @v tls TLS connection
2066  * @v data Plaintext handshake record
2067  * @v len Length of plaintext handshake record
2068  * @ret rc Return status code
2069  */
2070 static int tls_new_server_hello ( struct tls_connection *tls,
2071  const void *data, size_t len ) {
2072  const struct {
2073  uint16_t version;
2074  uint8_t random[32];
2075  uint8_t session_id_len;
2076  uint8_t session_id[0];
2077  } __attribute__ (( packed )) *hello_a = data;
2078  const uint8_t *session_id;
2079  const struct {
2080  uint16_t cipher_suite;
2081  uint8_t compression_method;
2082  char next[0];
2083  } __attribute__ (( packed )) *hello_b;
2084  const struct {
2085  uint16_t len;
2086  uint8_t data[0];
2087  } __attribute__ (( packed )) *exts;
2088  const struct {
2089  uint16_t type;
2090  uint16_t len;
2091  uint8_t data[0];
2092  } __attribute__ (( packed )) *ext;
2093  const struct {
2094  uint8_t len;
2095  uint8_t data[0];
2096  } __attribute__ (( packed )) *reneg = NULL;
2097  uint16_t version;
2098  size_t exts_len;
2099  size_t ext_len;
2100  size_t remaining;
2101  int rc;
2102 
2103  /* Parse header */
2104  if ( ( sizeof ( *hello_a ) > len ) ||
2105  ( hello_a->session_id_len > ( len - sizeof ( *hello_a ) ) ) ||
2106  ( sizeof ( *hello_b ) > ( len - sizeof ( *hello_a ) -
2107  hello_a->session_id_len ) ) ) {
2108  DBGC ( tls, "TLS %p received underlength Server Hello\n", tls );
2109  DBGC_HD ( tls, data, len );
2110  return -EINVAL_HELLO;
2111  }
2112  session_id = hello_a->session_id;
2113  hello_b = ( ( void * ) ( session_id + hello_a->session_id_len ) );
2114 
2115  /* Parse extensions, if present */
2116  remaining = ( len - sizeof ( *hello_a ) - hello_a->session_id_len -
2117  sizeof ( *hello_b ) );
2118  if ( remaining ) {
2119 
2120  /* Parse extensions length */
2121  exts = ( ( void * ) hello_b->next );
2122  if ( ( sizeof ( *exts ) > remaining ) ||
2123  ( ( exts_len = ntohs ( exts->len ) ) >
2124  ( remaining - sizeof ( *exts ) ) ) ) {
2125  DBGC ( tls, "TLS %p received underlength extensions\n",
2126  tls );
2127  DBGC_HD ( tls, data, len );
2128  return -EINVAL_HELLO;
2129  }
2130 
2131  /* Parse extensions */
2132  for ( ext = ( ( void * ) exts->data ), remaining = exts_len ;
2133  remaining ;
2134  ext = ( ( ( void * ) ext ) + sizeof ( *ext ) + ext_len ),
2135  remaining -= ( sizeof ( *ext ) + ext_len ) ) {
2136 
2137  /* Parse extension length */
2138  if ( ( sizeof ( *ext ) > remaining ) ||
2139  ( ( ext_len = ntohs ( ext->len ) ) >
2140  ( remaining - sizeof ( *ext ) ) ) ) {
2141  DBGC ( tls, "TLS %p received underlength "
2142  "extension\n", tls );
2143  DBGC_HD ( tls, data, len );
2144  return -EINVAL_HELLO;
2145  }
2146 
2147  /* Record known extensions */
2148  switch ( ext->type ) {
2149  case htons ( TLS_RENEGOTIATION_INFO ) :
2150  reneg = ( ( void * ) ext->data );
2151  if ( ( sizeof ( *reneg ) > ext_len ) ||
2152  ( reneg->len >
2153  ( ext_len - sizeof ( *reneg ) ) ) ) {
2154  DBGC ( tls, "TLS %p received "
2155  "underlength renegotiation "
2156  "info\n", tls );
2157  DBGC_HD ( tls, data, len );
2158  return -EINVAL_HELLO;
2159  }
2160  break;
2161  }
2162  }
2163  }
2164 
2165  /* Check and store protocol version */
2166  version = ntohs ( hello_a->version );
2167  if ( version < TLS_VERSION_MIN ) {
2168  DBGC ( tls, "TLS %p does not support protocol version %d.%d\n",
2169  tls, ( version >> 8 ), ( version & 0xff ) );
2170  return -ENOTSUP_VERSION;
2171  }
2172  if ( version > tls->version ) {
2173  DBGC ( tls, "TLS %p server attempted to illegally upgrade to "
2174  "protocol version %d.%d\n",
2175  tls, ( version >> 8 ), ( version & 0xff ) );
2176  return -EPROTO_VERSION;
2177  }
2178  tls->version = version;
2179  DBGC ( tls, "TLS %p using protocol version %d.%d\n",
2180  tls, ( version >> 8 ), ( version & 0xff ) );
2181 
2182  /* Select cipher suite */
2183  if ( ( rc = tls_select_cipher ( tls, hello_b->cipher_suite ) ) != 0 )
2184  return rc;
2185 
2186  /* Add preceding Client Hello to handshake digest */
2187  if ( ( rc = tls_client_hello ( tls, tls_add_handshake ) ) != 0 )
2188  return rc;
2189 
2190  /* Copy out server random bytes */
2191  memcpy ( &tls->server_random, &hello_a->random,
2192  sizeof ( tls->server_random ) );
2193 
2194  /* Check session ID */
2195  if ( hello_a->session_id_len &&
2196  ( hello_a->session_id_len == tls->session_id_len ) &&
2197  ( memcmp ( session_id, tls->session_id,
2198  tls->session_id_len ) == 0 ) ) {
2199 
2200  /* Session ID match: reuse master secret */
2201  DBGC ( tls, "TLS %p resuming session ID:\n", tls );
2202  DBGC_HDA ( tls, 0, tls->session_id, tls->session_id_len );
2203  if ( ( rc = tls_generate_keys ( tls ) ) != 0 )
2204  return rc;
2205 
2206  } else {
2207 
2208  /* Record new session ID, if present */
2209  if ( hello_a->session_id_len &&
2210  ( hello_a->session_id_len <= sizeof ( tls->session_id ))){
2211  tls->session_id_len = hello_a->session_id_len;
2212  memcpy ( tls->session_id, session_id,
2213  tls->session_id_len );
2214  DBGC ( tls, "TLS %p new session ID:\n", tls );
2215  DBGC_HDA ( tls, 0, tls->session_id,
2216  tls->session_id_len );
2217  }
2218  }
2219 
2220  /* Handle secure renegotiation */
2221  if ( tls->secure_renegotiation ) {
2222 
2223  /* Secure renegotiation is expected; verify data */
2224  if ( ( reneg == NULL ) ||
2225  ( reneg->len != sizeof ( tls->verify ) ) ||
2226  ( memcmp ( reneg->data, &tls->verify,
2227  sizeof ( tls->verify ) ) != 0 ) ) {
2228  DBGC ( tls, "TLS %p server failed secure "
2229  "renegotiation\n", tls );
2230  return -EPERM_RENEG_VERIFY;
2231  }
2232 
2233  } else if ( reneg != NULL ) {
2234 
2235  /* Secure renegotiation is being enabled */
2236  if ( reneg->len != 0 ) {
2237  DBGC ( tls, "TLS %p server provided non-empty initial "
2238  "renegotiation\n", tls );
2239  return -EPERM_RENEG_VERIFY;
2240  }
2241  tls->secure_renegotiation = 1;
2242  }
2243 
2244  return 0;
2245 }
2246 
2247 /**
2248  * Receive New Session Ticket handshake record
2249  *
2250  * @v tls TLS connection
2251  * @v data Plaintext handshake record
2252  * @v len Length of plaintext handshake record
2253  * @ret rc Return status code
2254  */
2255 static int tls_new_session_ticket ( struct tls_connection *tls,
2256  const void *data, size_t len ) {
2257  const struct {
2259  uint16_t len;
2260  uint8_t ticket[0];
2261  } __attribute__ (( packed )) *new_session_ticket = data;
2262  size_t ticket_len;
2263 
2264  /* Parse header */
2265  if ( sizeof ( *new_session_ticket ) > len ) {
2266  DBGC ( tls, "TLS %p received underlength New Session Ticket\n",
2267  tls );
2268  DBGC_HD ( tls, data, len );
2269  return -EINVAL_TICKET;
2270  }
2271  ticket_len = ntohs ( new_session_ticket->len );
2272  if ( ticket_len > ( len - sizeof ( *new_session_ticket ) ) ) {
2273  DBGC ( tls, "TLS %p received overlength New Session Ticket\n",
2274  tls );
2275  DBGC_HD ( tls, data, len );
2276  return -EINVAL_TICKET;
2277  }
2278 
2279  /* Free any unapplied new session ticket */
2280  free ( tls->new_session_ticket );
2281  tls->new_session_ticket = NULL;
2282  tls->new_session_ticket_len = 0;
2283 
2284  /* Record ticket */
2285  tls->new_session_ticket = malloc ( ticket_len );
2286  if ( ! tls->new_session_ticket )
2287  return -ENOMEM;
2288  memcpy ( tls->new_session_ticket, new_session_ticket->ticket,
2289  ticket_len );
2290  tls->new_session_ticket_len = ticket_len;
2291  DBGC ( tls, "TLS %p new session ticket:\n", tls );
2292  DBGC_HDA ( tls, 0, tls->new_session_ticket,
2293  tls->new_session_ticket_len );
2294 
2295  return 0;
2296 }
2297 
2298 /**
2299  * Parse certificate chain
2300  *
2301  * @v tls TLS connection
2302  * @v data Certificate chain
2303  * @v len Length of certificate chain
2304  * @ret rc Return status code
2305  */
2306 static int tls_parse_chain ( struct tls_connection *tls,
2307  const void *data, size_t len ) {
2308  size_t remaining = len;
2309  int rc;
2310 
2311  /* Free any existing certificate chain */
2312  x509_chain_put ( tls->chain );
2313  tls->chain = NULL;
2314 
2315  /* Create certificate chain */
2316  tls->chain = x509_alloc_chain();
2317  if ( ! tls->chain ) {
2318  rc = -ENOMEM_CHAIN;
2319  goto err_alloc_chain;
2320  }
2321 
2322  /* Add certificates to chain */
2323  while ( remaining ) {
2324  const struct {
2325  tls24_t length;
2326  uint8_t data[0];
2327  } __attribute__ (( packed )) *certificate = data;
2328  size_t certificate_len;
2329  size_t record_len;
2330  struct x509_certificate *cert;
2331 
2332  /* Parse header */
2333  if ( sizeof ( *certificate ) > remaining ) {
2334  DBGC ( tls, "TLS %p underlength certificate:\n", tls );
2335  DBGC_HDA ( tls, 0, data, remaining );
2337  goto err_underlength;
2338  }
2339  certificate_len = tls_uint24 ( &certificate->length );
2340  if ( certificate_len > ( remaining - sizeof ( *certificate ) )){
2341  DBGC ( tls, "TLS %p overlength certificate:\n", tls );
2342  DBGC_HDA ( tls, 0, data, remaining );
2344  goto err_overlength;
2345  }
2346  record_len = ( sizeof ( *certificate ) + certificate_len );
2347 
2348  /* Add certificate to chain */
2349  if ( ( rc = x509_append_raw ( tls->chain, certificate->data,
2350  certificate_len ) ) != 0 ) {
2351  DBGC ( tls, "TLS %p could not append certificate: %s\n",
2352  tls, strerror ( rc ) );
2353  DBGC_HDA ( tls, 0, data, remaining );
2354  goto err_parse;
2355  }
2356  cert = x509_last ( tls->chain );
2357  DBGC ( tls, "TLS %p found certificate %s\n",
2358  tls, x509_name ( cert ) );
2359 
2360  /* Move to next certificate in list */
2361  data += record_len;
2362  remaining -= record_len;
2363  }
2364 
2365  return 0;
2366 
2367  err_parse:
2368  err_overlength:
2369  err_underlength:
2370  x509_chain_put ( tls->chain );
2371  tls->chain = NULL;
2372  err_alloc_chain:
2373  return rc;
2374 }
2375 
2376 /**
2377  * Receive new Certificate handshake record
2378  *
2379  * @v tls TLS connection
2380  * @v data Plaintext handshake record
2381  * @v len Length of plaintext handshake record
2382  * @ret rc Return status code
2383  */
2384 static int tls_new_certificate ( struct tls_connection *tls,
2385  const void *data, size_t len ) {
2386  const struct {
2387  tls24_t length;
2388  uint8_t certificates[0];
2389  } __attribute__ (( packed )) *certificate = data;
2390  size_t certificates_len;
2391  int rc;
2392 
2393  /* Parse header */
2394  if ( sizeof ( *certificate ) > len ) {
2395  DBGC ( tls, "TLS %p received underlength Server Certificate\n",
2396  tls );
2397  DBGC_HD ( tls, data, len );
2398  return -EINVAL_CERTIFICATES;
2399  }
2400  certificates_len = tls_uint24 ( &certificate->length );
2401  if ( certificates_len > ( len - sizeof ( *certificate ) ) ) {
2402  DBGC ( tls, "TLS %p received overlength Server Certificate\n",
2403  tls );
2404  DBGC_HD ( tls, data, len );
2405  return -EINVAL_CERTIFICATES;
2406  }
2407 
2408  /* Parse certificate chain */
2409  if ( ( rc = tls_parse_chain ( tls, certificate->certificates,
2410  certificates_len ) ) != 0 )
2411  return rc;
2412 
2413  return 0;
2414 }
2415 
2416 /**
2417  * Receive new Server Key Exchange handshake record
2418  *
2419  * @v tls TLS connection
2420  * @v data Plaintext handshake record
2421  * @v len Length of plaintext handshake record
2422  * @ret rc Return status code
2423  */
2425  const void *data, size_t len ) {
2426 
2427  /* Free any existing server key exchange record */
2428  free ( tls->server_key );
2429  tls->server_key_len = 0;
2430 
2431  /* Allocate copy of server key exchange record */
2432  tls->server_key = malloc ( len );
2433  if ( ! tls->server_key )
2434  return -ENOMEM;
2435 
2436  /* Store copy of server key exchange record for later
2437  * processing. We cannot verify the signature at this point
2438  * since the certificate validation will not yet have
2439  * completed.
