1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22#include "tls.h"
23
24
25
26#define ALLOW_RSA_NULL_SHA256 0
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66#define TLS_DEBUG 0
67#define TLS_DEBUG_HASH 0
68#define TLS_DEBUG_DER 0
69#define TLS_DEBUG_FIXED_SECRETS 0
70#if 0
71# define dump_raw_out(...) dump_hex(__VA_ARGS__)
72#else
73# define dump_raw_out(...) ((void)0)
74#endif
75#if 0
76# define dump_raw_in(...) dump_hex(__VA_ARGS__)
77#else
78# define dump_raw_in(...) ((void)0)
79#endif
80
81#if TLS_DEBUG
82# define dbg(...) fprintf(stderr, __VA_ARGS__)
83#else
84# define dbg(...) ((void)0)
85#endif
86
87#if TLS_DEBUG_DER
88# define dbg_der(...) fprintf(stderr, __VA_ARGS__)
89#else
90# define dbg_der(...) ((void)0)
91#endif
92
93
94
95#define TLS_MAJ 3
96#define TLS_MIN 3
97
98#define RECORD_TYPE_CHANGE_CIPHER_SPEC 20
99#define RECORD_TYPE_ALERT 21
100#define RECORD_TYPE_HANDSHAKE 22
101#define RECORD_TYPE_APPLICATION_DATA 23
102
103#define HANDSHAKE_HELLO_REQUEST 0
104#define HANDSHAKE_CLIENT_HELLO 1
105#define HANDSHAKE_SERVER_HELLO 2
106#define HANDSHAKE_HELLO_VERIFY_REQUEST 3
107#define HANDSHAKE_NEW_SESSION_TICKET 4
108#define HANDSHAKE_CERTIFICATE 11
109#define HANDSHAKE_SERVER_KEY_EXCHANGE 12
110#define HANDSHAKE_CERTIFICATE_REQUEST 13
111#define HANDSHAKE_SERVER_HELLO_DONE 14
112#define HANDSHAKE_CERTIFICATE_VERIFY 15
113#define HANDSHAKE_CLIENT_KEY_EXCHANGE 16
114#define HANDSHAKE_FINISHED 20
115
116#define TLS_EMPTY_RENEGOTIATION_INFO_SCSV 0x00FF
117
118#define SSL_NULL_WITH_NULL_NULL 0x0000
119#define SSL_RSA_WITH_NULL_MD5 0x0001
120#define SSL_RSA_WITH_NULL_SHA 0x0002
121#define SSL_RSA_WITH_RC4_128_MD5 0x0004
122#define SSL_RSA_WITH_RC4_128_SHA 0x0005
123#define TLS_RSA_WITH_IDEA_CBC_SHA 0x0007
124#define SSL_RSA_WITH_3DES_EDE_CBC_SHA 0x000A
125
126#define SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA 0x0016
127#define SSL_DH_anon_WITH_RC4_128_MD5 0x0018
128#define SSL_DH_anon_WITH_3DES_EDE_CBC_SHA 0x001B
129#define TLS_RSA_WITH_AES_128_CBC_SHA 0x002F
130#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA 0x0033
131#define TLS_DH_anon_WITH_AES_128_CBC_SHA 0x0034
132#define TLS_RSA_WITH_AES_256_CBC_SHA 0x0035
133#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA 0x0039
134#define TLS_DH_anon_WITH_AES_256_CBC_SHA 0x003A
135#define TLS_RSA_WITH_NULL_SHA256 0x003B
136#define TLS_RSA_WITH_AES_128_CBC_SHA256 0x003C
137#define TLS_RSA_WITH_AES_256_CBC_SHA256 0x003D
138#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 0x0067
139#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 0x006B
140#define TLS_PSK_WITH_AES_128_CBC_SHA 0x008C
141#define TLS_PSK_WITH_AES_256_CBC_SHA 0x008D
142#define TLS_DHE_PSK_WITH_AES_128_CBC_SHA 0x0090
143#define TLS_DHE_PSK_WITH_AES_256_CBC_SHA 0x0091
144#define TLS_RSA_WITH_SEED_CBC_SHA 0x0096
145#define TLS_RSA_WITH_AES_128_GCM_SHA256 0x009C
146#define TLS_RSA_WITH_AES_256_GCM_SHA384 0x009D
147#define TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 0x009E
148#define TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 0x009F
149#define TLS_DH_anon_WITH_AES_128_GCM_SHA256 0x00A6
150#define TLS_DH_anon_WITH_AES_256_GCM_SHA384 0x00A7
151#define TLS_PSK_WITH_AES_128_CBC_SHA256 0x00AE
152#define TLS_PSK_WITH_AES_256_CBC_SHA384 0x00AF
153#define TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA 0xC004
154#define TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA 0xC005
155#define TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA 0xC009
156#define TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA 0xC00A
157#define TLS_ECDH_RSA_WITH_AES_128_CBC_SHA 0xC00E
158#define TLS_ECDH_RSA_WITH_AES_256_CBC_SHA 0xC00F
159#define TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA 0xC012
160#define TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 0xC013
161#define TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 0xC014
162#define TLS_ECDH_anon_WITH_AES_128_CBC_SHA 0xC018
163#define TLS_ECDH_anon_WITH_AES_256_CBC_SHA 0xC019
164#define TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 0xC023
165#define TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 0xC024
166#define TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 0xC025
167#define TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 0xC026
168#define TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 0xC027
169#define TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 0xC028
170#define TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 0xC029
171#define TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 0xC02A
172
173#define TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 0xC02B
174#define TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 0xC02C
175#define TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 0xC02D
176#define TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 0xC02E
177#define TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 0xC02F
178#define TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 0xC030
179#define TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 0xC031
180#define TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 0xC032
181#define TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA 0xC035
182#define TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA 0xC036
183#define TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 0xC037
184#define TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 0xC038
185
186
187
188#define TLS_RSA_WITH_AES_128_CCM 0xC09C
189#define TLS_RSA_WITH_AES_256_CCM 0xC09D
190#define TLS_DHE_RSA_WITH_AES_128_CCM 0xC09E
191#define TLS_DHE_RSA_WITH_AES_256_CCM 0xC09F
192#define TLS_RSA_WITH_AES_128_CCM_8 0xC0A0
193#define TLS_RSA_WITH_AES_256_CCM_8 0xC0A1
194#define TLS_DHE_RSA_WITH_AES_128_CCM_8 0xC0A2
195#define TLS_DHE_RSA_WITH_AES_256_CCM_8 0xC0A3
196#define TLS_ECDHE_ECDSA_WITH_AES_128_CCM 0xC0AC
197#define TLS_ECDHE_ECDSA_WITH_AES_256_CCM 0xC0AD
198#define TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 0xC0AE
199#define TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 0xC0AF
200#define TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 0xCCA8