2440  */
2441  memcpy ( tls->server_key, data, len );
2442  tls->server_key_len = len;
2443 
2444  return 0;
2445 }
2446 
2447 /**
2448  * Receive new Certificate Request handshake record
2449  *
2450  * @v tls TLS connection
2451  * @v data Plaintext handshake record
2452  * @v len Length of plaintext handshake record
2453  * @ret rc Return status code
2454  */
2456  const void *data __unused,
2457  size_t len __unused ) {
2458  struct x509_certificate *cert;
2459  int rc;
2460 
2461  /* We can only send a single certificate, so there is no point
2462  * in parsing the Certificate Request.
2463  */
2464 
2465  /* Free any existing client certificate chain */
2466  x509_chain_put ( tls->certs );
2467  tls->certs = NULL;
2468 
2469  /* Determine client certificate to be sent */
2470  cert = certstore_find_key ( tls->key );
2471  if ( ! cert ) {
2472  DBGC ( tls, "TLS %p could not find certificate corresponding "
2473  "to private key\n", tls );
2474  rc = -EPERM_CLIENT_CERT;
2475  goto err_find;
2476  }
2477  x509_get ( cert );
2478  DBGC ( tls, "TLS %p selected client certificate %s\n",
2479  tls, x509_name ( cert ) );
2480 
2481  /* Create client certificate chain */
2482  tls->certs = x509_alloc_chain();
2483  if ( ! tls->certs ) {
2484  rc = -ENOMEM;
2485  goto err_alloc;
2486  }
2487 
2488  /* Append client certificate to chain */
2489  if ( ( rc = x509_append ( tls->certs, cert ) ) != 0 )
2490  goto err_append;
2491 
2492  /* Append any relevant issuer certificates */
2493  if ( ( rc = x509_auto_append ( tls->certs, &certstore ) ) != 0 )
2494  goto err_auto_append;
2495 
2496  /* Drop local reference to client certificate */
2497  x509_put ( cert );
2498 
2499  return 0;
2500 
2501  err_auto_append:
2502  err_append:
2503  x509_chain_put ( tls->certs );
2504  tls->certs = NULL;
2505  err_alloc:
2506  x509_put ( cert );
2507  err_find:
2508  return rc;
2509 }
2510 
2511 /**
2512  * Receive new Server Hello Done handshake record
2513  *
2514  * @v tls TLS connection
2515  * @v data Plaintext handshake record
2516  * @v len Length of plaintext handshake record
2517  * @ret rc Return status code
2518  */
2520  const void *data, size_t len ) {
2521  const struct {
2522  char next[0];
2523  } __attribute__ (( packed )) *hello_done = data;
2524  int rc;
2525 
2526  /* Sanity check */
2527  if ( sizeof ( *hello_done ) != len ) {
2528  DBGC ( tls, "TLS %p received overlength Server Hello Done\n",
2529  tls );
2530  DBGC_HD ( tls, data, len );
2531  return -EINVAL_HELLO_DONE;
2532  }
2533 
2534  /* Begin certificate validation */
2535  if ( ( rc = create_validator ( &tls->validator, tls->chain,
2536  tls->root ) ) != 0 ) {
2537  DBGC ( tls, "TLS %p could not start certificate validation: "
2538  "%s\n", tls, strerror ( rc ) );
2539  return rc;
2540  }
2541  pending_get ( &tls->validation );
2542 
2543  return 0;
2544 }
2545 
2546 /**
2547  * Receive new Finished handshake record
2548  *
2549  * @v tls TLS connection
2550  * @v data Plaintext handshake record
2551  * @v len Length of plaintext handshake record
2552  * @ret rc Return status code
2553  */
2554 static int tls_new_finished ( struct tls_connection *tls,
2555  const void *data, size_t len ) {
2556  struct tls_session *session = tls->session;
2557  struct digest_algorithm *digest = tls->handshake_digest;
2558  const struct {
2559  uint8_t verify_data[ sizeof ( tls->verify.server ) ];
2560  char next[0];
2561  } __attribute__ (( packed )) *finished = data;
2562  uint8_t digest_out[ digest->digestsize ];
2563 
2564  /* Sanity check */
2565  if ( sizeof ( *finished ) != len ) {
2566  DBGC ( tls, "TLS %p received overlength Finished\n", tls );
2567  DBGC_HD ( tls, data, len );
2568  return -EINVAL_FINISHED;
2569  }
2570 
2571  /* Verify data */
2572  tls_verify_handshake ( tls, digest_out );
2573  tls_prf_label ( tls, &tls->master_secret, sizeof ( tls->master_secret ),
2574  tls->verify.server, sizeof ( tls->verify.server ),
2575  "server finished", digest_out, sizeof ( digest_out ) );
2576  if ( memcmp ( tls->verify.server, finished->verify_data,
2577  sizeof ( tls->verify.server ) ) != 0 ) {
2578  DBGC ( tls, "TLS %p verification failed\n", tls );
2579  return -EPERM_VERIFY;
2580  }
2581 
2582  /* Mark server as finished */
2583  pending_put ( &tls->server_negotiation );
2584 
2585  /* If we are resuming a session (i.e. if the server Finished
2586  * arrives before the client Finished is sent), then schedule
2587  * transmission of Change Cipher and Finished.
2588  */
2589  if ( is_pending ( &tls->client_negotiation ) ) {
2591  tls_tx_resume ( tls );
2592  }
2593 
2594  /* Record session ID, ticket, and master secret, if applicable */
2595  if ( tls->session_id_len || tls->new_session_ticket_len ) {
2596  memcpy ( session->master_secret, tls->master_secret,
2597  sizeof ( session->master_secret ) );
2598  }
2599  if ( tls->session_id_len ) {
2600  session->id_len = tls->session_id_len;
2601  memcpy ( session->id, tls->session_id, sizeof ( session->id ) );
2602  }
2603  if ( tls->new_session_ticket_len ) {
2604  free ( session->ticket );
2605  session->ticket = tls->new_session_ticket;
2606  session->ticket_len = tls->new_session_ticket_len;
2607  tls->new_session_ticket = NULL;
2608  tls->new_session_ticket_len = 0;
2609  }
2610 
2611  /* Move to end of session's connection list and allow other
2612  * connections to start making progress.
2613  */
2614  list_del ( &tls->list );
2615  list_add_tail ( &tls->list, &session->conn );
2617 
2618  /* Send notification of a window change */
2619  xfer_window_changed ( &tls->plainstream );
2620 
2621  return 0;
2622 }
2623 
2624 /**
2625  * Receive new Handshake record
2626  *
2627  * @v tls TLS connection
2628  * @v iobuf I/O buffer
2629  * @ret rc Return status code
2630  */
2631 static int tls_new_handshake ( struct tls_connection *tls,
2632  struct io_buffer *iobuf ) {
2633  size_t remaining;
2634  int rc;
2635 
2636  while ( ( remaining = iob_len ( iobuf ) ) ) {
2637  const struct {
2638  uint8_t type;
2639  tls24_t length;
2640  uint8_t payload[0];
2641  } __attribute__ (( packed )) *handshake = iobuf->data;
2642  const void *payload;
2643  size_t payload_len;
2644  size_t record_len;
2645 
2646  /* Parse header */
2647  if ( sizeof ( *handshake ) > remaining ) {
2648  /* Leave remaining fragment unconsumed */
2649  break;
2650  }
2651  payload_len = tls_uint24 ( &handshake->length );
2652  if ( payload_len > ( remaining - sizeof ( *handshake ) ) ) {
2653  /* Leave remaining fragment unconsumed */
2654  break;
2655  }
2656  payload = &handshake->payload;
2657  record_len = ( sizeof ( *handshake ) + payload_len );
2658 
2659  /* Handle payload */
2660  switch ( handshake->type ) {
2661  case TLS_HELLO_REQUEST:
2662  rc = tls_new_hello_request ( tls, payload,
2663  payload_len );
2664  break;
2665  case TLS_SERVER_HELLO:
2666  rc = tls_new_server_hello ( tls, payload, payload_len );
2667  break;
2669  rc = tls_new_session_ticket ( tls, payload,
2670  payload_len );
2671  break;
2672  case TLS_CERTIFICATE:
2673  rc = tls_new_certificate ( tls, payload, payload_len );
2674  break;
2676  rc = tls_new_server_key_exchange ( tls, payload,
2677  payload_len );
2678  break;
2680  rc = tls_new_certificate_request ( tls, payload,
2681  payload_len );
2682  break;
2683  case TLS_SERVER_HELLO_DONE:
2684  rc = tls_new_server_hello_done ( tls, payload,
2685  payload_len );
2686  break;
2687  case TLS_FINISHED:
2688  rc = tls_new_finished ( tls, payload, payload_len );
2689  break;
2690  default:
2691  DBGC ( tls, "TLS %p ignoring handshake type %d\n",
2692  tls, handshake->type );
2693  rc = 0;
2694  break;
2695  }
2696 
2697  /* Add to handshake digest (except for Hello Requests,
2698  * which are explicitly excluded).
2699  */
2700  if ( handshake->type != TLS_HELLO_REQUEST )
2701  tls_add_handshake ( tls, handshake, record_len );
2702 
2703  /* Abort on failure */
2704  if ( rc != 0 )
2705  return rc;
2706 
2707  /* Move to next handshake record */
2708  iob_pull ( iobuf, record_len );
2709  }
2710 
2711  return 0;
2712 }
2713 
2714 /**
2715  * Receive new unknown record
2716  *
2717  * @v tls TLS connection
2718  * @v iobuf I/O buffer
2719  * @ret rc Return status code
2720  */
2721 static int tls_new_unknown ( struct tls_connection *tls __unused,
2722  struct io_buffer *iobuf ) {
2723 
2724  /* RFC4346 says that we should just ignore unknown record types */
2725  iob_pull ( iobuf, iob_len ( iobuf ) );
2726  return 0;
2727 }
2728 
2729 /**
2730  * Receive new data record
2731  *
2732  * @v tls TLS connection
2733  * @v rx_data List of received data buffers
2734  * @ret rc Return status code
2735  */
2736 static int tls_new_data ( struct tls_connection *tls,
2737  struct list_head *rx_data ) {
2738  struct io_buffer *iobuf;
2739  int rc;
2740 
2741  /* Fail unless we are ready to receive data */
2742  if ( ! tls_ready ( tls ) )
2743  return -ENOTCONN;
2744 
2745  /* Deliver each I/O buffer in turn */
2746  while ( ( iobuf = list_first_entry ( rx_data, struct io_buffer,
2747  list ) ) ) {
2748  list_del ( &iobuf->list );
2749  if ( ( rc = xfer_deliver_iob ( &tls->plainstream,
2750  iobuf ) ) != 0 ) {
2751  DBGC ( tls, "TLS %p could not deliver data: "
2752  "%s\n", tls, strerror ( rc ) );
2753  return rc;
2754  }
2755  }
2756 
2757  return 0;
2758 }
2759 
2760 /**
2761  * Receive new record
2762  *
2763  * @v tls TLS connection
2764  * @v type Record type
2765  * @v rx_data List of received data buffers
2766  * @ret rc Return status code
2767  */
2768 static int tls_new_record ( struct tls_connection *tls, unsigned int type,
2769  struct list_head *rx_data ) {
2770  int ( * handler ) ( struct tls_connection *tls,
2771  struct io_buffer *iobuf );
2772  struct io_buffer *tmp = NULL;
2773  struct io_buffer **iobuf;
2774  int rc;
2775 
2776  /* Deliver data records as-is to the plainstream interface */
2777  if ( type == TLS_TYPE_DATA )
2778  return tls_new_data ( tls, rx_data );
2779 
2780  /* Determine handler and fragment buffer */
2781  iobuf = &tmp;
2782  switch ( type ) {
2784  handler = tls_new_change_cipher;
2785  break;
2786  case TLS_TYPE_ALERT:
2787  handler = tls_new_alert;
2788  break;
2789  case TLS_TYPE_HANDSHAKE:
2790  handler = tls_new_handshake;
2791  iobuf = &tls->rx_handshake;
2792  break;
2793  default:
2794  DBGC ( tls, "TLS %p unknown record type %d\n", tls, type );
2795  handler = tls_new_unknown;
2796  break;
2797  }
2798 
2799  /* Merge into a single I/O buffer */
2800  if ( *iobuf )
2801  list_add ( &(*iobuf)->list, rx_data );
2802  *iobuf = iob_concatenate ( rx_data );
2803  if ( ! *iobuf ) {
2804  DBGC ( tls, "TLS %p could not concatenate non-data record "
2805  "type %d\n", tls, type );
2806  rc = -ENOMEM_RX_CONCAT;
2807  goto err_concatenate;
2808  }
2809 
2810  /* Handle record */
2811  if ( ( rc = handler ( tls, *iobuf ) ) != 0 )
2812  goto err_handle;
2813 
2814  /* Discard I/O buffer if empty */
2815  if ( ! iob_len ( *iobuf ) ) {
2816  free_iob ( *iobuf );
2817  *iobuf = NULL;
2818  }
2819 
2820  /* Sanity check */
2821  assert ( tmp == NULL );
2822 
2823  return 0;
2824 
2825  err_handle:
2826  free_iob ( *iobuf );
2827  *iobuf = NULL;
2828  err_concatenate:
2829  return rc;
2830 }
2831 
2832 /******************************************************************************
2833  *
2834  * Record encryption/decryption
2835  *
2836  ******************************************************************************
2837  */
2838 
2839 /**
2840  * Initialise HMAC
2841  *
2842  * @v cipherspec Cipher specification
2843  * @v ctx Context
2844  * @v authhdr Authentication header
2845  */
2846 static void tls_hmac_init ( struct tls_cipherspec *cipherspec, void *ctx,
2847  struct tls_auth_header *authhdr ) {
2848  struct tls_cipher_suite *suite = cipherspec->suite;
2849  struct digest_algorithm *digest = suite->digest;
2850 
2851  hmac_init ( digest, ctx, cipherspec->mac_secret, suite->mac_len );
2852  hmac_update ( digest, ctx, authhdr, sizeof ( *authhdr ) );
2853 }
2854 
2855 /**
2856  * Update HMAC
2857  *
2858  * @v cipherspec Cipher specification
2859  * @v ctx Context
2860  * @v data Data
2861  * @v len Length of data
2862  */
2863 static void tls_hmac_update ( struct tls_cipherspec *cipherspec, void *ctx,
2864  const void *data, size_t len ) {
2865  struct digest_algorithm *digest = cipherspec->suite->digest;
2866 
2867  hmac_update ( digest, ctx, data, len );
2868 }
2869 
2870 /**
2871  * Finalise HMAC
2872  *
2873  * @v cipherspec Cipher specification
2874  * @v ctx Context
2875  * @v mac HMAC to fill in
2876  */
2877 static void tls_hmac_final ( struct tls_cipherspec *cipherspec, void *ctx,
2878  void *hmac ) {
2879  struct digest_algorithm *digest = cipherspec->suite->digest;
2880 
2881  hmac_final ( digest, ctx, hmac );
2882 }
2883 
2884 /**
2885  * Calculate HMAC
2886  *
2887  * @v cipherspec Cipher specification
2888  * @v authhdr Authentication header
2889  * @v data Data
2890  * @v len Length of data
2891  * @v mac HMAC to fill in
2892  */
2893 static void tls_hmac ( struct tls_cipherspec *cipherspec,
2894  struct tls_auth_header *authhdr,
2895  const void *data, size_t len, void *hmac ) {
2896  struct digest_algorithm *digest = cipherspec->suite->digest;
2897  uint8_t ctx[ hmac_ctxsize ( digest ) ];
2898 
2899  tls_hmac_init ( cipherspec, ctx, authhdr );
2900  tls_hmac_update ( cipherspec, ctx, data, len );
2901  tls_hmac_final ( cipherspec, ctx, hmac );
2902 }
2903 
2904 /**
2905  * Calculate HMAC over list of I/O buffers
2906  *
2907  * @v cipherspec Cipher specification
2908  * @v authhdr Authentication header
2909  * @v list List of I/O buffers
2910  * @v mac HMAC to fill in
2911  */
2912 static void tls_hmac_list ( struct tls_cipherspec *cipherspec,
2913  struct tls_auth_header *authhdr,
2914  struct list_head *list, void *hmac ) {
2915  struct digest_algorithm *digest = cipherspec->suite->digest;
2916  uint8_t ctx[ hmac_ctxsize ( digest ) ];
2917  struct io_buffer *iobuf;
2918 
2919  tls_hmac_init ( cipherspec, ctx, authhdr );
2920  list_for_each_entry ( iobuf, list, list ) {
2921  tls_hmac_update ( cipherspec, ctx, iobuf->data,
2922  iob_len ( iobuf ) );
2923  }
2924  tls_hmac_final ( cipherspec, ctx, hmac );
2925 }
2926 
2927 /**
2928  * Send plaintext record
2929  *
2930  * @v tls TLS connection
2931  * @v type Record type
2932  * @v data Plaintext record
2933  * @v len Length of plaintext record
2934  * @ret rc Return status code
2935  */
2936 static int tls_send_plaintext ( struct tls_connection *tls, unsigned int type,
2937  const void *data, size_t len ) {
2938  struct tls_cipherspec *cipherspec = &tls->tx_cipherspec;
2939  struct tls_cipher_suite *suite = cipherspec->suite;
2940  struct cipher_algorithm *cipher = suite->cipher;
2941  struct digest_algorithm *digest = suite->digest;
2942  struct {
2943  uint8_t fixed[suite->fixed_iv_len];
2944  uint8_t record[suite->record_iv_len];
2945  } __attribute__ (( packed )) iv;
2946  struct tls_auth_header authhdr;
2947  struct tls_header *tlshdr;
2948  void *plaintext;
2949  size_t plaintext_len;
2950  struct io_buffer *ciphertext;
2951  size_t ciphertext_len;
2952  size_t padding_len;
2954  void *tmp;
2955  int rc;
2956 
2957  /* Construct initialisation vector */
2958  memcpy ( iv.fixed, cipherspec->fixed_iv, sizeof ( iv.fixed ) );
2959  if ( ( rc = tls_generate_random ( tls, iv.record,
2960  sizeof ( iv.record ) ) ) != 0 ) {
2961  goto err_random;
2962  }
2963 
2964  /* Construct authentication data */
2965  authhdr.seq = cpu_to_be64 ( tls->tx_seq );
2966  authhdr.header.type = type;
2967  authhdr.header.version = htons ( tls->version );
2968  authhdr.header.length = htons ( len );
2969 
2970  /* Calculate padding length */
2971  plaintext_len = ( len + suite->mac_len );
2972  if ( is_block_cipher ( cipher ) ) {
2973  padding_len = ( ( ( cipher->blocksize - 1 ) &
2974  -( plaintext_len + 1 ) ) + 1 );
2975  } else {
2976  padding_len = 0;
2977  }
2978  plaintext_len += padding_len;
2979 
2980  /* Allocate plaintext */
2981  plaintext = malloc ( plaintext_len );
2982  if ( ! plaintext ) {
2983  DBGC ( tls, "TLS %p could not allocate %zd bytes for "
2984  "plaintext\n", tls, plaintext_len );
2986  goto err_plaintext;
2987  }
2988 
2989  /* Assemble plaintext */
2990  tmp = plaintext;
2991  memcpy ( tmp, data, len );
2992  tmp += len;
2993  if ( suite->mac_len )
2994  tls_hmac ( cipherspec, &authhdr, data, len, mac );
2995  memcpy ( tmp, mac, suite->mac_len );
2996  tmp += suite->mac_len;
2997  memset ( tmp, ( padding_len - 1 ), padding_len );
2998  tmp += padding_len;
2999  assert ( tmp == ( plaintext + plaintext_len ) );
3000  DBGC2 ( tls, "Sending plaintext data:\n" );
3001  DBGC2_HD ( tls, plaintext, plaintext_len );
3002 
3003  /* Set initialisation vector */
3004  cipher_setiv ( cipher, cipherspec->cipher_ctx, &iv, sizeof ( iv ) );
3005 
3006  /* Process authentication data, if applicable */
3007  if ( is_auth_cipher ( cipher ) ) {
3008  cipher_encrypt ( cipher, cipherspec->cipher_ctx, &authhdr,
3009  NULL, sizeof ( authhdr ) );
3010  }
3011 
3012  /* Allocate ciphertext */
3013  ciphertext_len = ( sizeof ( *tlshdr ) + sizeof ( iv.record ) +
3014  plaintext_len + cipher->authsize );
3015  ciphertext = xfer_alloc_iob ( &tls->cipherstream, ciphertext_len );
3016  if ( ! ciphertext ) {
3017  DBGC ( tls, "TLS %p could not allocate %zd bytes for "
3018  "ciphertext\n", tls, ciphertext_len );
3020  goto err_ciphertext;
3021  }
3022 
3023  /* Assemble ciphertext */
3024  tlshdr = iob_put ( ciphertext, sizeof ( *tlshdr ) );
3025  tlshdr->type = type;
3026  tlshdr->version = htons ( tls->version );
3027  tlshdr->length = htons ( ciphertext_len - sizeof ( *tlshdr ) );
3028  memcpy ( iob_put ( ciphertext, sizeof ( iv.record ) ), iv.record,
3029  sizeof ( iv.record ) );
3030  cipher_encrypt ( cipher, cipherspec->cipher_ctx, plaintext,
3031  iob_put ( ciphertext, plaintext_len ), plaintext_len );
3032  cipher_auth ( cipher, cipherspec->cipher_ctx,
3033  iob_put ( ciphertext, cipher->authsize ) );
3034  assert ( iob_len ( ciphertext ) == ciphertext_len );
3035 
3036  /* Free plaintext as soon as possible to conserve memory */
3037  free ( plaintext );
3038  plaintext = NULL;
3039 
3040  /* Send ciphertext */
3041  if ( ( rc = xfer_deliver_iob ( &tls->cipherstream,
3042  iob_disown ( ciphertext ) ) ) != 0 ) {
3043  DBGC ( tls, "TLS %p could not deliver ciphertext: %s\n",
3044  tls, strerror ( rc ) );
3045  goto err_deliver;
3046  }
3047 
3048  /* Update TX state machine to next record */
3049  tls->tx_seq += 1;
3050 
3051  assert ( plaintext == NULL );
3052  assert ( ciphertext == NULL );
3053  return 0;
3054 
3055  err_deliver:
3056  free_iob ( ciphertext );
3057  err_ciphertext:
3058  free ( plaintext );
3059  err_plaintext:
3060  err_random:
3061  return rc;
3062 }
3063 
3064 /**
3065  * Verify block padding
3066  *
3067  * @v tls TLS connection
3068  * @v iobuf Last received I/O buffer
3069  * @ret len Padding length, or negative error
3070  * @ret rc Return status code
3071  */
3072 static int tls_verify_padding ( struct tls_connection *tls,
3073  struct io_buffer *iobuf ) {
3074  uint8_t *padding;
3075  unsigned int pad;
3076  unsigned int i;
3077  size_t len;
3078 
3079  /* Extract and verify padding */
3080  padding = ( iobuf->tail - 1 );
3081  pad = *padding;
3082  len = ( pad + 1 );
3083  if ( len > iob_len ( iobuf ) ) {
3084  DBGC ( tls, "TLS %p received underlength padding\n", tls );
3085  DBGC_HD ( tls, iobuf->data, iob_len ( iobuf ) );
3086  return -EINVAL_PADDING;
3087  }
3088  for ( i = 0 ; i < pad ; i++ ) {
3089  if ( *(--padding) != pad ) {
3090  DBGC ( tls, "TLS %p received bad padding\n", tls );
3091  DBGC_HD ( tls, iobuf->data, iob_len ( iobuf ) );
3092  return -EINVAL_PADDING;
3093  }
3094  }
3095 
3096  return len;
3097 }
3098 
3099 /**
3100  * Receive new ciphertext record
3101  *
3102  * @v tls TLS connection
3103  * @v tlshdr Record header
3104  * @v rx_data List of received data buffers
3105  * @ret rc Return status code
3106  */
3107 static int tls_new_ciphertext ( struct tls_connection *tls,
3108  struct tls_header *tlshdr,
3109  struct list_head *rx_data ) {
3110  struct tls_cipherspec *cipherspec = &tls->rx_cipherspec;
3111  struct tls_cipher_suite *suite = cipherspec->suite;
3112  struct cipher_algorithm *cipher = suite->cipher;
3113  struct digest_algorithm *digest = suite->digest;
3114  size_t len = ntohs ( tlshdr->length );
3115  struct {
3116  uint8_t fixed[suite->fixed_iv_len];
3117  uint8_t record[suite->record_iv_len];
3118  } __attribute__ (( packed )) iv;
3119  struct tls_auth_header authhdr;
3120  uint8_t verify_mac[digest->digestsize];
3121  uint8_t verify_auth[cipher->authsize];
3122  struct io_buffer *first;
3123  struct io_buffer *last;
3124  struct io_buffer *iobuf;
3125  void *mac;
3126  void *auth;
3127  size_t check_len;
3128  int pad_len;
3129  int rc;
3130 
3131  /* Locate first and last data buffers */
3132  assert ( ! list_empty ( rx_data ) );
3133  first = list_first_entry ( rx_data, struct io_buffer, list );
3134  last = list_last_entry ( rx_data, struct io_buffer, list );
3135 
3136  /* Extract initialisation vector */
3137  if ( iob_len ( first ) < sizeof ( iv.record ) ) {
3138  DBGC ( tls, "TLS %p received underlength IV\n", tls );
3139  DBGC_HD ( tls, first->data, iob_len ( first ) );
3140  return -EINVAL_IV;
3141  }
3142  memcpy ( iv.fixed, cipherspec->fixed_iv, sizeof ( iv.fixed ) );
3143  memcpy ( iv.record, first->data, sizeof ( iv.record ) );
3144  iob_pull ( first, sizeof ( iv.record ) );
3145  len -= sizeof ( iv.record );
3146 
3147  /* Extract unencrypted authentication tag */
3148  if ( iob_len ( last ) < cipher->authsize ) {
3149  DBGC ( tls, "TLS %p received underlength authentication tag\n",
3150  tls );
3151  DBGC_HD ( tls, last->data, iob_len ( last ) );
3152  return -EINVAL_MAC;
3153  }
3154  iob_unput ( last, cipher->authsize );
3155  len -= cipher->authsize;
3156  auth = last->tail;
3157 
3158  /* Construct authentication data */
3159  authhdr.seq = cpu_to_be64 ( tls->rx_seq );
3160  authhdr.header.type = tlshdr->type;
3161  authhdr.header.version = tlshdr->version;
3162  authhdr.header.length = htons ( len );
3163 
3164  /* Set initialisation vector */
3165  cipher_setiv ( cipher, cipherspec->cipher_ctx, &iv, sizeof ( iv ) );
3166 
3167  /* Process authentication data, if applicable */
3168  if ( is_auth_cipher ( cipher ) ) {
3169  cipher_decrypt ( cipher, cipherspec->cipher_ctx, &authhdr,
3170  NULL, sizeof ( authhdr ) );
3171  }
3172 
3173  /* Decrypt the received data */
3174  check_len = 0;
3175  list_for_each_entry ( iobuf, &tls->rx_data, list ) {
3176  cipher_decrypt ( cipher, cipherspec->cipher_ctx,
3177  iobuf->data, iobuf->data, iob_len ( iobuf ) );
3178  check_len += iob_len ( iobuf );
3179  }
3180  assert ( check_len == len );
3181 
3182  /* Strip block padding, if applicable */
3183  if ( is_block_cipher ( cipher ) ) {
3184  pad_len = tls_verify_padding ( tls, last );
3185  if ( pad_len < 0 ) {
3186  /* Assume zero padding length to avoid timing attacks */
3187  pad_len = 0;
3188  }
3189  iob_unput ( last, pad_len );
3190  len -= pad_len;
3191  }
3192 
3193  /* Extract decrypted MAC */
3194  if ( iob_len ( last ) < suite->mac_len ) {
3195  DBGC ( tls, "TLS %p received underlength MAC\n", tls );
3196  DBGC_HD ( tls, last->data, iob_len ( last ) );
3197  return -EINVAL_MAC;
3198  }
3199  iob_unput ( last, suite->mac_len );
3200  len -= suite->mac_len;
3201  mac = last->tail;
3202 
3203  /* Dump received data */
3204  DBGC2 ( tls, "Received plaintext data:\n" );
3205  check_len = 0;
3206  list_for_each_entry ( iobuf, rx_data, list ) {
3207  DBGC2_HD ( tls, iobuf->data, iob_len ( iobuf ) );
3208  check_len += iob_len ( iobuf );
3209  }
3210  assert ( check_len == len );
3211 
3212  /* Generate MAC */
3213  authhdr.header.length = htons ( len );
3214  if ( suite->mac_len )
3215  tls_hmac_list ( cipherspec, &authhdr, rx_data, verify_mac );
3216 
3217  /* Generate authentication tag */
3218  cipher_auth ( cipher, cipherspec->cipher_ctx, verify_auth );
3219 
3220  /* Verify MAC */
3221  if ( memcmp ( mac, verify_mac, suite->mac_len ) != 0 ) {