201#define TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 0xCCA9
202#define TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 0xCCAA
203
204#define TLS_AES_128_GCM_SHA256 0x1301
205#define TLS_AES_256_GCM_SHA384 0x1302
206#define TLS_CHACHA20_POLY1305_SHA256 0x1303
207#define TLS_AES_128_CCM_SHA256 0x1304
208
209
210#define TLS_MAX_CRYPTBLOCK_SIZE 16
211#define TLS_MAX_OUTBUF (1 << 14)
212
213enum {
214 SHA_INSIZE = 64,
215 SHA1_OUTSIZE = 20,
216 SHA256_OUTSIZE = 32,
217
218 AES128_KEYSIZE = 16,
219 AES256_KEYSIZE = 32,
220
221 RSA_PREMASTER_SIZE = 48,
222
223 RECHDR_LEN = 5,
224
225
226 OUTBUF_PFX = 8 + AES_BLOCK_SIZE,
227 OUTBUF_SFX = TLS_MAX_MAC_SIZE + TLS_MAX_CRYPTBLOCK_SIZE,
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263 MAX_INBUF = RECHDR_LEN + (1 << 14) + 2048,
264
265
266 NEED_EC_KEY = 1 << 0,
267 GOT_CERT_RSA_KEY_ALG = 1 << 1,
268 GOT_CERT_ECDSA_KEY_ALG = 1 << 2,
269 GOT_EC_KEY = 1 << 3,
270 ENCRYPTION_AESGCM = 1 << 4,
271 ENCRYPT_ON_WRITE = 1 << 5,
272};
273
274struct record_hdr {
275 uint8_t type;
276 uint8_t proto_maj, proto_min;
277 uint8_t len16_hi, len16_lo;
278};
279
280struct tls_handshake_data {
281
282 md5sha_ctx_t handshake_hash_ctx;
283
284 uint8_t client_and_server_rand32[2 * 32];
285 uint8_t master_secret[48];
286
287
288
289 psRsaKey_t server_rsa_pub_key;
290 uint8_t ecc_pub_key32[32];
291
292
293
294
295};
296
297
298static unsigned get24be(const uint8_t *p)
299{
300 return 0x100*(0x100*p[0] + p[1]) + p[2];
301}
302
303#if TLS_DEBUG
304
305# if TLS_DEBUG_HASH
306static unsigned sha_peek(md5sha_ctx_t *ctx, void *buffer)
307{
308 md5sha_ctx_t ctx_copy = *ctx;
309 return sha_end(&ctx_copy, buffer);
310}
311# endif
312
313static void dump_hex(const char *fmt, const void *vp, int len)
314{
315 char hexbuf[32 * 1024 + 4];
316 const uint8_t *p = vp;
317
318 bin2hex(hexbuf, (void*)p, len)[0] = '\0';
319 dbg(fmt, hexbuf);
320}
321
322static void dump_tls_record(const void *vp, int len)
323{
324 const uint8_t *p = vp;
325
326 while (len > 0) {
327 unsigned xhdr_len;
328 if (len < RECHDR_LEN) {
329 dump_hex("< |%s|\n", p, len);
330 return;
331 }
332 xhdr_len = 0x100*p[3] + p[4];
333 dbg("< hdr_type:%u ver:%u.%u len:%u", p[0], p[1], p[2], xhdr_len);
334 p += RECHDR_LEN;
335 len -= RECHDR_LEN;
336 if (len >= 4 && p[-RECHDR_LEN] == RECORD_TYPE_HANDSHAKE) {
337 unsigned len24 = get24be(p + 1);
338 dbg(" type:%u len24:%u", p[0], len24);
339 }
340 if (xhdr_len > len)
341 xhdr_len = len;
342 dump_hex(" |%s|\n", p, xhdr_len);
343 p += xhdr_len;
344 len -= xhdr_len;
345 }
346}
347#else
348# define dump_hex(...) ((void)0)
349# define dump_tls_record(...) ((void)0)
350#endif
351
352void FAST_FUNC tls_get_random(void *buf, unsigned len)
353{
354 if (len != open_read_close("/dev/urandom", buf, len))
355 xfunc_die();
356}
357
358static void xorbuf3(void *dst, const void *src1, const void *src2, unsigned count)
359{
360 uint8_t *d = dst;
361 const uint8_t *s1 = src1;
362 const uint8_t* s2 = src2;
363 while (count--)
364 *d++ = *s1++ ^ *s2++;
365}
366
367void FAST_FUNC xorbuf(void *dst, const void *src, unsigned count)
368{
369 xorbuf3(dst, dst, src, count);
370}
371
372void FAST_FUNC xorbuf_aligned_AES_BLOCK_SIZE(void *dst, const void *src)
373{
374 unsigned long *d = dst;
375 const unsigned long *s = src;
376 d[0] ^= s[0];
377#if ULONG_MAX <= 0xffffffffffffffff
378 d[1] ^= s[1];
379 #if ULONG_MAX == 0xffffffff
380 d[2] ^= s[2];
381 d[3] ^= s[3];
382 #endif
383#endif
384}
385
386#if !TLS_DEBUG_HASH
387# define hash_handshake(tls, fmt, buffer, len) \
388 hash_handshake(tls, buffer, len)
389#endif
390static void hash_handshake(tls_state_t *tls, const char *fmt, const void *buffer, unsigned len)
391{
392 md5sha_hash(&tls->hsd->handshake_hash_ctx, buffer, len);
393#if TLS_DEBUG_HASH
394 {
395 uint8_t h[TLS_MAX_MAC_SIZE];
396 dump_hex(fmt, buffer, len);
397 dbg(" (%u bytes) ", (int)len);
398 len = sha_peek(&tls->hsd->handshake_hash_ctx, h);
399 if (ENABLE_FEATURE_TLS_SHA1 && len == SHA1_OUTSIZE)
400 dump_hex("sha1:%s\n", h, len);
401 else
402 if (len == SHA256_OUTSIZE)
403 dump_hex("sha256:%s\n", h, len);
404 else
405 dump_hex("sha???:%s\n", h, len);
406 }
407#endif
408}
409
410#if !ENABLE_FEATURE_TLS_SHA1
411# define TLS_MAC_SIZE(tls) SHA256_OUTSIZE
412#else
413# define TLS_MAC_SIZE(tls) (tls)->MAC_size
414#endif
415
416
417
418
419
420
421
422
423
424
425
426typedef struct hmac_precomputed {
427 md5sha_ctx_t hashed_key_xor_ipad;
428 md5sha_ctx_t hashed_key_xor_opad;
429} hmac_precomputed_t;
430
431typedef void md5sha_begin_func(md5sha_ctx_t *ctx) FAST_FUNC;
432#if !ENABLE_FEATURE_TLS_SHA1
433#define hmac_begin(pre,key,key_size,begin) \
434 hmac_begin(pre,key,key_size)
435#define begin sha256_begin
436#endif
437static void hmac_begin(hmac_precomputed_t *pre, uint8_t *key, unsigned key_size, md5sha_begin_func *begin)
438{
439 uint8_t key_xor_ipad[SHA_INSIZE];
440 uint8_t key_xor_opad[SHA_INSIZE];
441
442 unsigned i;
443
444
445
446
447
448 if (key_size > SHA_INSIZE) {
449 bb_error_msg_and_die("HMAC key>64");
450
451
452
453
454
455
456
457
458
459
460
461 }
462
463 for (i = 0; i < key_size; i++) {
464 key_xor_ipad[i] = key[i] ^ 0x36;
465 key_xor_opad[i] = key[i] ^ 0x5c;
466 }
467 for (; i < SHA_INSIZE; i++) {
468 key_xor_ipad[i] = 0x36;
469 key_xor_opad[i] = 0x5c;
470 }
471
472 begin(&pre->hashed_key_xor_ipad);
473 begin(&pre->hashed_key_xor_opad);
474 md5sha_hash(&pre->hashed_key_xor_ipad, key_xor_ipad, SHA_INSIZE);
475 md5sha_hash(&pre->hashed_key_xor_opad, key_xor_opad, SHA_INSIZE);
476}
477#undef begin
478
479static unsigned hmac_sha_precomputed_v(
480 hmac_precomputed_t *pre,
481 uint8_t *out,
482 va_list va)
483{
484 uint8_t *text;
485 unsigned len;
486
487
488
489
490
491 while ((text = va_arg(va, uint8_t*)) != NULL) {
492 unsigned text_size = va_arg(va, unsigned);
493 md5sha_hash(&pre->hashed_key_xor_ipad, text, text_size);
494 }
495 len = sha_end(&pre->hashed_key_xor_ipad, out);
496
497
498 md5sha_hash(&pre->hashed_key_xor_opad, out, len);
499 return sha_end(&pre->hashed_key_xor_opad, out);
500}
501
502static unsigned hmac_sha_precomputed(hmac_precomputed_t *pre_init, uint8_t *out, ...)