3222  DBGC ( tls, "TLS %p failed MAC verification\n", tls );
3223  return -EINVAL_MAC;
3224  }
3225 
3226  /* Verify authentication tag */
3227  if ( memcmp ( auth, verify_auth, cipher->authsize ) != 0 ) {
3228  DBGC ( tls, "TLS %p failed authentication tag verification\n",
3229  tls );
3230  return -EINVAL_MAC;
3231  }
3232 
3233  /* Process plaintext record */
3234  if ( ( rc = tls_new_record ( tls, tlshdr->type, rx_data ) ) != 0 )
3235  return rc;
3236 
3237  return 0;
3238 }
3239 
3240 /******************************************************************************
3241  *
3242  * Plaintext stream operations
3243  *
3244  ******************************************************************************
3245  */
3246 
3247 /**
3248  * Check flow control window
3249  *
3250  * @v tls TLS connection
3251  * @ret len Length of window
3252  */
3253 static size_t tls_plainstream_window ( struct tls_connection *tls ) {
3254 
3255  /* Block window unless we are ready to accept data */
3256  if ( ! tls_ready ( tls ) )
3257  return 0;
3258 
3259  return xfer_window ( &tls->cipherstream );
3260 }
3261 
3262 /**
3263  * Deliver datagram as raw data
3264  *
3265  * @v tls TLS connection
3266  * @v iobuf I/O buffer
3267  * @v meta Data transfer metadata
3268  * @ret rc Return status code
3269  */
3270 static int tls_plainstream_deliver ( struct tls_connection *tls,
3271  struct io_buffer *iobuf,
3272  struct xfer_metadata *meta __unused ) {
3273  int rc;
3274 
3275  /* Refuse unless we are ready to accept data */
3276  if ( ! tls_ready ( tls ) ) {
3277  rc = -ENOTCONN;
3278  goto done;
3279  }
3280 
3281  if ( ( rc = tls_send_plaintext ( tls, TLS_TYPE_DATA, iobuf->data,
3282  iob_len ( iobuf ) ) ) != 0 )
3283  goto done;
3284 
3285  done:
3286  free_iob ( iobuf );
3287  return rc;
3288 }
3289 
3290 /**
3291  * Report job progress
3292  *
3293  * @v tls TLS connection
3294  * @v progress Progress report to fill in
3295  * @ret ongoing_rc Ongoing job status code (if known)
3296  */
3297 static int tls_progress ( struct tls_connection *tls,
3298  struct job_progress *progress ) {
3299 
3300  /* Return cipherstream or validator progress as applicable */
3301  if ( is_pending ( &tls->validation ) ) {
3302  return job_progress ( &tls->validator, progress );
3303  } else {
3304  return job_progress ( &tls->cipherstream, progress );
3305  }
3306 }
3307 
3308 /** TLS plaintext stream interface operations */
3310  INTF_OP ( xfer_deliver, struct tls_connection *,
3312  INTF_OP ( xfer_window, struct tls_connection *,
3315  INTF_OP ( intf_close, struct tls_connection *, tls_close ),
3316 };
3317 
3318 /** TLS plaintext stream interface descriptor */
3320  INTF_DESC_PASSTHRU ( struct tls_connection, plainstream,
3321  tls_plainstream_ops, cipherstream );
3322 
3323 /******************************************************************************
3324  *
3325  * Ciphertext stream operations
3326  *
3327  ******************************************************************************
3328  */
3329 
3330 /**
3331  * Handle received TLS header
3332  *
3333  * @v tls TLS connection
3334  * @ret rc Returned status code
3335  */
3336 static int tls_newdata_process_header ( struct tls_connection *tls ) {
3337  struct tls_cipherspec *cipherspec = &tls->rx_cipherspec;
3338  struct cipher_algorithm *cipher = cipherspec->suite->cipher;
3339  size_t iv_len = cipherspec->suite->record_iv_len;
3340  size_t data_len = ntohs ( tls->rx_header.length );
3341  size_t remaining = data_len;
3342  size_t frag_len;
3343  size_t reserve;
3344  struct io_buffer *iobuf;
3345  struct io_buffer *tmp;
3346  int rc;
3347 
3348  /* Sanity check */
3349  assert ( ( TLS_RX_BUFSIZE % cipher->alignsize ) == 0 );
3350 
3351  /* Calculate alignment reservation at start of first data buffer */
3352  reserve = ( ( -iv_len ) & ( cipher->alignsize - 1 ) );
3353  remaining += reserve;
3354 
3355  /* Allocate data buffers now that we know the length */
3356  assert ( list_empty ( &tls->rx_data ) );
3357  while ( remaining ) {
3358 
3359  /* Calculate fragment length. Ensure that no block is
3360  * smaller than TLS_RX_MIN_BUFSIZE (by increasing the
3361  * allocation length if necessary).
3362  */
3363  frag_len = remaining;
3364  if ( frag_len > TLS_RX_BUFSIZE )
3365  frag_len = TLS_RX_BUFSIZE;
3366  remaining -= frag_len;
3367  if ( remaining < TLS_RX_MIN_BUFSIZE ) {
3368  frag_len += remaining;
3369  remaining = 0;
3370  }
3371 
3372  /* Allocate buffer */
3373  iobuf = alloc_iob_raw ( frag_len, TLS_RX_ALIGN, 0 );
3374  if ( ! iobuf ) {
3375  DBGC ( tls, "TLS %p could not allocate %zd of %zd "
3376  "bytes for receive buffer\n", tls,
3377  remaining, data_len );
3378  rc = -ENOMEM_RX_DATA;
3379  goto err;
3380  }
3381 
3382  /* Ensure tailroom is exactly what we asked for. This
3383  * will result in unaligned I/O buffers when the
3384  * fragment length is unaligned, which can happen only
3385  * before we switch to using a block cipher.
3386  */
3387  iob_reserve ( iobuf, ( iob_tailroom ( iobuf ) - frag_len ) );
3388 
3389  /* Ensure first buffer length will be aligned to a
3390  * multiple of the cipher alignment size after
3391  * stripping the record IV.
3392  */
3393  iob_reserve ( iobuf, reserve );
3394  reserve = 0;
3395 
3396  /* Add I/O buffer to list */
3397  list_add_tail ( &iobuf->list, &tls->rx_data );
3398  }
3399 
3400  /* Move to data state */
3401  tls->rx_state = TLS_RX_DATA;
3402 
3403  return 0;
3404 
3405  err:
3406  list_for_each_entry_safe ( iobuf, tmp, &tls->rx_data, list ) {
3407  list_del ( &iobuf->list );
3408  free_iob ( iobuf );
3409  }
3410  return rc;
3411 }
3412 
3413 /**
3414  * Handle received TLS data payload
3415  *
3416  * @v tls TLS connection
3417  * @ret rc Returned status code
3418  */
3419 static int tls_newdata_process_data ( struct tls_connection *tls ) {
3420  struct io_buffer *iobuf;
3421  int rc;
3422 
3423  /* Move current buffer to end of list */
3424  iobuf = list_first_entry ( &tls->rx_data, struct io_buffer, list );
3425  list_del ( &iobuf->list );
3426  list_add_tail ( &iobuf->list, &tls->rx_data );
3427 
3428  /* Continue receiving data if any space remains */
3429  iobuf = list_first_entry ( &tls->rx_data, struct io_buffer, list );
3430  if ( iob_tailroom ( iobuf ) )
3431  return 0;
3432 
3433  /* Process record */
3434  if ( ( rc = tls_new_ciphertext ( tls, &tls->rx_header,
3435  &tls->rx_data ) ) != 0 )
3436  return rc;
3437 
3438  /* Increment RX sequence number */
3439  tls->rx_seq += 1;
3440 
3441  /* Return to header state */
3442  assert ( list_empty ( &tls->rx_data ) );
3443  tls->rx_state = TLS_RX_HEADER;
3444  iob_unput ( &tls->rx_header_iobuf, sizeof ( tls->rx_header ) );
3445 
3446  return 0;
3447 }
3448 
3449 /**
3450  * Check flow control window
3451  *
3452  * @v tls TLS connection
3453  * @ret len Length of window
3454  */
3455 static size_t tls_cipherstream_window ( struct tls_connection *tls ) {
3456 
3457  /* Open window until we are ready to accept data */
3458  if ( ! tls_ready ( tls ) )
3459  return -1UL;
3460 
3461  return xfer_window ( &tls->plainstream );
3462 }
3463 
3464 /**
3465  * Receive new ciphertext
3466  *
3467  * @v tls TLS connection
3468  * @v iobuf I/O buffer
3469  * @v meta Data transfer metadat
3470  * @ret rc Return status code
3471  */
3472 static int tls_cipherstream_deliver ( struct tls_connection *tls,
3473  struct io_buffer *iobuf,
3474  struct xfer_metadata *xfer __unused ) {
3475  size_t frag_len;
3476  int ( * process ) ( struct tls_connection *tls );
3477  struct io_buffer *dest;
3478  int rc;
3479 
3480  while ( iob_len ( iobuf ) ) {
3481 
3482  /* Select buffer according to current state */
3483  switch ( tls->rx_state ) {
3484  case TLS_RX_HEADER:
3485  dest = &tls->rx_header_iobuf;
3487  break;
3488  case TLS_RX_DATA:
3489  dest = list_first_entry ( &tls->rx_data,
3490  struct io_buffer, list );
3491  assert ( dest != NULL );
3493  break;
3494  default:
3495  assert ( 0 );
3496  rc = -EINVAL_RX_STATE;
3497  goto done;
3498  }
3499 
3500  /* Copy data portion to buffer */
3501  frag_len = iob_len ( iobuf );
3502  if ( frag_len > iob_tailroom ( dest ) )
3503  frag_len = iob_tailroom ( dest );
3504  memcpy ( iob_put ( dest, frag_len ), iobuf->data, frag_len );
3505  iob_pull ( iobuf, frag_len );
3506 
3507  /* Process data if buffer is now full */
3508  if ( iob_tailroom ( dest ) == 0 ) {
3509  if ( ( rc = process ( tls ) ) != 0 ) {
3510  tls_close ( tls, rc );
3511  goto done;
3512  }
3513  }
3514  }
3515  rc = 0;
3516 
3517  done:
3518  free_iob ( iobuf );
3519  return rc;
3520 }
3521 
3522 /** TLS ciphertext stream interface operations */
3524  INTF_OP ( xfer_deliver, struct tls_connection *,
3526  INTF_OP ( xfer_window, struct tls_connection *,
3529  tls_tx_resume ),
3530  INTF_OP ( intf_close, struct tls_connection *, tls_close ),
3531 };
3532 
3533 /** TLS ciphertext stream interface descriptor */
3535  INTF_DESC_PASSTHRU ( struct tls_connection, cipherstream,
3536  tls_cipherstream_ops, plainstream );
3537 
3538 /******************************************************************************
3539  *
3540  * Certificate validator
3541  *
3542  ******************************************************************************
3543  */
3544 
3545 /**
3546  * Handle certificate validation completion
3547  *
3548  * @v tls TLS connection
3549  * @v rc Reason for completion
3550  */
3551 static void tls_validator_done ( struct tls_connection *tls, int rc ) {
3552  struct tls_session *session = tls->session;
3553  struct tls_cipherspec *cipherspec = &tls->tx_cipherspec_pending;
3554  struct pubkey_algorithm *pubkey = cipherspec->suite->pubkey;
3555  struct x509_certificate *cert;
3556 
3557  /* Mark validation as complete */
3558  pending_put ( &tls->validation );
3559 
3560  /* Close validator interface */
3561  intf_restart ( &tls->validator, rc );
3562 
3563  /* Check for validation failure */
3564  if ( rc != 0 ) {
3565  DBGC ( tls, "TLS %p certificate validation failed: %s\n",
3566  tls, strerror ( rc ) );
3567  goto err;
3568  }
3569  DBGC ( tls, "TLS %p certificate validation succeeded\n", tls );
3570 
3571  /* Extract first certificate */
3572  cert = x509_first ( tls->chain );
3573  assert ( cert != NULL );
3574 
3575  /* Verify server name */
3576  if ( ( rc = x509_check_name ( cert, session->name ) ) != 0 ) {
3577  DBGC ( tls, "TLS %p server certificate does not match %s: %s\n",
3578  tls, session->name, strerror ( rc ) );
3579  goto err;
3580  }
3581 
3582  /* Initialise public key algorithm */
3583  if ( ( rc = pubkey_init ( pubkey, cipherspec->pubkey_ctx,
3584  cert->subject.public_key.raw.data,
3585  cert->subject.public_key.raw.len ) ) != 0 ) {
3586  DBGC ( tls, "TLS %p cannot initialise public key: %s\n",
3587  tls, strerror ( rc ) );
3588  goto err;
3589  }
3590 
3591  /* Schedule Client Key Exchange, Change Cipher, and Finished */
3594  TLS_TX_FINISHED );
3595  if ( tls->certs ) {
3596  tls->tx_pending |= ( TLS_TX_CERTIFICATE |
3598  }
3599  tls_tx_resume ( tls );
3600 
3601  return;
3602 
3603  err:
3604  tls_close ( tls, rc );
3605  return;
3606 }
3607 
3608 /** TLS certificate validator interface operations */
3611 };
3612 
3613 /** TLS certificate validator interface descriptor */
3616 
3617 /******************************************************************************
3618  *
3619  * Controlling process
3620  *
3621  ******************************************************************************
3622  */
3623 
3624 /**
3625  * TLS TX state machine
3626  *
3627  * @v tls TLS connection
3628  */
3629 static void tls_tx_step ( struct tls_connection *tls ) {
3630  struct tls_session *session = tls->session;
3631  struct tls_connection *conn;
3632  int rc;
3633 
3634  /* Wait for cipherstream to become ready */
3635  if ( ! xfer_window ( &tls->cipherstream ) )
3636  return;
3637 
3638  /* Send first pending transmission */
3639  if ( tls->tx_pending & TLS_TX_CLIENT_HELLO ) {
3640  /* Serialise server negotiations within a session, to
3641  * provide a consistent view of session IDs and
3642  * session tickets.
3643  */
3644  list_for_each_entry ( conn, &session->conn, list ) {
3645  if ( conn == tls )
3646  break;
3647  if ( is_pending ( &conn->server_negotiation ) )
3648  return;
3649  }
3650  /* Record or generate session ID and associated master secret */
3651  if ( session->id_len ) {
3652  /* Attempt to resume an existing session */
3653  memcpy ( tls->session_id, session->id,
3654  sizeof ( tls->session_id ) );
3655  tls->session_id_len = session->id_len;
3656  memcpy ( tls->master_secret, session->master_secret,
3657  sizeof ( tls->master_secret ) );
3658  } else {
3659  /* No existing session: use a random session ID */
3660  assert ( sizeof ( tls->session_id ) ==
3661  sizeof ( tls->client_random ) );
3662  memcpy ( tls->session_id, &tls->client_random,
3663  sizeof ( tls->session_id ) );
3664  tls->session_id_len = sizeof ( tls->session_id );
3665  }
3666  /* Send Client Hello */
3667  if ( ( rc = tls_send_client_hello ( tls ) ) != 0 ) {
3668  DBGC ( tls, "TLS %p could not send Client Hello: %s\n",
3669  tls, strerror ( rc ) );
3670  goto err;
3671  }
3673  } else if ( tls->tx_pending & TLS_TX_CERTIFICATE ) {
3674  /* Send Certificate */
3675  if ( ( rc = tls_send_certificate ( tls ) ) != 0 ) {
3676  DBGC ( tls, "TLS %p cold not send Certificate: %s\n",
3677  tls, strerror ( rc ) );
3678  goto err;
3679  }
3680  tls->tx_pending &= ~TLS_TX_CERTIFICATE;
3681  } else if ( tls->tx_pending & TLS_TX_CLIENT_KEY_EXCHANGE ) {
3682  /* Send Client Key Exchange */
3683  if ( ( rc = tls_send_client_key_exchange ( tls ) ) != 0 ) {
3684  DBGC ( tls, "TLS %p could not send Client Key "
3685  "Exchange: %s\n", tls, strerror ( rc ) );
3686  goto err;
3687  }
3689  } else if ( tls->tx_pending & TLS_TX_CERTIFICATE_VERIFY ) {
3690  /* Send Certificate Verify */
3691  if ( ( rc = tls_send_certificate_verify ( tls ) ) != 0 ) {
3692  DBGC ( tls, "TLS %p could not send Certificate "
3693  "Verify: %s\n", tls, strerror ( rc ) );
3694  goto err;
3695  }
3697  } else if ( tls->tx_pending & TLS_TX_CHANGE_CIPHER ) {
3698  /* Send Change Cipher, and then change the cipher in use */
3699  if ( ( rc = tls_send_change_cipher ( tls ) ) != 0 ) {
3700  DBGC ( tls, "TLS %p could not send Change Cipher: "
3701  "%s\n", tls, strerror ( rc ) );
3702  goto err;
3703  }
3704  if ( ( rc = tls_change_cipher ( tls,
3705  &tls->tx_cipherspec_pending,
3706  &tls->tx_cipherspec )) != 0 ){
3707  DBGC ( tls, "TLS %p could not activate TX cipher: "
3708  "%s\n", tls, strerror ( rc ) );
3709  goto err;
3710  }
3711  tls->tx_seq = 0;
3713  } else if ( tls->tx_pending & TLS_TX_FINISHED ) {
3714  /* Send Finished */
3715  if ( ( rc = tls_send_finished ( tls ) ) != 0 ) {
3716  DBGC ( tls, "TLS %p could not send Finished: %s\n",
3717  tls, strerror ( rc ) );
3718  goto err;
3719  }
3720  tls->tx_pending &= ~TLS_TX_FINISHED;
3721  }
3722 
3723  /* Reschedule process if pending transmissions remain,
3724  * otherwise send notification of a window change.
3725  */
3726  if ( tls->tx_pending ) {
3727  tls_tx_resume ( tls );
3728  } else {
3729  xfer_window_changed ( &tls->plainstream );
3730  }
3731 
3732  return;
3733 
3734  err:
3735  tls_close ( tls, rc );
3736 }
3737 
3738 /** TLS TX process descriptor */
3741 
3742 /******************************************************************************
3743  *
3744  * Session management
3745  *
3746  ******************************************************************************
3747  */
3748 
3749 /**
3750  * Find or create session for TLS connection
3751  *
3752  * @v tls TLS connection
3753  * @v name Server name
3754  * @ret rc Return status code
3755  */
3756 static int tls_session ( struct tls_connection *tls, const char *name ) {
3757  struct tls_session *session;
3758  char *name_copy;
3759  int rc;
3760 
3761  /* Find existing matching session, if any */
3762  list_for_each_entry ( session, &tls_sessions, list ) {
3763  if ( ( strcmp ( name, session->name ) == 0 ) &&
3764  ( tls->root == session->root ) &&
3765  ( tls->key == session->key ) ) {
3766  ref_get ( &session->refcnt );
3767  tls->session = session;
3768  DBGC ( tls, "TLS %p joining session %s\n", tls, name );
3769  return 0;
3770  }
3771  }
3772 
3773  /* Create new session */
3774  session = zalloc ( sizeof ( *session ) + strlen ( name )
3775  + 1 /* NUL */ );
3776  if ( ! session ) {
3777  rc = -ENOMEM;
3778  goto err_alloc;
3779  }
3780  ref_init ( &session->refcnt, free_tls_session );
3781  name_copy = ( ( ( void * ) session ) + sizeof ( *session ) );
3782  strcpy ( name_copy, name );
3783  session->name = name_copy;
3784  session->root = x509_root_get ( tls->root );
3785  session->key = privkey_get ( tls->key );
3786  INIT_LIST_HEAD ( &session->conn );
3787  list_add ( &session->list, &tls_sessions );
3788 
3789  /* Record session */
3790  tls->session = session;
3791 
3792  DBGC ( tls, "TLS %p created session %s\n", tls, name );
3793  return 0;
3794 
3795  ref_put ( &session->refcnt );
3796  err_alloc:
3797  return rc;
3798 }
3799 
3800 /******************************************************************************
3801  *
3802  * Instantiator
3803  *
3804  ******************************************************************************
3805  */
3806 
3807 /**
3808  * Add TLS on an interface
3809  *
3810  * @v xfer Data transfer interface
3811  * @v name Host name
3812  * @v root Root of trust (or NULL to use default)
3813  * @v key Private key (or NULL to use default)
3814  * @ret rc Return status code
3815  */
3816 int add_tls ( struct interface *xfer, const char *name,
3817  struct x509_root *root, struct private_key *key ) {
3818  struct tls_connection *tls;
3819  int rc;
3820 
3821  /* Allocate and initialise TLS structure */
3822  tls = malloc ( sizeof ( *tls ) );
3823  if ( ! tls ) {
3824  rc = -ENOMEM;
3825  goto err_alloc;
3826  }
3827  memset ( tls, 0, sizeof ( *tls ) );
3828  ref_init ( &tls->refcnt, free_tls );
3829  INIT_LIST_HEAD ( &tls->list );
3830  intf_init ( &tls->plainstream, &tls_plainstream_desc, &tls->refcnt );
3832  intf_init ( &tls->validator, &tls_validator_desc, &tls->refcnt );
3834  &tls->refcnt );
3835  tls->key = privkey_get ( key ? key : &private_key );
3836  tls->root = x509_root_get ( root ? root : &root_certificates );
3837  tls->version = TLS_VERSION_MAX;
3838  tls_clear_cipher ( tls, &tls->tx_cipherspec );
3839  tls_clear_cipher ( tls, &tls->tx_cipherspec_pending );
3840  tls_clear_cipher ( tls, &tls->rx_cipherspec );
3841  tls_clear_cipher ( tls, &tls->rx_cipherspec_pending );
3842  tls_clear_handshake ( tls );
3843  tls->client_random.gmt_unix_time = time ( NULL );
3844  iob_populate ( &tls->rx_header_iobuf, &tls->rx_header, 0,
3845  sizeof ( tls->rx_header ) );
3846  INIT_LIST_HEAD ( &tls->rx_data );
3847  if ( ( rc = tls_generate_random ( tls, &tls->client_random.random,
3848  ( sizeof ( tls->client_random.random ) ) ) ) != 0 ) {
3849  goto err_random;
3850  }
3851  if ( ( rc = tls_session ( tls, name ) ) != 0 )
3852  goto err_session;
3853  list_add_tail ( &tls->list, &tls->session->conn );
3854 
3855  /* Start negotiation */
3856  tls_restart ( tls );
3857 
3858  /* Attach to parent interface, mortalise self, and return */
3859  intf_insert ( xfer, &tls->plainstream, &tls->cipherstream );
3860  ref_put ( &tls->refcnt );
3861  return 0;
3862 
3863  err_session:
3864  err_random:
3865  ref_put ( &tls->refcnt );
3866  err_alloc:
3867  return rc;
3868 }
3869 
3870 /* Drag in objects via add_tls() */
3872 
3873 /* Drag in crypto configuration */
3874 REQUIRE_OBJECT ( config_crypto );
Transport Layer Security Protocol.
#define cpu_to_be16(value)
Definition: byteswap.h:109
struct tls_verify_data verify
Verification data.
Definition: tls.h:397
void * memswap(void *first, void *second, size_t len)
Swap memory regions.
Definition: string.c:153
static void free_tls(struct refcnt *refcnt)
Free TLS connection.
Definition: tls.c:376
static void x509_chain_put(struct x509_chain *chain)
Drop reference to X.509 certificate chain.
Definition: x509.h:291
A process.
Definition: process.h:17
#define iob_pull(iobuf, len)
Definition: iobuf.h:102
static int tls_send_certificate(struct tls_connection *tls)
Transmit Certificate record.
Definition: tls.c:1332
void hmac_init(struct digest_algorithm *digest, void *ctx, const void *key, size_t key_len)
Initialise HMAC.
Definition: hmac.c:57
#define __attribute__(x)
Definition: compiler.h:10
An object interface operation.
Definition: interface.h:17
u16 length
Definition: sky2.h:9
#define EPERM_CLIENT_CERT
Definition: tls.c:173
size_t blocksize
Block size.
Definition: crypto.h:59
struct digest_algorithm * digest
Digest algorithm.
Definition: tls.h:264
struct asn1_cursor raw
Raw public key information.
Definition: x509.h:50
uint64_t seq
Sequence number.
Definition: tls.h:144
#define EINVAL_PADDING
Definition: tls.c:93
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
static void tls_tx_resume_all(struct tls_session *session)
Resume TX state machine for all connections within a session.
Definition: tls.c:1099
const char * name
Definition: ath9k_hw.c:1984
void xfer_window_changed(struct interface *intf)
Report change of flow control window.
Definition: xfer.c:146
unsigned short uint16_t
Definition: stdint.h:11
void intf_close(struct interface *intf, int rc)
Close an object interface.
Definition: interface.c:249
struct x509_chain * chain
Server certificate chain.
Definition: tls.h:402
An MD5+SHA1 context.
Definition: tls.h:293
static void tls_validator_done(struct tls_connection *tls, int rc)
Handle certificate validation completion.
Definition: tls.c:3551
static void privkey_put(struct private_key *key)
Drop reference to private key.