503{
504 hmac_precomputed_t pre;
505 va_list va;
506 unsigned len;
507
508 va_start(va, out);
509 pre = *pre_init;
510 len = hmac_sha_precomputed_v(&pre, out, va);
511 va_end(va);
512 return len;
513}
514
515#if !ENABLE_FEATURE_TLS_SHA1
516#define hmac(tls,out,key,key_size,...) \
517 hmac(out,key,key_size, __VA_ARGS__)
518#endif
519static unsigned hmac(tls_state_t *tls, uint8_t *out, uint8_t *key, unsigned key_size, ...)
520{
521 hmac_precomputed_t pre;
522 va_list va;
523 unsigned len;
524
525 va_start(va, key_size);
526
527 hmac_begin(&pre, key, key_size,
528 (ENABLE_FEATURE_TLS_SHA1 && tls->MAC_size == SHA1_OUTSIZE)
529 ? sha1_begin
530 : sha256_begin
531 );
532 len = hmac_sha_precomputed_v(&pre, out, va);
533
534 va_end(va);
535 return len;
536}
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576static void prf_hmac_sha256(
577 uint8_t *outbuf, unsigned outbuf_size,
578 uint8_t *secret, unsigned secret_size,
579 const char *label,
580 uint8_t *seed, unsigned seed_size)
581{
582 hmac_precomputed_t pre;
583 uint8_t a[TLS_MAX_MAC_SIZE];
584 uint8_t *out_p = outbuf;
585 unsigned label_size = strlen(label);
586 unsigned MAC_size = SHA256_OUTSIZE;
587
588
589#define SEED label, label_size, seed, seed_size
590#define A a, MAC_size
591
592 hmac_begin(&pre, secret, secret_size, sha256_begin);
593
594
595 hmac_sha_precomputed(&pre, a, SEED, NULL);
596
597 for (;;) {
598
599 if (outbuf_size <= MAC_size) {
600
601
602 hmac_sha_precomputed(&pre, a, A, SEED, NULL);
603 memcpy(out_p, a, outbuf_size);
604 return;
605 }
606
607 hmac_sha_precomputed(&pre, out_p, A, SEED, NULL);
608 out_p += MAC_size;
609 outbuf_size -= MAC_size;
610
611 hmac_sha_precomputed(&pre, a, A, NULL);
612 }
613#undef A
614#undef SECRET
615#undef SEED
616}
617
618static void bad_record_die(tls_state_t *tls, const char *expected, int len)
619{
620 bb_error_msg("got bad TLS record (len:%d) while expecting %s", len, expected);
621 if (len > 0) {
622 uint8_t *p = tls->inbuf;
623 if (len > 99)
624 len = 99;
625 do {
626 fprintf(stderr, " %02x", *p++);
627 len--;
628 } while (len != 0);
629 fputc('\n', stderr);
630 }
631 xfunc_die();
632}
633
634static void tls_error_die(tls_state_t *tls, int line)
635{
636 dump_tls_record(tls->inbuf, tls->ofs_to_buffered + tls->buffered_size);
637 bb_error_msg_and_die("tls error at line %d cipher:%04x", line, tls->cipher_id);
638}
639#define tls_error_die(tls) tls_error_die(tls, __LINE__)
640
641#if 0
642static void tls_free_inbuf(tls_state_t *tls)
643{
644 if (tls->buffered_size == 0) {
645 free(tls->inbuf);
646 tls->inbuf_size = 0;
647 tls->inbuf = NULL;
648 }
649}
650#endif
651
652static void tls_free_outbuf(tls_state_t *tls)
653{
654 free(tls->outbuf);
655 tls->outbuf_size = 0;
656 tls->outbuf = NULL;
657}
658
659static void *tls_get_outbuf(tls_state_t *tls, int len)
660{
661 if (len > TLS_MAX_OUTBUF)
662 xfunc_die();
663 len += OUTBUF_PFX + OUTBUF_SFX;
664 if (tls->outbuf_size < len) {
665 tls->outbuf_size = len;
666 tls->outbuf = xrealloc(tls->outbuf, len);
667 }
668 return tls->outbuf + OUTBUF_PFX;
669}
670
671static void *tls_get_zeroed_outbuf(tls_state_t *tls, int len)
672{
673 void *record = tls_get_outbuf(tls, len);
674 memset(record, 0, len);
675 return record;
676}
677
678static void xwrite_encrypted_and_hmac_signed(tls_state_t *tls, unsigned size, unsigned type)
679{
680 uint8_t *buf = tls->outbuf + OUTBUF_PFX;
681 struct record_hdr *xhdr;
682 uint8_t padding_length;
683
684 xhdr = (void*)(buf - RECHDR_LEN);
685 if (!ALLOW_RSA_NULL_SHA256
686 || tls->cipher_id != TLS_RSA_WITH_NULL_SHA256
687 ) {
688 xhdr = (void*)(buf - RECHDR_LEN - AES_BLOCK_SIZE);
689 }
690
691 xhdr->type = type;
692 xhdr->proto_maj = TLS_MAJ;
693 xhdr->proto_min = TLS_MIN;
694
695 xhdr->len16_hi = size >> 8;
696 xhdr->len16_lo = size & 0xff;
697
698
699 hmac(tls, buf + size,
700 tls->client_write_MAC_key, TLS_MAC_SIZE(tls),
701 &tls->write_seq64_be, sizeof(tls->write_seq64_be),
702 xhdr, RECHDR_LEN,
703 buf, size,
704 NULL
705 );
706 tls->write_seq64_be = SWAP_BE64(1 + SWAP_BE64(tls->write_seq64_be));
707
708 size += TLS_MAC_SIZE(tls);
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743 if (ALLOW_RSA_NULL_SHA256
744 && tls->cipher_id == TLS_RSA_WITH_NULL_SHA256
745 ) {
746
747 xhdr->len16_hi = size >> 8;
748 xhdr->len16_lo = size & 0xff;
749 dump_raw_out(">> %s\n", xhdr, RECHDR_LEN + size);
750 xwrite(tls->ofd, xhdr, RECHDR_LEN + size);
751 dbg("wrote %u bytes (NULL crypt, SHA256 hash)\n", size);
752 return;
753 }
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791 tls_get_random(buf - AES_BLOCK_SIZE, AES_BLOCK_SIZE);
792 dbg("before crypt: 5 hdr + %u data + %u hash bytes\n",
793 size - TLS_MAC_SIZE(tls), TLS_MAC_SIZE(tls));
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811 padding_length = (~size) & (AES_BLOCK_SIZE - 1);
812 do {
813 buf[size++] = padding_length;
814 } while ((size & (AES_BLOCK_SIZE - 1)) != 0);
815
816
817 aes_cbc_encrypt(
818 &tls->aes_encrypt,
819 buf - AES_BLOCK_SIZE,
820 buf, size,
821 buf
822 );
823
824
825 dbg("writing 5 + %u IV + %u encrypted bytes, padding_length:0x%02x\n",
826 AES_BLOCK_SIZE, size, padding_length);
827 size += AES_BLOCK_SIZE;
828 xhdr->len16_hi = size >> 8;
829 xhdr->len16_lo = size & 0xff;
830 dump_raw_out(">> %s\n", xhdr, RECHDR_LEN + size);