Definition: privkey.h:41
void intf_restart(struct interface *intf, int rc)
Shut down and restart an object interface.
Definition: interface.c:343
struct tls_cipher_suite tls_cipher_suite_null
Null cipher suite.
Definition: tls.c:822
static int tls_select_cipher(struct tls_connection *tls, unsigned int cipher_suite)
Select next cipher suite.
Definition: tls.c:918
struct pending_operation client_negotiation
Client security negotiation pending operation.
Definition: tls.h:407
#define iob_put(iobuf, len)
Definition: iobuf.h:120
#define va_end(ap)
Definition: stdarg.h:9
struct process process
TX process.
Definition: tls.h:418
#define TLS_NUM_CIPHER_SUITES
Number of supported cipher suites.
Definition: tls.c:830
Data transfer metadata.
Definition: xfer.h:22
void intf_shutdown(struct interface *intf, int rc)
Shut down an object interface.
Definition: interface.c:278
static void tls_tx_resume(struct tls_connection *tls)
Resume TX state machine.
Definition: tls.c:1090
static int tls_new_ciphertext(struct tls_connection *tls, struct tls_header *tlshdr, struct list_head *rx_data)
Receive new ciphertext record.
Definition: tls.c:3107
static int tls_newdata_process_header(struct tls_connection *tls)
Handle received TLS header.
Definition: tls.c:3336
#define TLS_RENEGOTIATION_INFO
Definition: tls.h:139
int xfer_deliver_iob(struct interface *intf, struct io_buffer *iobuf)
Deliver datagram as I/O buffer without metadata.
Definition: xfer.c:255
struct x509_certificate * certstore_find_key(struct private_key *key)
Find certificate in store corresponding to a private key.
Definition: certstore.c:119
struct x509_chain certstore
Certificate store.
Definition: certstore.c:73
#define max(x, y)
Definition: ath.h:39
struct tls_session * session
Session.
Definition: tls.h:349
static struct tls_named_curve * tls_find_named_curve(unsigned int named_curve)
Identify named curve.
Definition: tls.c:1066
static struct x509_certificate * x509_get(struct x509_certificate *cert)
Get reference to X.509 certificate.
Definition: x509.h:258
struct tls_key_exchange_algorithm * exchange
Key exchange algorithm.
Definition: tls.h:189
struct io_buffer rx_header_iobuf
Current received record header (static I/O buffer)
Definition: tls.h:427
uint8_t record_iv_len
Record initialisation vector length.
Definition: tls.h:205
static unsigned long tls_uint24(const tls24_t *field24)
Extract 24-bit field value.
Definition: tls.c:230
static void tls_restart(struct tls_connection *tls)
Restart negotiation.
Definition: tls.c:1111
#define TLS_NUM_NAMED_CURVES
Number of supported named curves.
Definition: tls.c:1057
int dhe_key(const void *modulus, size_t len, const void *generator, size_t generator_len, const void *partner, size_t partner_len, const void *private, size_t private_len, void *public, void *shared)
Calculate Diffie-Hellman key.
Definition: dhe.c:53
static struct pubkey_algorithm * tls_signature_hash_pubkey(struct tls_signature_hash_id code)
Find TLS signature algorithm.
Definition: tls.c:1018
u8 sig
Definition: CIB_PRM.h:43
struct stp_switch root
Root switch.
Definition: stp.h:26
#define list_add(new, head)
Add a new entry to the head of a list.
Definition: list.h:69
uint32_t next
Next descriptor address.
Definition: myson.h:18
uint16_t spec
ENA specification version.
Definition: ena.h:26
struct list_head links
List of links.
Definition: x509.h:203
static struct tls_cipher_suite * tls_find_cipher_suite(unsigned int cipher_suite)
Identify cipher suite.
Definition: tls.c:839
#define EPERM_KEY_EXCHANGE
Definition: tls.c:185
#define ref_init(refcnt, free)
Initialise a reference counter.
Definition: refcnt.h:64
Error codes.
struct refcnt refcnt
Reference counter.
Definition: tls.h:346
#define EINVAL_HELLO
Definition: tls.c:65
uint64_t rx_seq
RX sequence number.
Definition: tls.h:421
uint8_t type
Content type.
Definition: tls.h:33
static void tls_verify_handshake(struct tls_connection *tls, void *out)
Calculate handshake verification hash.
Definition: tls.c:806
int x509_check_name(struct x509_certificate *cert, const char *name)
Check X.509 certificate name.
Definition: x509.c:1569
static int rbg_generate(const void *additional, size_t additional_len, int prediction_resist, void *data, size_t len)
Generate bits using RBG.
Definition: rbg.h:36
static int tls_send_client_key_exchange_pubkey(struct tls_connection *tls)
Transmit Client Key Exchange record using public key exchange.
Definition: tls.c:1394
I/O buffers.
static int tls_cipherstream_deliver(struct tls_connection *tls, struct io_buffer *iobuf, struct xfer_metadata *xfer __unused)
Receive new ciphertext.
Definition: tls.c:3472
uint16_t max_len
Maximum length (in bytes)
Definition: ntlm.h:18
void free_iob(struct io_buffer *iobuf)
Free I/O buffer.
Definition: iobuf.c:146
struct io_buffer * alloc_iob_raw(size_t len, size_t align, size_t offset)
Allocate I/O buffer with specified alignment and offset.
Definition: iobuf.c:48
static int tls_add_handshake(struct tls_connection *tls, const void *data, size_t len)
Add handshake record to verification hash.
Definition: tls.c:790
#define ENOTSUP_CURVE
Definition: tls.c:161
int x509_append_raw(struct x509_chain *chain, const void *data, size_t len)
Append X.509 certificate to X.509 certificate chain.
Definition: x509.c:1668
static void tls_generate_master_secret(struct tls_connection *tls, const void *pre_master_secret, size_t pre_master_secret_len)
Generate master secret.
Definition: tls.c:636
static LIST_HEAD(tls_sessions)
List of TLS session.
size_t alignsize
Alignment size.
Definition: crypto.h:71
#define ENOTSUP_VERSION
Definition: tls.c:157
static struct interface_operation tls_plainstream_ops[]
TLS plaintext stream interface operations.
Definition: tls.c:3309
void pending_put(struct pending_operation *pending)
Mark an operation as no longer pending.
Definition: pending.c:58
#define TLS_CLIENT_HELLO
Definition: tls.h:69
struct x509_root root_certificates
Root certificates.
Definition: rootcert.c:73
struct asn1_algorithm * signature_algorithm
Signature algorithm.
Definition: x509.h:230
const void * data
Start of data.
Definition: asn1.h:22
#define DBGC(...)
Definition: compiler.h:505
size_t new_session_ticket_len
Length of new session ticket.
Definition: tls.h:359
#define ENOMEM_RX_CONCAT
Definition: tls.c:141
A process descriptor.
Definition: process.h:31
#define TLS_VERSION_TLS_1_2
TLS version 1.2.
Definition: tls.h:47
#define TLS_CERTIFICATE
Definition: tls.h:72
int x509_append(struct x509_chain *chain, struct x509_certificate *cert)
Append X.509 certificate to X.509 certificate chain.
Definition: x509.c:1643
static struct private_key * privkey_get(struct private_key *key)
Get reference to private key.
Definition: privkey.h:30
uint8_t server_random[32]
Server random bytes.
Definition: tls.h:379
uint8_t session_id[32]
Session ID.
Definition: tls.h:353
FILE_LICENCE(GPL2_OR_LATER)
struct tls_header rx_header
Current received record header.
Definition: tls.h:425
struct x509_chain * x509_alloc_chain(void)
Allocate X.509 certificate chain.
Definition: x509.c:1620
static void x509_root_put(struct x509_root *root)
Drop reference to X.509 root certificate list.
Definition: x509.h:395
#define EINVAL_HELLO_DONE
Definition: tls.c:77
uint16_t length
Length of payload.
Definition: tls.h:40
struct x509_root * root
Root of trust.
Definition: tls.h:400
unsigned long long uint64_t
Definition: stdint.h:13
struct io_buffer * xfer_alloc_iob(struct interface *intf, size_t len)
Allocate I/O buffer.
Definition: xfer.c:158
struct eltorito_descriptor_fixed fixed
Fixed portion.
Definition: eltorito.h:13
struct pubkey_algorithm pubkey_null
Definition: crypto_null.c:135
#define EPROTO_VERSION
Definition: tls.c:189
#define EIO_ALERT
Definition: tls.c:113
struct tls_key_exchange_algorithm tls_pubkey_exchange_algorithm
Public key exchange algorithm.
Definition: tls.c:1447
uint32_t data_len
Microcode data size (or 0 to indicate 2000 bytes)
Definition: ucode.h:26
static struct digest_algorithm * tls_signature_hash_digest(struct tls_signature_hash_id code)
Find TLS hash algorithm.
Definition: tls.c:1037
static struct interface_operation tls_validator_ops[]
TLS certificate validator interface operations.
Definition: tls.c:3609
#define ENOMEM_CHAIN
Definition: tls.c:125
#define va_copy(dest, src)
Definition: stdarg.h:10
#define ntohs(value)
Definition: byteswap.h:136
#define TLS_SERVER_HELLO_DONE
Definition: tls.h:75
#define PROC_DESC_ONCE(object_type, process, _step)
Define a process descriptor for a process that runs only once.
Definition: process.h:97
static void tls_close(struct tls_connection *tls, int rc)
Finish with TLS connection.
Definition: tls.c:415
#define TLS_CERTIFICATE_REQUEST
Definition: tls.h:74
TLS authentication header.
Definition: tls.h:142
u32 pad[9]
Padding.
Definition: ar9003_mac.h:90
uint8_t mac[ETH_ALEN]
MAC address.
Definition: ena.h:24
static void md5_sha1_final(void *ctx, void *out)
Generate MD5+SHA1 digest.
Definition: tls.c:314
A TLS cipher specification.
Definition: tls.h:238
static void iob_populate(struct io_buffer *iobuf, void *data, size_t len, size_t max_len)
Create a temporary I/O buffer.
Definition: iobuf.h:190
#define EINVAL_CERTIFICATE
Definition: tls.c:69
static void free_tls_session(struct refcnt *refcnt)
Free TLS session.
Definition: tls.c:352
const char * name
Algorithm name.
Definition: tls.h:176
struct pubkey_algorithm * pubkey
Public-key encryption algorithm.
Definition: tls.h:191
static void md5_sha1_init(void *ctx)
Initialise MD5+SHA1 algorithm.
Definition: tls.c:287
#define list_last_entry(list, type, member)
Get the container of the last entry in a list.
Definition: list.h:346
void process_del(struct process *process)
Remove process from process list.
Definition: process.c:79
#define htonl(value)
Definition: byteswap.h:133
size_t xfer_window(struct interface *intf)
Check flow control window.
Definition: xfer.c:116
static void void * auth
Definition: crypto.h:264
uint32_t a
Definition: md4.c:28
size_t ctxsize
Context size.
Definition: crypto.h:124
static void tls_hmac_final(struct tls_cipherspec *cipherspec, void *ctx, void *hmac)
Finalise HMAC.
Definition: tls.c:2877
__be32 out[4]
Definition: CIB_PRM.h:36
static struct interface_descriptor tls_cipherstream_desc
TLS ciphertext stream interface descriptor.
Definition: tls.c:3534
A doubly-linked list entry (or list head)
Definition: list.h:18
#define TLS_MAX_FRAGMENT_LENGTH
Definition: tls.h:122
static int tls_send_handshake(struct tls_connection *tls, const void *data, size_t len)
Transmit Handshake record.
Definition: tls.c:1134
Data transfer interfaces.
size_t len
Length of data.
Definition: asn1.h:24
A reference counter.
Definition: refcnt.h:26
A certificate validator.
Definition: validator.c:64
static struct asn1_cursor * privkey_cursor(struct private_key *key)
Get private key ASN.1 cursor.
Definition: privkey.h:52
uint32_t pending
Pending events.
Definition: hyperv.h:12
static struct interface_descriptor tls_validator_desc
TLS certificate validator interface descriptor.
Definition: tls.c:3614
#define EINVAL_CHANGE_CIPHER
Definition: tls.c:57
Private key.
#define TLS_NAMED_CURVE
Definition: tls.h:129
#define list_empty(list)
Test whether a list is empty.
Definition: list.h:136
static void tls_hmac_list(struct tls_cipherspec *cipherspec, struct tls_auth_header *authhdr, struct list_head *list, void *hmac)
Calculate HMAC over list of I/O buffers.
Definition: tls.c:2912
unsigned long tmp
Definition: linux_pci.h:53
#define ENOMEM_CONTEXT
Definition: tls.c:117
struct pubkey_algorithm * pubkey
Public-key algorithm (if applicable)
Definition: asn1.h:317
#define cipher_encrypt(cipher, ctx, src, dst, len)
Definition: crypto.h:248
#define list_first_entry(list, type, member)
Get the container of the first entry in a list.
Definition: list.h:333
enum tls_rx_state rx_state
RX state.
Definition: tls.h:423
size_t authsize
Authentication tag size.
Definition: crypto.h:73
#define EINVAL_MAC
Definition: tls.c:101
#define list_del(list)
Delete an entry from a list.
Definition: list.h:119
static int tls_send_client_key_exchange_ecdhe(struct tls_connection *tls)
Transmit Client Key Exchange record using ECDHE key exchange.
Definition: tls.c:1672
void * tail
End of data.
Definition: iobuf.h:50
static int tls_new_hello_request(struct tls_connection *tls, const void *data __unused, size_t len __unused)
Receive new Hello Request handshake record.
Definition: tls.c:2039
#define ENOMEM
Not enough space.
Definition: errno.h:534
#define ENOTSUP_NULL
Definition: tls.c:149
#define iob_disown(iobuf)
Disown an I/O buffer.
Definition: iobuf.h:212
#define TLS_NAMED_CURVE_TYPE
TLS named curved type.