831 xwrite(tls->ofd, xhdr, RECHDR_LEN + size);
832 dbg("wrote %u bytes\n", (int)RECHDR_LEN + size);
833}
834
835
836
837
838
839
840
841
842
843
844
845static void xwrite_encrypted_aesgcm(tls_state_t *tls, unsigned size, unsigned type)
846{
847#define COUNTER(v) (*(uint32_t*)(v + 12))
848
849 uint8_t aad[13 + 3] ALIGNED_long;
850 uint8_t nonce[12 + 4] ALIGNED_long;
851 uint8_t scratch[AES_BLOCK_SIZE] ALIGNED_long;
852 uint8_t authtag[AES_BLOCK_SIZE] ALIGNED_long;
853 uint8_t *buf;
854 struct record_hdr *xhdr;
855 unsigned remaining;
856 unsigned cnt;
857 uint64_t t64;
858
859 buf = tls->outbuf + OUTBUF_PFX;
860 dump_hex("xwrite_encrypted_aesgcm plaintext:%s\n", buf, size);
861
862 xhdr = (void*)(buf - 8 - RECHDR_LEN);
863 xhdr->type = type;
864
865 aad[8] = type;
866 aad[9] = TLS_MAJ;
867 aad[10] = TLS_MIN;
868 aad[11] = size >> 8;
869
870 COUNTER(aad) = SWAP_LE32(size & 0xff);
871
872 memcpy(nonce, tls->client_write_IV, 4);
873 t64 = tls->write_seq64_be;
874 move_to_unaligned64(nonce + 4, t64);
875 move_to_unaligned64(aad, t64);
876 move_to_unaligned64(buf - 8, t64);
877
878 tls->write_seq64_be = SWAP_BE64(1 + SWAP_BE64(t64));
879
880 cnt = 1;
881 remaining = size;
882 while (remaining != 0) {
883 unsigned n;
884
885 cnt++;
886 COUNTER(nonce) = htonl(cnt);
887 aes_encrypt_one_block(&tls->aes_encrypt, nonce, scratch);
888 n = remaining > AES_BLOCK_SIZE ? AES_BLOCK_SIZE : remaining;
889 xorbuf(buf, scratch, n);
890 buf += n;
891 remaining -= n;
892 }
893
894 aesgcm_GHASH(tls->H, aad, tls->outbuf + OUTBUF_PFX, size, authtag );
895 COUNTER(nonce) = htonl(1);
896 aes_encrypt_one_block(&tls->aes_encrypt, nonce, scratch);
897 xorbuf_aligned_AES_BLOCK_SIZE(authtag, scratch);
898
899 memcpy(buf, authtag, sizeof(authtag));
900
901
902 xhdr = (void*)(tls->outbuf + OUTBUF_PFX - 8 - RECHDR_LEN);
903 size += 8 + sizeof(authtag);
904
905 xhdr->proto_maj = TLS_MAJ;
906 xhdr->proto_min = TLS_MIN;
907 xhdr->len16_hi = size >> 8;
908 xhdr->len16_lo = size & 0xff;
909 size += RECHDR_LEN;
910 dump_raw_out(">> %s\n", xhdr, size);
911 xwrite(tls->ofd, xhdr, size);
912 dbg("wrote %u bytes\n", size);
913#undef COUNTER
914}
915
916static void xwrite_encrypted(tls_state_t *tls, unsigned size, unsigned type)
917{
918 if (!(tls->flags & ENCRYPTION_AESGCM)) {
919 xwrite_encrypted_and_hmac_signed(tls, size, type);
920 return;
921 }
922 xwrite_encrypted_aesgcm(tls, size, type);
923}
924
925static void xwrite_handshake_record(tls_state_t *tls, unsigned size)
926{
927 uint8_t *buf = tls->outbuf + OUTBUF_PFX;
928 struct record_hdr *xhdr = (void*)(buf - RECHDR_LEN);
929
930 xhdr->type = RECORD_TYPE_HANDSHAKE;
931 xhdr->proto_maj = TLS_MAJ;
932 xhdr->proto_min = TLS_MIN;
933 xhdr->len16_hi = size >> 8;
934 xhdr->len16_lo = size & 0xff;
935 dump_raw_out(">> %s\n", xhdr, RECHDR_LEN + size);
936 xwrite(tls->ofd, xhdr, RECHDR_LEN + size);
937 dbg("wrote %u bytes\n", (int)RECHDR_LEN + size);
938}
939
940static void xwrite_and_update_handshake_hash(tls_state_t *tls, unsigned size)
941{
942 if (!(tls->flags & ENCRYPT_ON_WRITE)) {
943 uint8_t *buf;
944
945 xwrite_handshake_record(tls, size);
946
947 buf = tls->outbuf + OUTBUF_PFX;
948 hash_handshake(tls, ">> hash:%s", buf, size);
949 return;
950 }
951 xwrite_encrypted(tls, size, RECORD_TYPE_HANDSHAKE);
952}
953
954static int tls_has_buffered_record(tls_state_t *tls)
955{
956 int buffered = tls->buffered_size;
957 struct record_hdr *xhdr;
958 int rec_size;
959
960 if (buffered < RECHDR_LEN)
961 return 0;
962 xhdr = (void*)(tls->inbuf + tls->ofs_to_buffered);
963 rec_size = RECHDR_LEN + (0x100 * xhdr->len16_hi + xhdr->len16_lo);
964 if (buffered < rec_size)
965 return 0;
966 return rec_size;
967}
968
969static const char *alert_text(int code)
970{
971 switch (code) {
972 case 20: return "bad MAC";
973 case 50: return "decode error";
974 case 51: return "decrypt error";
975 case 40: return "handshake failure";
976 case 112: return "unrecognized name";
977 }
978 return itoa(code);
979}
980
981static void tls_aesgcm_decrypt(tls_state_t *tls, uint8_t *buf, int size)
982{
983#define COUNTER(v) (*(uint32_t*)(v + 12))
984
985
986 uint8_t nonce[12 + 4] ALIGNED_long;
987 uint8_t scratch[AES_BLOCK_SIZE] ALIGNED_long;
988
989 unsigned remaining;
990 unsigned cnt;
991
992
993
994
995
996
997
998
999
1000 memcpy(nonce, tls->server_write_IV, 4);
1001 memcpy(nonce + 4, buf, 8);
1002
1003 cnt = 1;
1004 remaining = size;
1005 while (remaining != 0) {
1006 unsigned n;
1007
1008 cnt++;
1009 COUNTER(nonce) = htonl(cnt);
1010 aes_encrypt_one_block(&tls->aes_decrypt, nonce, scratch);
1011 n = remaining > AES_BLOCK_SIZE ? AES_BLOCK_SIZE : remaining;
1012 xorbuf3(buf, scratch, buf + 8, n);
1013 buf += n;
1014 remaining -= n;
1015 }
1016
1017
1018
1019
1020
1021
1022
1023#undef COUNTER
1024}
1025
1026static int tls_xread_record(tls_state_t *tls, const char *expected)
1027{
1028 struct record_hdr *xhdr;
1029 int sz;
1030 int total;
1031 int target;
1032
1033 again:
1034 dbg("ofs_to_buffered:%u buffered_size:%u\n", tls->ofs_to_buffered, tls->buffered_size);
1035 total = tls->buffered_size;
1036 if (total != 0) {
1037 memmove(tls->inbuf, tls->inbuf + tls->ofs_to_buffered, total);
1038
1039
1040 }
1041 errno = 0;
1042 target = MAX_INBUF;
1043 for (;;) {
1044 int rem;
1045
1046 if (total >= RECHDR_LEN && target == MAX_INBUF) {
1047 xhdr = (void*)tls->inbuf;
1048 target = RECHDR_LEN + (0x100 * xhdr->len16_hi + xhdr->len16_lo);
1049
1050 if (target > MAX_INBUF
1051 || xhdr->proto_maj != TLS_MAJ
1052 || xhdr->proto_min != TLS_MIN
1053 ) {
1054 sz = total < target ? total : target;
1055 bad_record_die(tls, expected, sz);
1056 }
1057 dbg("xhdr type:%d ver:%d.%d len:%d\n",
1058 xhdr->type, xhdr->proto_maj, xhdr->proto_min,
1059 0x100 * xhdr->len16_hi + xhdr->len16_lo
1060 );
1061 }
1062
1063 if (total - target >= 0)
1064 break;
1065
1066 rem = tls->inbuf_size - total;
1067 if (rem == 0) {
1068 tls->inbuf_size += MAX_INBUF / 8;
1069 if (tls->inbuf_size > MAX_INBUF)
1070 tls->inbuf_size = MAX_INBUF;
1071 dbg("inbuf_size:%d\n", tls->inbuf_size);
1072 rem = tls->inbuf_size - total;
1073 tls->inbuf = xrealloc(tls->inbuf, tls->inbuf_size);
1074 }
1075 sz = safe_read(tls->ifd, tls->inbuf + total, rem);
1076 if (sz <= 0) {
1077 if (sz == 0 && total == 0) {
1078
1079 dbg("EOF (without TLS shutdown) from peer\n");
1080 tls->buffered_size = 0;
1081 goto end;
1082 }
1083 bb_perror_msg_and_die("short read, have only %d", total);
1084 }
1085 dump_raw_in("<< %s\n", tls->inbuf + total, sz);
1086 total += sz;
1087 }
1088 tls->buffered_size = total - target;
1089 tls->ofs_to_buffered = target;
1090
1091
1092
1093 sz = target - RECHDR_LEN;
1094
1095
1096 if (tls->min_encrypted_len_on_read != 0) {
1097 if (sz < (int)tls->min_encrypted_len_on_read)
1098 bb_error_msg_and_die("bad encrypted len:%u", sz);
1099
1100 if (tls->flags & ENCRYPTION_AESGCM) {
1101
1102 uint8_t *p = tls->inbuf + RECHDR_LEN;
1103
1104 sz -= 8 + AES_BLOCK_SIZE;
1105 tls_aesgcm_decrypt(tls, p, sz);
1106 dbg("encrypted size:%u\n", sz);
1107 } else
1108 if (tls->min_encrypted_len_on_read > TLS_MAC_SIZE(tls)) {
1109
1110 uint8_t *p = tls->inbuf + RECHDR_LEN;
1111 int padding_len;
1112
1113 if (sz & (AES_BLOCK_SIZE-1))
1114 bb_error_msg_and_die("bad encrypted len:%u", sz);
1115
1116
1117 sz -= AES_BLOCK_SIZE;
1118 aes_cbc_decrypt(
1119 &tls->aes_decrypt,
1120 p,
1121 p + AES_BLOCK_SIZE, sz,
1122 p
1123 );
1124 padding_len = p[sz - 1];
1125 dbg("encrypted size:%u type:0x%02x padding_length:0x%02x\n", sz, p[0], padding_len);
1126 padding_len++;
1127 sz -= TLS_MAC_SIZE(tls) + padding_len;
1128 } else {
1129
1130
1131 sz -= tls->min_encrypted_len_on_read;
1132 }
1133 }
1134 if (sz < 0)
1135 bb_error_msg_and_die("encrypted data too short");
1136
1137
1138
1139 xhdr = (void*)tls->inbuf;
1140 if (xhdr->type == RECORD_TYPE_ALERT && sz >= 2) {
1141 uint8_t *p = tls->inbuf + RECHDR_LEN;
1142 dbg("ALERT size:%d level:%d description:%d\n", sz, p[0], p[1]);
1143 if (p[0] == 2) {
1144 bb_error_msg_and_die("TLS %s from peer (alert code %d): %s",
1145 "error",
1146 p[1], alert_text(p[1])
1147 );
1148 }
1149 if (p[0] == 1) {
1150 if (p[1] == 0) {
1151 dbg("EOF (TLS encoded) from peer\n");
1152 sz = 0;
1153 goto end;
1154 }
1155
1156
1157
1158
1159
1160
1161
1162 goto again;
1163 }
1164
1165 sz = 0;
1166 goto end;
1167 }
1168
1169
1170
1171
1172 if (tls->inbuf[0] == RECORD_TYPE_HANDSHAKE
1173
1174
1175 ) {
1176 hash_handshake(tls, "<< hash:%s", tls->inbuf + RECHDR_LEN, sz);
1177 }
1178 end:
1179 dbg("got block len:%u\n", sz);
1180 return sz;
1181}
1182
1183static void binary_to_pstm(pstm_int *pstm_n, uint8_t *bin_ptr, unsigned len)
1184{
1185 pstm_init_for_read_unsigned_bin( NULL, pstm_n, len);
1186 pstm_read_unsigned_bin(pstm_n, bin_ptr, len);
1187
1188}
1189
1190
1191
1192
1193static unsigned get_der_len(uint8_t **bodyp, uint8_t *der, uint8_t *end)
1194{
1195 unsigned len, len1;
1196
1197 if (end - der < 2)
1198 xfunc_die();
1199
1200
1201
1202 len = der[1];
1203 if (len >= 0x80) {
1204
1205
1206 if (len == 0x80 || end - der < (int)(len - 0x7e)) {
1207
1208
1209 xfunc_die();
1210 }
1211
1212 len1 = der[2];
1213 if (len > 0x82) {
1214
1215 xfunc_die();
1216 }
1217 if (len == 0x82) {
1218 len1 = 0x100*len1 + der[3];
1219 der += 1;
1220 }
1221 der += 1;
1222 len = len1;
1223
1224
1225 }
1226 der += 2;
1227
1228 if (end - der < (int)len)
1229 xfunc_die();
1230 *bodyp = der;
1231
1232 return len;
1233}
1234
1235static uint8_t *enter_der_item(uint8_t *der, uint8_t **endp)
1236{
1237 uint8_t *new_der;
1238 unsigned len = get_der_len(&new_der, der, *endp);
1239 dbg_der("entered der @%p:0x%02x len:%u inner_byte @%p:0x%02x\n", der, der[0], len, new_der, new_der[0]);
1240
1241 *endp = new_der + len;
1242 return new_der;
1243}
1244
1245static uint8_t *skip_der_item(uint8_t *der, uint8_t *end)
1246{
1247 uint8_t *new_der;
1248 unsigned len = get_der_len(&new_der, der, end);
1249
1250 new_der += len;
1251 dbg_der("skipped der 0x%02x, next byte 0x%02x\n", der[0], new_der[0]);
1252 return new_der;
1253}
1254
1255static void der_binary_to_pstm(pstm_int *pstm_n, uint8_t *der, uint8_t *end)
1256{
1257 uint8_t *bin_ptr;
1258 unsigned len = get_der_len(&bin_ptr, der, end);
1259
1260 dbg_der("binary bytes:%u, first:0x%02x\n", len, bin_ptr[0]);
1261 binary_to_pstm(pstm_n, bin_ptr, len);
1262}
1263
1264static void find_key_in_der_cert(tls_state_t *tls, uint8_t *der, int len)
1265{
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357 uint8_t *end = der + len;
1358
1359
1360 der = enter_der_item(der, &end);
1361
1362
1363 der = enter_der_item(der, &end);