Definition: tls.h:219
uint8_t * handshake_ctx
Digest algorithm context used for handshake verification.
Definition: tls.h:389
struct tls_cipherspec tx_cipherspec
Current TX cipher specification.
Definition: tls.h:369
void * memcpy(void *dest, const void *src, size_t len) __nonnull
Certificate store.
#define va_arg(ap, type)
Definition: stdarg.h:8
static void tls_hmac_update_va(struct digest_algorithm *digest, void *ctx, va_list args)
Update HMAC with a list of ( data, len ) pairs.
Definition: tls.c:476
int(* exchange)(struct tls_connection *tls)
Transmit Client Key Exchange record.
Definition: tls.h:183
REQUIRE_OBJECT(config_crypto)
static int tls_newdata_process_data(struct tls_connection *tls)
Handle received TLS data payload.
Definition: tls.c:3419
int create_validator(struct interface *job, struct x509_chain *chain, struct x509_root *root)
Instantiate a certificate validator.
Definition: validator.c:757
#define TLS_TYPE_CHANGE_CIPHER
Change cipher content type.
Definition: tls.h:53
#define ENOTSUP_CIPHER
Definition: tls.c:145
assert((readw(&hdr->flags) &(GTF_reading|GTF_writing))==0)
#define container_of(ptr, type, field)
Get containing structure.
Definition: stddef.h:35
Certificate validator.
static struct tls_signature_hash_algorithm * tls_signature_hash_algorithm(struct pubkey_algorithm *pubkey, struct digest_algorithm *digest)
Find TLS signature and hash algorithm.
Definition: tls.c:996
An object interface.
Definition: interface.h:124
Keyed-Hashing for Message Authentication.
#define ENOMEM_RX_DATA
Definition: tls.c:137
struct ntlm_data session
Session key.
Definition: ntlm.h:24
#define TLS_RX_ALIGN
RX I/O buffer alignment.
Definition: tls.h:453
void * new_session_ticket
New session ticket.
Definition: tls.h:357
static int tls_progress(struct tls_connection *tls, struct job_progress *progress)
Report job progress.
Definition: tls.c:3297
static int tls_send_change_cipher(struct tls_connection *tls)
Transmit Change Cipher record.
Definition: tls.c:1903
void * cipher_ctx
Bulk encryption cipher context.
Definition: tls.h:246
static void tls_tx_step(struct tls_connection *tls)
TLS TX state machine.
Definition: tls.c:3629
#define list_for_each_entry(pos, head, member)
Iterate over entries in a list.
Definition: list.h:431
static void struct digest_algorithm * digest
HMAC-MD5 digest.
Definition: crypto.h:308
#define TLS_SESSION_TICKET
Definition: tls.h:136
#define DBGC_HDA(...)
Definition: compiler.h:506
static int tls_new_session_ticket(struct tls_connection *tls, const void *data, size_t len)
Receive New Session Ticket handshake record.
Definition: tls.c:2255
#define list_add_tail(new, head)
Add a new entry to the tail of a list.
Definition: list.h:93
struct tls_cipher_suite * suite
Cipher suite.
Definition: tls.h:240
struct x509_chain * certs
Client certificate chain (if used)
Definition: tls.h:393
static void tls_hmac_update(struct tls_cipherspec *cipherspec, void *ctx, const void *data, size_t len)
Update HMAC.
Definition: tls.c:2863
#define EINVAL_FINISHED
Definition: tls.c:81
struct digest_algorithm * digest
MAC digest algorithm.
Definition: tls.h:195
static void tls_prf(struct tls_connection *tls, const void *secret, size_t secret_len, void *out, size_t out_len,...)
Generate secure pseudo-random data.
Definition: tls.c:560
struct pending_operation validation
Certificate validation pending operation.
Definition: tls.h:411
struct list_head list
List of connections within the same session.
Definition: tls.h:351
uint32_t gmt_unix_time
GMT Unix time.
Definition: tls.h:287
#define be16_to_cpu(value)
Definition: byteswap.h:115
u32 link
Link to next descriptor.
Definition: ar9003_mac.h:68
uint8_t fixed_iv_len
Fixed initialisation vector length.
Definition: tls.h:203
A TLS cipher suite.
Definition: tls.h:187
char * strcpy(char *dest, const char *src)
Copy string.
Definition: string.c:326
#define TLS_SERVER_NAME
Definition: tls.h:118
A TLS signature algorithm.
Definition: tls.h:262
static int is_pending(struct pending_operation *pending)
Check if an operation is pending.
Definition: pending.h:24
#define EPERM_VERIFY
Definition: tls.c:169
static int tls_new_alert(struct tls_connection *tls, struct io_buffer *iobuf)
Receive new Alert record.
Definition: tls.c:1997
static struct x509_root * x509_root_get(struct x509_root *root)
Get reference to X.509 root certificate list.
Definition: x509.h:384
uint8_t master_secret[48]
Master secret.
Definition: tls.h:377
struct list_head list
List of sessions.
Definition: tls.h:319
static void tls_hmac_init(struct tls_cipherspec *cipherspec, void *ctx, struct tls_auth_header *authhdr)
Initialise HMAC.
Definition: tls.c:2846
#define TLS_ALERT_WARNING
Definition: tls.h:81
#define ENOMEM_TX_CIPHERTEXT
Definition: tls.c:133
static int tls_send_client_key_exchange(struct tls_connection *tls)
Transmit Client Key Exchange record.
Definition: tls.c:1785
static int tls_new_data(struct tls_connection *tls, struct list_head *rx_data)
Receive new data record.
Definition: tls.c:2736
static void struct digest_algorithm const void const void size_t signature_len
Definition: crypto.h:316
const char * name
Curve name.
Definition: crypto.h:201
#define EINVAL_RX_STATE
Definition: tls.c:97
static int tls_new_change_cipher(struct tls_connection *tls, struct io_buffer *iobuf)
Receive new Change Cipher record.
Definition: tls.c:1961
#define TLS_RX_BUFSIZE
RX I/O buffer size.
Definition: tls.h:442
static void * dest
Definition: strings.h:176
#define list_for_each_entry_safe(pos, tmp, head, member)
Iterate over entries in a list, safe against deletion of the current entry.
Definition: list.h:458
#define cpu_to_le32(value)
Definition: byteswap.h:107
#define TLS_NAMED_CURVES
TLS named curve table.
Definition: tls.h:230
static struct digest_algorithm md5_sha1_algorithm
Hybrid MD5+SHA1 digest algorithm.
Definition: tls.c:323
RBG mechanism.
pseudo_bit_t value[0x00020]
Definition: arbel.h:13
struct x509_public_key public_key
Public key information.
Definition: x509.h:64
void process_add(struct process *process)
Add process to process list.
Definition: process.c:59
int meta(WINDOW *, bool)
#define ENOTCONN
The socket is not connected.
Definition: errno.h:569
AES algorithm.
size_t keysize
Key size.
Definition: crypto.h:203
struct io_buffer * iob_concatenate(struct list_head *list)
Concatenate I/O buffers into a single buffer.
Definition: iobuf.c:243
An object interface descriptor.
Definition: interface.h:55
#define TLS_NUM_SIG_HASH_ALGORITHMS
Number of supported signature and hash algorithms.
Definition: tls.c:985
#define TLS_HELLO_REQUEST
Definition: tls.h:68
struct tls_header header
TLS header.
Definition: tls.h:146
#define iob_unput(iobuf, len)
Definition: iobuf.h:135
static void hmac_update(struct digest_algorithm *digest, void *ctx, const void *data, size_t len)
Update HMAC.
Definition: hmac.h:42
static struct x509_certificate * x509_last(struct x509_chain *chain)
Get last certificate in X.509 certificate chain.
Definition: x509.h:316
static int tls_send_plaintext(struct tls_connection *tls, unsigned int type, const void *data, size_t len)
Send plaintext record.
Definition: tls.c:2936
pseudo_bit_t hash[0x00010]
Hash algorithm.
Definition: arbel.h:13
struct tls_client_random client_random
Client random bytes.
Definition: tls.h:381
char * strerror(int errno)
Retrieve string representation of error number.
Definition: strerror.c:78
An X.509 certificate.
Definition: x509.h:207
static void(* free)(struct refcnt *refcnt))
Definition: refcnt.h:54
struct interface cipherstream
Ciphertext stream.
Definition: tls.h:364
void * zalloc(size_t size)
Allocate cleared memory.
Definition: malloc.c:624
#define DBGC2_HD(...)
Definition: compiler.h:524
static int tls_new_finished(struct tls_connection *tls, const void *data, size_t len)
Receive new Finished handshake record.
Definition: tls.c:2554
void * server_key
Server Key Exchange record (if any)
Definition: tls.h:383
struct x509_subject subject
Subject.
Definition: x509.h:236
uint8_t hash
Hash algorithm.
Definition: tls.h:256
#define ref_get(refcnt)
Get additional reference to object.
Definition: refcnt.h:92
struct digest_algorithm digest_null
Definition: crypto_null.c:48
struct elliptic_curve * curve
Elliptic curve.
Definition: tls.h:224
static size_t iob_len(struct io_buffer *iobuf)
Calculate length of data in an I/O buffer.
Definition: iobuf.h:155
static struct interface_operation tls_cipherstream_ops[]
TLS ciphertext stream interface operations.
Definition: tls.c:3523
Job progress.
Definition: job.h:15
#define INTF_OP(op_type, object_type, op_func)
Define an object interface operation.
Definition: interface.h:32
struct golan_eq_context ctx
Definition: CIB_PRM.h:28
static int tls_new_server_hello(struct tls_connection *tls, const void *data, size_t len)
Receive new Server Hello handshake record.
Definition: tls.c:2070
#define EINVAL_ALERT
Definition: tls.c:61
#define DBGC_HD(...)
Definition: compiler.h:507
#define for_each_table_entry(pointer, table)
Iterate through all entries within a linker table.
Definition: tables.h:385
uint8_t mac_len
MAC length.
Definition: tls.h:207
long int random(void)
Generate a pseudo-random number between 0 and 2147483647L or 2147483562?
Definition: random.c:31
void * pubkey_ctx
Public key encryption context.
Definition: tls.h:244
static size_t iob_tailroom(struct io_buffer *iobuf)
Calculate available space at end of an I/O buffer.
Definition: iobuf.h:175
int xfer_deliver(struct interface *intf, struct io_buffer *iobuf, struct xfer_metadata *meta)
Deliver datagram.
Definition: xfer.c:194
size_t strlen(const char *src)
Get length of string.
Definition: string.c:243
static int tls_verify_dh_params(struct tls_connection *tls, size_t param_len)
Verify Diffie-Hellman parameter signature.
Definition: tls.c:1459
An RSA digestInfo prefix.
Definition: rsa.h:42
unsigned char uint8_t
Definition: stdint.h:10
uint8_t signature
Signature algorithm.
Definition: tls.h:258
Data transfer interface opening.
#define TLS_ALERT_FATAL
Definition: tls.h:82
#define EPERM_RENEG_VERIFY
Definition: tls.c:181
#define TLS_SIG_HASH_ALGORITHMS
TLS signature hash algorithm table.
Definition: tls.h:276
REQUIRING_SYMBOL(add_tls)
struct private_key * key
Private key.
Definition: tls.h:391
uint16_t hello
Hello time.
Definition: stp.h:38
static int tls_change_cipher(struct tls_connection *tls, struct tls_cipherspec *pending, struct tls_cipherspec *active)
Activate next cipher suite.
Definition: tls.c:962
static void process_init_stopped(struct process *process, struct process_descriptor *desc, struct refcnt *refcnt)
Initialise process without adding to process list.
Definition: process.h:145
X.509 certificates.
u32 lifetime
For Lifetime-type KDEs, the lifetime in seconds.
Definition: wpa.h:54
size_t ctxsize
Context size.
Definition: crypto.h:53
#define cipher_decrypt(cipher, ctx, src, dst, len)
Definition: crypto.h:258
uint32_t last
Length to read in last segment, or zero.
Definition: pccrc.h:30
unsigned int uint32_t
Definition: stdint.h:12
struct tls_cipherspec rx_cipherspec
Current RX cipher specification.
Definition: tls.h:373
void * malloc(size_t size)
Allocate memory.
Definition: malloc.c:583
static int tls_plainstream_deliver(struct tls_connection *tls, struct io_buffer *iobuf, struct xfer_metadata *meta __unused)
Deliver datagram as raw data.
Definition: tls.c:3270
static int tls_new_certificate_request(struct tls_connection *tls, const void *data __unused, size_t len __unused)
Receive new Certificate Request handshake record.
Definition: tls.c:2455
#define TLS_RX_MIN_BUFSIZE
Minimum RX I/O buffer size.
Definition: tls.h:450
struct cipher_algorithm cipher_null
Definition: crypto_null.c:83
u32 version
Driver version.
Definition: ath9k_hw.c:1983
Cryptographic configuration.
Job control interfaces.
struct tls_signature_hash_id code
Numeric code.
Definition: tls.h:268
#define TLS_NEW_SESSION_TICKET
Definition: tls.h:71
uint16_t ext
Extended status.
Definition: ena.h:20
struct tls_cipherspec tx_cipherspec_pending
Next TX cipher specification.
Definition: tls.h:371
#define TLS_VERSION_MAX
Maximum supported TLS version.
Definition: tls.h:50
#define TLS_SERVER_NAME_HOST_NAME
Definition: tls.h:119
uint8_t client[12]
Client verification data.
Definition: tls.h:152
An MD5+SHA1 digest.
Definition: tls.h:304
struct pending_operation server_negotiation
Server security negotiation pending operation.
Definition: tls.h:409
An X.509 root certificate list.
Definition: x509.h:366
A TLS header.
Definition: tls.h:28
#define __unused
Declare a variable or data structure as unused.
Definition: compiler.h:573
Date and time.