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377 if (der[0] == 0xa0)
1378 der = skip_der_item(der, end);
1379
1380
1381 der = skip_der_item(der, end);
1382 der = skip_der_item(der, end);
1383 der = skip_der_item(der, end);
1384 der = skip_der_item(der, end);
1385 der = skip_der_item(der, end);
1386
1387
1388 der = enter_der_item(der, &end);
1389 {
1390 static const uint8_t OID_RSA_KEY_ALG[] = {
1391 0x30,0x0d,
1392 0x06,0x09, 0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x01,
1393
1394 };
1395 static const uint8_t OID_ECDSA_KEY_ALG[] = {
1396 0x30,0x13,
1397 0x06,0x07, 0x2a,0x86,0x48,0xce,0x3d,0x02,0x01,
1398
1399
1400
1401
1402
1403
1404
1405 };
1406 if (memcmp(der, OID_RSA_KEY_ALG, sizeof(OID_RSA_KEY_ALG)) == 0) {
1407 dbg("RSA key\n");
1408 tls->flags |= GOT_CERT_RSA_KEY_ALG;
1409 } else
1410 if (memcmp(der, OID_ECDSA_KEY_ALG, sizeof(OID_ECDSA_KEY_ALG)) == 0) {
1411 dbg("ECDSA key\n");
1412
1413 } else
1414 bb_error_msg_and_die("not RSA or ECDSA cert");
1415 }
1416
1417 if (tls->flags & GOT_CERT_RSA_KEY_ALG) {
1418
1419
1420
1421 der = skip_der_item(der, end);
1422
1423
1424 der = enter_der_item(der, &end);
1425
1426 dbg("key bytes:%u, first:0x%02x\n", (int)(end - der), der[0]);
1427 if (end - der < 14)
1428 xfunc_die();
1429
1430
1431
1432
1433
1434
1435 if (*der != 0)
1436 xfunc_die();
1437 der++;
1438 der = enter_der_item(der, &end);
1439
1440 der_binary_to_pstm(&tls->hsd->server_rsa_pub_key.N, der, end);
1441 der = skip_der_item(der, end);
1442 der_binary_to_pstm(&tls->hsd->server_rsa_pub_key.e, der, end);
1443 tls->hsd->server_rsa_pub_key.size = pstm_unsigned_bin_size(&tls->hsd->server_rsa_pub_key.N);
1444 dbg("server_rsa_pub_key.size:%d\n", tls->hsd->server_rsa_pub_key.size);
1445 }
1446
1447
1448
1449
1450
1451}
1452
1453
1454
1455
1456static int tls_xread_handshake_block(tls_state_t *tls, int min_len)
1457{
1458 struct record_hdr *xhdr;
1459 int len = tls_xread_record(tls, "handshake record");
1460
1461 xhdr = (void*)tls->inbuf;
1462 if (len < min_len
1463 || xhdr->type != RECORD_TYPE_HANDSHAKE
1464 ) {
1465 bad_record_die(tls, "handshake record", len);
1466 }
1467 dbg("got HANDSHAKE\n");
1468 return len;
1469}
1470
1471static ALWAYS_INLINE void fill_handshake_record_hdr(void *buf, unsigned type, unsigned len)
1472{
1473 struct handshake_hdr {
1474 uint8_t type;
1475 uint8_t len24_hi, len24_mid, len24_lo;
1476 } *h = buf;
1477
1478 len -= 4;
1479 h->type = type;
1480 h->len24_hi = len >> 16;
1481 h->len24_mid = len >> 8;
1482 h->len24_lo = len & 0xff;
1483}
1484
1485static void send_client_hello_and_alloc_hsd(tls_state_t *tls, const char *sni)
1486{
1487#define NUM_CIPHERS (7 + 6 * ENABLE_FEATURE_TLS_SHA1 + ALLOW_RSA_NULL_SHA256)
1488 static const uint8_t ciphers[] = {
1489 0x00,2 + NUM_CIPHERS*2,
1490 0x00,0xFF,
1491
1492#if ENABLE_FEATURE_TLS_SHA1
1493 0xC0,0x09,
1494 0xC0,0x0A,
1495 0xC0,0x13,
1496 0xC0,0x14,
1497
1498
1499#endif
1500 0xC0,0x23,
1501
1502 0xC0,0x27,
1503
1504 0xC0,0x2B,
1505
1506
1507 0xC0,0x2F,
1508
1509
1510#if ENABLE_FEATURE_TLS_SHA1
1511
1512
1513#endif
1514
1515
1516#if ENABLE_FEATURE_TLS_SHA1
1517 0x00,0x2F,
1518 0x00,0x35,
1519#endif
1520 0x00,0x3C,
1521 0x00,0x3D,
1522 0x00,0x9C,
1523
1524#if ALLOW_RSA_NULL_SHA256
1525 0x00,0x3B,
1526#endif
1527 0x01,0x00,
1528 };
1529 static const uint8_t supported_groups[] = {
1530 0x00,0x0a,
1531 0x00,0x04,
1532 0x00,0x02,
1533 0x00,0x1d,
1534
1535
1536
1537 };
1538
1539
1540
1541
1542
1543
1544
1545 struct client_hello {
1546 uint8_t type;
1547 uint8_t len24_hi, len24_mid, len24_lo;
1548 uint8_t proto_maj, proto_min;
1549 uint8_t rand32[32];
1550 uint8_t session_id_len;
1551
1552 uint8_t cipherid_len16_hi, cipherid_len16_lo;
1553 uint8_t cipherid[2 + NUM_CIPHERS*2];
1554 uint8_t comprtypes_len;
1555 uint8_t comprtypes[1];
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576 };
1577 struct client_hello *record;
1578 uint8_t *ptr;
1579 int len;
1580 int ext_len;
1581 int sni_len = sni ? strnlen(sni, 127 - 5) : 0;
1582
1583 ext_len = 0;
1584
1585 ext_len += sizeof(supported_groups);
1586 if (sni_len)
1587 ext_len += 9 + sni_len;
1588
1589
1590 len = sizeof(*record) + 2 + ext_len;
1591 record = tls_get_zeroed_outbuf(tls, len);
1592
1593 fill_handshake_record_hdr(record, HANDSHAKE_CLIENT_HELLO, len);
1594 record->proto_maj = TLS_MAJ;
1595 record->proto_min = TLS_MIN;
1596 tls_get_random(record->rand32, sizeof(record->rand32));
1597 if (TLS_DEBUG_FIXED_SECRETS)
1598 memset(record->rand32, 0x11, sizeof(record->rand32));
1599
1600
1601 BUILD_BUG_ON(sizeof(ciphers) != 2 + 2 + NUM_CIPHERS*2 + 2);
1602 memcpy(&record->cipherid_len16_hi, ciphers, sizeof(ciphers));
1603
1604 ptr = (void*)(record + 1);
1605 *ptr++ = ext_len >> 8;
1606 *ptr++ = ext_len;
1607 if (sni_len) {
1608
1609
1610
1611 ptr[3] = sni_len + 5;
1612
1613 ptr[5] = sni_len + 3;
1614
1615
1616 ptr[8] = sni_len;
1617 ptr = mempcpy(&ptr[9], sni, sni_len);
1618 }
1619 memcpy(ptr, supported_groups, sizeof(supported_groups));
1620
1621 tls->hsd = xzalloc(sizeof(*tls->hsd));
1622
1623 memcpy(tls->hsd->client_and_server_rand32, record->rand32, sizeof(record->rand32));
1624
1625
1626
1627
1628 dbg(">> CLIENT_HELLO\n");
1629
1630
1631
1632 sha256_begin(&tls->hsd->handshake_hash_ctx);
1633 xwrite_and_update_handshake_hash(tls, len);
1634
1635
1636
1637
1638}
1639
1640static void get_server_hello(tls_state_t *tls)
1641{
1642 struct server_hello {
1643 struct record_hdr xhdr;
1644 uint8_t type;
1645 uint8_t len24_hi, len24_mid, len24_lo;
1646 uint8_t proto_maj, proto_min;
1647 uint8_t rand32[32];
1648 uint8_t session_id_len;
1649 uint8_t session_id[32];
1650 uint8_t cipherid_hi, cipherid_lo;
1651 uint8_t comprtype;
1652
1653 };
1654
1655 struct server_hello *hp;
1656 uint8_t *cipherid;
1657 uint8_t cipherid1;
1658 int len, len24;
1659
1660 len = tls_xread_handshake_block(tls, 74 - 32);
1661
1662 hp = (void*)tls->inbuf;
1663
1664
1665
1666 if (hp->type != HANDSHAKE_SERVER_HELLO
1667 || hp->len24_hi != 0
1668 || hp->len24_mid != 0
1669
1670 || hp->proto_maj != TLS_MAJ
1671 || hp->proto_min != TLS_MIN
1672 ) {
1673 bad_record_die(tls, "'server hello'", len);
1674 }
1675
1676 cipherid = &hp->cipherid_hi;
1677 len24 = hp->len24_lo;
1678 if (hp->session_id_len != 32) {
1679 if (hp->session_id_len != 0)
1680 bad_record_die(tls, "'server hello'", len);
1681
1682
1683
1684
1685
1686 cipherid -= 32;
1687 len24 += 32;
1688 }
1689
1690 if (len24 < 70)
1691 bad_record_die(tls, "'server hello'", len);
1692 dbg("<< SERVER_HELLO\n");
1693
1694 memcpy(tls->hsd->client_and_server_rand32 + 32, hp->rand32, sizeof(hp->rand32));
1695
1696
1697#if 0
1698#if ENABLE_FEATURE_TLS_SHA1
1699 0xC0,0x09,
1700 0xC0,0x0A,
1701 0xC0,0x13,
1702 0xC0,0x14,
1703
1704
1705#endif
1706 0xC0,0x23,
1707
1708 0xC0,0x27,
1709
1710 0xC0,0x2B,
1711
1712
1713 0xC0,0x2F,
1714
1715
1716#if ENABLE_FEATURE_TLS_SHA1
1717
1718
1719#endif
1720
1721
1722#if ENABLE_FEATURE_TLS_SHA1
1723 0x00,0x2F,
1724 0x00,0x35,
1725#endif
1726 0x00,0x3C,
1727 0x00,0x3D,
1728 0x00,0x9C,
1729
1730#if ALLOW_RSA_NULL_SHA256
1731 0x00,0x3B,
1732#endif
1733#endif
1734 cipherid1 = cipherid[1];
1735 tls->cipher_id = 0x100 * cipherid[0] + cipherid1;
1736 tls->key_size = AES256_KEYSIZE;
1737 tls->MAC_size = SHA256_OUTSIZE;
1738
1739 if (cipherid[0] == 0xC0) {
1740
1741 tls->flags |= NEED_EC_KEY;
1742 if (cipherid1 & 1) {
1743
1744 tls->key_size = AES128_KEYSIZE;
1745 }
1746 if (ENABLE_FEATURE_TLS_SHA1 && cipherid1 <= 0x19) {
1747 tls->MAC_size = SHA1_OUTSIZE;
1748 } else
1749 if (cipherid1 >= 0x2B && cipherid1 <= 0x30) {
1750
1751 tls->flags |= ENCRYPTION_AESGCM;
1752 tls->MAC_size = 0;
1753 tls->IV_size = 4;
1754 }
1755 } else {
1756
1757 if ((ENABLE_FEATURE_TLS_SHA1 && cipherid1 == 0x2F)
1758 || cipherid1 == 0x3C
1759 || cipherid1 == 0x9C
1760 ) {
1761 tls->key_size = AES128_KEYSIZE;
1762 }
1763 if (ENABLE_FEATURE_TLS_SHA1 && cipherid1 <= 0x35) {
1764 tls->MAC_size = SHA1_OUTSIZE;
1765 } else
1766 if (cipherid1 == 0x9C ) {
1767
1768 tls->flags |= ENCRYPTION_AESGCM;
1769 tls->MAC_size = 0;
1770 tls->IV_size = 4;
1771 }
1772 }
1773 dbg("server chose cipher %04x\n", tls->cipher_id);
1774 dbg("key_size:%u MAC_size:%u IV_size:%u\n", tls->key_size, tls->MAC_size, tls->IV_size);
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
1790}
1791
1792static void get_server_cert(tls_state_t *tls)
1793{
1794 struct record_hdr *xhdr;
1795 uint8_t *certbuf;
1796 int len, len1;
1797
1798 len = tls_xread_handshake_block(tls, 10);
1799
1800 xhdr = (void*)tls->inbuf;
1801 certbuf = (void*)(xhdr + 1);
1802 if (certbuf[0] != HANDSHAKE_CERTIFICATE)
1803 bad_record_die(tls, "certificate", len);
1804 dbg("<< CERTIFICATE\n");
1805
1806
1807
1808 len1 = get24be(certbuf + 1);
1809 if (len1 > len - 4) tls_error_die(tls);
1810 len = len1;
1811 len1 = get24be(certbuf + 4);
1812 if (len1 > len - 3) tls_error_die(tls);
1813 len = len1;
1814 len1 = get24be(certbuf + 7);
1815 if (len1 > len - 3) tls_error_die(tls);
1816 len = len1;
1817
1818 if (len)
1819 find_key_in_der_cert(tls, certbuf + 10, len);
1820}
1821
1822
1823
1824
1825static void process_server_key(tls_state_t *tls, int len)
1826{
1827 struct record_hdr *xhdr;
1828 uint8_t *keybuf;
1829 int len1;
1830 uint32_t t32;
1831
1832 xhdr = (void*)tls->inbuf;
1833 keybuf = (void*)(xhdr + 1);
1834
1835
1836
1837
1838
1839
1840
1841
1842
1843
1844
1845
1846
1847
1848
1849
1850
1851
1852
1853
1854
1855
1856
1857
1858
1859
1860
1861
1862
1863
1864
1865
1866
1867
1868 len1 = get24be(keybuf + 1);
1869 if (len1 > len - 4) tls_error_die(tls);
1870 len = len1;
1871 if (len < (1+2+1+32)) tls_error_die(tls);
1872 keybuf += 4;
1873
1874
1875 move_from_unaligned32(t32, keybuf);
1876 if (t32 != htonl(0x03001d20))
1877 bb_error_msg_and_die("elliptic curve is not x25519");
1878
1879 memcpy(tls->hsd->ecc_pub_key32, keybuf + 4, 32);
1880 tls->flags |= GOT_EC_KEY;
1881 dbg("got eccPubKey\n");
1882}
1883
1884static void send_empty_client_cert(tls_state_t *tls)
1885{
1886 struct client_empty_cert {
1887 uint8_t type;
1888 uint8_t len24_hi, len24_mid, len24_lo;
1889 uint8_t cert_chain_len24_hi, cert_chain_len24_mid, cert_chain_len24_lo;
1890 };
1891 struct client_empty_cert *record;
1892
1893 record = tls_get_zeroed_outbuf(tls, sizeof(*record));
1894
1895
1896
1897
1898
1899 record->type = HANDSHAKE_CERTIFICATE;
1900 record->len24_lo = 3;
1901
1902 dbg(">> CERTIFICATE\n");
1903 xwrite_and_update_handshake_hash(tls, sizeof(*record));
1904}
1905
1906static void send_client_key_exchange(tls_state_t *tls)
1907{
1908 struct client_key_exchange {
1909 uint8_t type;