Pending operations.
long pad_len
Definition: bigint.h:30
#define TLS_TYPE_HANDSHAKE
Handshake content type.
Definition: tls.h:62
struct list_head rx_data
List of received data buffers.
Definition: tls.h:429
unsigned int tx_pending
TX pending transmissions.
Definition: tls.h:416
RSA public-key cryptography.
A TLS 24-bit integer.
Definition: tls.c:215
static struct interface_descriptor tls_plainstream_desc
TLS plaintext stream interface descriptor.
Definition: tls.c:3319
#define iob_reserve(iobuf, len)
Definition: iobuf.h:67
static int tls_generate_keys(struct tls_connection *tls)
Generate key material.
Definition: tls.c:664
void intf_insert(struct interface *intf, struct interface *upper, struct interface *lower)
Insert a filter interface.
Definition: interface.c:401
#define INIT_LIST_HEAD(list)
Initialise a list head.
Definition: list.h:45
#define INTF_DESC(object_type, intf, operations)
Define an object interface descriptor.
Definition: interface.h:80
const char * x509_name(struct x509_certificate *cert)
Get X.509 certificate display name.
Definition: x509.c:145
static int tls_version(struct tls_connection *tls, unsigned int version)
Check for TLS version.
Definition: tls.c:270
static int tls_send_certificate_verify(struct tls_connection *tls)
Transmit Certificate Verify record.
Definition: tls.c:1813
#define EPERM_RENEG_INSECURE
Definition: tls.c:177
struct digest_algorithm * handshake_digest
Digest algorithm used for handshake verification.
Definition: tls.h:387
uint8_t random[28]
Random data.
Definition: tls.h:289
static int tls_client_hello(struct tls_connection *tls, int(*action)(struct tls_connection *tls, const void *data, size_t len))
Digest or transmit Client Hello record.
Definition: tls.c:1151
#define ENOMEM_TX_PLAINTEXT
Definition: tls.c:129
static void tls_hmac(struct tls_cipherspec *cipherspec, struct tls_auth_header *authhdr, const void *data, size_t len, void *hmac)
Calculate HMAC.
Definition: tls.c:2893
struct list_head list
List of which this buffer is a member.
Definition: iobuf.h:40
#define EINVAL_IV
Definition: tls.c:89
uint8_t code
Response code.
Definition: scsi.h:16
static int tls_new_handshake(struct tls_connection *tls, struct io_buffer *iobuf)
Receive new Handshake record.
Definition: tls.c:2631
uint32_t len
Length.
Definition: ena.h:14
static int tls_parse_chain(struct tls_connection *tls, const void *data, size_t len)
Parse certificate chain.
Definition: tls.c:2306
struct interface validator
Certificate validator.
Definition: tls.h:404
A TLS session.
Definition: tls.h:315
uint32_t type
Operating system type.
Definition: ena.h:12
uint8_t unused[32]
Unused.
Definition: eltorito.h:15
int x509_auto_append(struct x509_chain *chain, struct x509_chain *certs)
Append X.509 certificates to X.509 certificate chain.
Definition: x509.c:1748
size_t ctxsize
Context size.
Definition: crypto.h:21
#define TLS_SERVER_KEY_EXCHANGE
Definition: tls.h:73
static struct process_descriptor tls_process_desc
TLS TX process descriptor.
Definition: tls.c:3739
static void const void * iv
Definition: crypto.h:238
#define DBGC2(...)
Definition: compiler.h:522
__builtin_va_list va_list
Definition: stdarg.h:6
int strcmp(const char *first, const char *second)
Compare strings.
Definition: string.c:173
size_t digestsize
Digest size.
Definition: crypto.h:25
SHA-1 algorithm.
const char * name
Algorithm name.
Definition: crypto.h:19
uint8_t sha1[SHA1_CTX_SIZE]
SHA-1 context.
Definition: tls.h:297
static void x509_put(struct x509_certificate *cert)
Drop reference to X.509 certificate.
Definition: x509.h:269
struct digest_algorithm * handshake
Handshake digest algorithm (for TLSv1.2 and above)
Definition: tls.h:197
static void alert(const char *fmt,...)
Print alert message.
Definition: settings_ui.c:324
void * data
Start of data.
Definition: iobuf.h:48
static struct x509_certificate * x509_first(struct x509_chain *chain)
Get first certificate in X.509 certificate chain.
Definition: x509.h:302
uint16_t low
Low word.
Definition: tls.c:219
Ephemeral Diffie-Hellman key exchange.
struct tls_cipherspec rx_cipherspec_pending
Next RX cipher specification.
Definition: tls.h:375
int job_progress(struct interface *intf, struct job_progress *progress)
Get job progress.
Definition: job.c:43
#define ENOMEM_CERTIFICATE
Definition: tls.c:121
uint16_t version
Protocol version.
Definition: tls.h:38
#define EPERM_ALERT
Definition: tls.c:165
A message digest algorithm.
Definition: crypto.h:17
uint16_t version
Protocol version.
Definition: tls.h:367
#define cpu_to_be64(value)
Definition: byteswap.h:111
uint8_t data[48]
Additional event data.
Definition: ena.h:22
static void tls_clear_handshake(struct tls_connection *tls)
Clear handshake digest algorithm.
Definition: tls.c:749
A cipher algorithm.
Definition: crypto.h:49
A private key.
Definition: privkey.h:16
uint8_t server[12]
Server verification data.
Definition: tls.h:154
struct io_buffer * rx_handshake
Received handshake fragment.
Definition: tls.h:431
A TLS key exchange algorithm.
Definition: tls.h:174
struct digest_algorithm * digest
Digest algorithm.
Definition: rsa.h:44
Root certificate store.
A TLS connection.
Definition: tls.h:344
void hmac_final(struct digest_algorithm *digest, void *ctx, void *hmac)
Finalise HMAC.
Definition: hmac.c:87
static void tls_clear_cipher(struct tls_connection *tls, struct tls_cipherspec *cipherspec)
uint8_t md5[MD5_CTX_SIZE]
MD5 context.
Definition: tls.h:295
#define EINVAL_TICKET
Definition: tls.c:105
#define INTF_DESC_PASSTHRU(object_type, intf, operations, passthru)
Define an object interface descriptor with pass-through interface.
Definition: interface.h:97
static void tls_set_uint24(tls24_t *field24, unsigned long value)
Set 24-bit field value.
Definition: tls.c:241
static int tls_new_record(struct tls_connection *tls, unsigned int type, struct list_head *rx_data)
Receive new record.
Definition: tls.c:2768
struct cipher_algorithm * cipher
Bulk encryption cipher algorithm.
Definition: tls.h:193
struct tls_key_exchange_algorithm tls_ecdhe_exchange_algorithm
Ephemeral Elliptic Curve Diffie-Hellman key exchange algorithm.
Definition: tls.c:1774
struct list_head conn
List of connections.
Definition: tls.h:340
static size_t tls_cipherstream_window(struct tls_connection *tls)
Check flow control window.
Definition: tls.c:3455
int secure_renegotiation
Secure renegotiation flag.
Definition: tls.h:395
A TLS named curve.
Definition: tls.h:222
static int tls_send_finished(struct tls_connection *tls)
Transmit Finished record.
Definition: tls.c:1920
typeof(acpi_finder=acpi_find)
ACPI table finder.
Definition: acpi.c:45
#define EINVAL_KEY_EXCHANGE
Definition: tls.c:109
static int tls_new_certificate(struct tls_connection *tls, const void *data, size_t len)
Receive new Certificate handshake record.
Definition: tls.c:2384
struct pubkey_algorithm * pubkey
Public-key algorithm.
Definition: tls.h:266
static void tls_p_hash_va(struct tls_connection *tls, struct digest_algorithm *digest, const void *secret, size_t secret_len, void *out, size_t out_len, va_list seeds)
Generate secure pseudo-random data using a single hash function.
Definition: tls.c:498
static int tls_session(struct tls_connection *tls, const char *name)
Find or create session for TLS connection.
Definition: tls.c:3756
void * dynamic
Dynamically-allocated storage.
Definition: tls.h:242
uint8_t high
High byte.
Definition: tls.c:217
static int tls_send_client_hello(struct tls_connection *tls)
Transmit Client Hello record.
Definition: tls.c:1321
#define va_start(ap, last)
Definition: stdarg.h:7
static int tls_generate_random(struct tls_connection *tls, void *data, size_t len)
Generate random data.
Definition: tls.c:453
struct rsa_digestinfo_prefix rsa_md5_sha1_prefix __rsa_digestinfo_prefix
RSA digestInfo prefix for MD5+SHA1 algorithm.
Definition: tls.c:334
#define EINVAL_CERTIFICATES
Definition: tls.c:73
struct asn1_cursor raw
Raw certificate.
Definition: x509.h:222
#define TLS_MAX_FRAGMENT_LENGTH_4096
Definition: tls.h:126
static int tls_ready(struct tls_connection *tls)
Determine if TLS connection is ready for application data.
Definition: tls.c:253
const char * name
Server name.
Definition: tls.h:322
A TLS signature and hash algorithm identifier.
Definition: tls.h:254
static void intf_init(struct interface *intf, struct interface_descriptor *desc, struct refcnt *refcnt)
Initialise an object interface.
Definition: interface.h:203
const char * name
Algorithm name.
Definition: crypto.h:51
#define TLS_CERTIFICATE_VERIFY
Definition: tls.h:76
#define TLS_TYPE_DATA
Application data content type.
Definition: tls.h:65
#define ENOTSUP_SIG_HASH
Definition: tls.c:153
size_t session_id_len
Length of session ID.
Definition: tls.h:355
#define TLS_TYPE_ALERT
Alert content type.
Definition: tls.h:59
static int tls_verify_padding(struct tls_connection *tls, struct io_buffer *iobuf)
Verify block padding.
Definition: tls.c:3072
struct interface plainstream
Plaintext stream.
Definition: tls.h:362
#define TLS_VERSION_MIN
Minimum TLS version.
Definition: crypto.h:13
struct tls_key_exchange_algorithm tls_dhe_exchange_algorithm
Ephemeral Diffie-Hellman key exchange algorithm.
Definition: tls.c:1661
uint64_t time
Current time.
Definition: ntlm.h:20
u8 signature
Signature.
Definition: CIB_PRM.h:35
MD5 algorithm.
int memcmp(const void *first, const void *second, size_t len)
Compare memory regions.
Definition: string.c:114
SHA-256 algorithm.
static int tls_set_cipher(struct tls_connection *tls, struct tls_cipherspec *cipherspec, struct tls_cipher_suite *suite)
Set cipher suite.
Definition: tls.c:876
#define NULL
NULL pointer (VOID *)
Definition: Base.h:321
static int tls_select_handshake(struct tls_connection *tls, struct digest_algorithm *digest)
Select handshake digest algorithm.
Definition: tls.c:766
String functions.
#define tls_prf_label(tls, secret, secret_len, out, out_len, label,...)
Generate secure pseudo-random data.
Definition: tls.c:616
An ASN.1 object cursor.
Definition: asn1.h:20
#define TLS_CIPHER_SUITES
TLS cipher suite table.
Definition: tls.h:211
A public key algorithm.
Definition: crypto.h:120
#define htons(value)
Definition: byteswap.h:135
#define TLS_CLIENT_KEY_EXCHANGE
Definition: tls.h:77
void pending_get(struct pending_operation *pending)
Mark an operation as pending.
Definition: pending.c:45
struct bofm_section_header done
Definition: bofm_test.c:46
void * fixed_iv
Fixed initialisation vector.
Definition: tls.h:250
#define TLS_SERVER_HELLO
Definition: tls.h:70
uint32_t first
Length to skip in first segment.
Definition: pccrc.h:23
union @382 key
Sense key.
Definition: crypto.h:284
static int tls_new_server_hello_done(struct tls_connection *tls, const void *data, size_t len)
Receive new Server Hello Done handshake record.
Definition: tls.c:2519
#define TLS_FINISHED
Definition: tls.h:78
int add_tls(struct interface *xfer, const char *name, struct x509_root *root, struct private_key *key)
Add TLS on an interface.
Definition: tls.c:3816
static void md5_sha1_update(void *ctx, const void *data, size_t len)
Accumulate data with MD5+SHA1 algorithm.
Definition: tls.c:301
#define TLS_SIGNATURE_ALGORITHMS
Definition: tls.h:133
static int tls_new_server_key_exchange(struct tls_connection *tls, const void *data, size_t len)
Receive new Server Key Exchange handshake record.
Definition: tls.c:2424
const char * name
Algorithm name.
Definition: crypto.h:122
struct digest_algorithm md5_algorithm
MD5 algorithm.
Definition: md5.c:286
static size_t tls_plainstream_window(struct tls_connection *tls)
Check flow control window.
Definition: tls.c:3253
#define ref_put(refcnt)
Drop reference to object.
Definition: refcnt.h:106
static int tls_send_client_key_exchange_dhe(struct tls_connection *tls)
Transmit Client Key Exchange record using DHE key exchange.
Definition: tls.c:1547
uint16_t code
Numeric code (in network-endian order)
Definition: tls.h:199
static int tls_new_unknown(struct tls_connection *tls __unused, struct io_buffer *iobuf)
Receive new unknown record.
Definition: tls.c:2721
struct digest_algorithm sha1_algorithm
SHA-1 algorithm.
Definition: sha1.c:257
void * mac_secret
MAC secret.
Definition: tls.h:248
uint64_t tx_seq
TX sequence number.
Definition: tls.h:414
void * memset(void *dest, int character, size_t len) __nonnull
size_t server_key_len
Server Key Exchange record length.
Definition: tls.h:385
A persistent I/O buffer.
Definition: iobuf.h:33
#define TLS_CHANGE_CIPHER_SPEC
Change cipher spec magic byte.
Definition: tls.h:56
uint8_t key_len
Key length.
Definition: tls.h:201