1910 uint8_t len24_hi, len24_mid, len24_lo;
1911 uint8_t key[2 + 4 * 1024];
1912 };
1913
1914 struct client_key_exchange *record = tls_get_zeroed_outbuf(tls, sizeof(*record));
1915 uint8_t rsa_premaster[RSA_PREMASTER_SIZE];
1916 uint8_t x25519_premaster[CURVE25519_KEYSIZE];
1917 uint8_t *premaster;
1918 int premaster_size;
1919 int len;
1920
1921 if (!(tls->flags & NEED_EC_KEY)) {
1922
1923 if (!(tls->flags & GOT_CERT_RSA_KEY_ALG))
1924 bb_error_msg("server cert is not RSA");
1925
1926 tls_get_random(rsa_premaster, sizeof(rsa_premaster));
1927 if (TLS_DEBUG_FIXED_SECRETS)
1928 memset(rsa_premaster, 0x44, sizeof(rsa_premaster));
1929
1930
1931
1932
1933 rsa_premaster[0] = TLS_MAJ;
1934 rsa_premaster[1] = TLS_MIN;
1935 dump_hex("premaster:%s\n", rsa_premaster, sizeof(rsa_premaster));
1936 len = psRsaEncryptPub( NULL,
1937 &tls->hsd->server_rsa_pub_key,
1938 rsa_premaster, sizeof(rsa_premaster),
1939 record->key + 2, sizeof(record->key) - 2,
1940 data_param_ignored
1941 );
1942
1943 record->key[0] = len >> 8;
1944 record->key[1] = len & 0xff;
1945 len += 2;
1946 premaster = rsa_premaster;
1947 premaster_size = sizeof(rsa_premaster);
1948 } else {
1949
1950 static const uint8_t basepoint9[CURVE25519_KEYSIZE] = {9};
1951 uint8_t privkey[CURVE25519_KEYSIZE];
1952
1953 if (!(tls->flags & GOT_EC_KEY))
1954 bb_error_msg("server did not provide EC key");
1955
1956
1957 tls_get_random(privkey, sizeof(privkey));
1958 privkey[0] &= 0xf8;
1959 privkey[CURVE25519_KEYSIZE-1] = ((privkey[CURVE25519_KEYSIZE-1] & 0x7f) | 0x40);
1960
1961
1962 curve25519(record->key + 1, privkey, basepoint9);
1963
1964
1965 dbg("computing x25519_premaster\n");
1966 curve25519(x25519_premaster, privkey, tls->hsd->ecc_pub_key32);
1967
1968 len = CURVE25519_KEYSIZE;
1969 record->key[0] = len;
1970 len++;
1971 premaster = x25519_premaster;
1972 premaster_size = sizeof(x25519_premaster);
1973 }
1974
1975 record->type = HANDSHAKE_CLIENT_KEY_EXCHANGE;
1976
1977 record->len24_mid = len >> 8;
1978 record->len24_lo = len & 0xff;
1979 len += 4;
1980
1981 dbg(">> CLIENT_KEY_EXCHANGE\n");
1982 xwrite_and_update_handshake_hash(tls, len);
1983
1984
1985
1986
1987
1988
1989
1990
1991
1992
1993
1994 prf_hmac_sha256(
1995 tls->hsd->master_secret, sizeof(tls->hsd->master_secret),
1996 premaster, premaster_size,
1997 "master secret",
1998 tls->hsd->client_and_server_rand32, sizeof(tls->hsd->client_and_server_rand32)
1999 );
2000 dump_hex("master secret:%s\n", tls->hsd->master_secret, sizeof(tls->hsd->master_secret));
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
2025
2026
2027
2028
2029
2030
2031
2032
2033
2034
2035 {
2036 uint8_t tmp64[64];
2037
2038
2039 memcpy(&tmp64[0] , &tls->hsd->client_and_server_rand32[32], 32);
2040 memcpy(&tmp64[32], &tls->hsd->client_and_server_rand32[0] , 32);
2041
2042 prf_hmac_sha256(
2043 tls->client_write_MAC_key, 2 * (tls->MAC_size + tls->key_size + tls->IV_size),
2044
2045
2046
2047
2048
2049
2050 tls->hsd->master_secret, sizeof(tls->hsd->master_secret),
2051 "key expansion",
2052 tmp64, 64
2053 );
2054 tls->client_write_key = tls->client_write_MAC_key + (2 * tls->MAC_size);
2055 tls->server_write_key = tls->client_write_key + tls->key_size;
2056 tls->client_write_IV = tls->server_write_key + tls->key_size;
2057 tls->server_write_IV = tls->client_write_IV + tls->IV_size;
2058 dump_hex("client_write_MAC_key:%s\n",
2059 tls->client_write_MAC_key, tls->MAC_size
2060 );
2061 dump_hex("client_write_key:%s\n",
2062 tls->client_write_key, tls->key_size
2063 );
2064 dump_hex("client_write_IV:%s\n",
2065 tls->client_write_IV, tls->IV_size
2066 );
2067
2068 aes_setkey(&tls->aes_decrypt, tls->server_write_key, tls->key_size);
2069 aes_setkey(&tls->aes_encrypt, tls->client_write_key, tls->key_size);
2070 {
2071 uint8_t iv[AES_BLOCK_SIZE];
2072 memset(iv, 0, AES_BLOCK_SIZE);
2073 aes_encrypt_one_block(&tls->aes_encrypt, iv, tls->H);
2074 }
2075 }
2076}
2077
2078static const uint8_t rec_CHANGE_CIPHER_SPEC[] = {
2079 RECORD_TYPE_CHANGE_CIPHER_SPEC, TLS_MAJ, TLS_MIN, 00, 01,
2080 01
2081};
2082
2083static void send_change_cipher_spec(tls_state_t *tls)
2084{
2085 dbg(">> CHANGE_CIPHER_SPEC\n");
2086 xwrite(tls->ofd, rec_CHANGE_CIPHER_SPEC, sizeof(rec_CHANGE_CIPHER_SPEC));
2087}
2088
2089
2090
2091
2092
2093
2094
2095
2096
2097
2098
2099
2100
2101
2102
2103
2104
2105
2106
2107
2108
2109
2110
2111
2112
2113
2114
2115
2116
2117
2118
2119
2120
2121
2122
2123
2124
2125
2126static void send_client_finished(tls_state_t *tls)
2127{
2128 struct finished {
2129 uint8_t type;
2130 uint8_t len24_hi, len24_mid, len24_lo;
2131 uint8_t prf_result[12];
2132 };
2133 struct finished *record = tls_get_outbuf(tls, sizeof(*record));
2134 uint8_t handshake_hash[TLS_MAX_MAC_SIZE];
2135 unsigned len;
2136
2137 fill_handshake_record_hdr(record, HANDSHAKE_FINISHED, sizeof(*record));
2138
2139 len = sha_end(&tls->hsd->handshake_hash_ctx, handshake_hash);
2140
2141 prf_hmac_sha256(
2142 record->prf_result, sizeof(record->prf_result),
2143 tls->hsd->master_secret, sizeof(tls->hsd->master_secret),
2144 "client finished",
2145 handshake_hash, len
2146 );
2147 dump_hex("from secret: %s\n", tls->hsd->master_secret, sizeof(tls->hsd->master_secret));
2148 dump_hex("from labelSeed: %s", "client finished", sizeof("client finished")-1);
2149 dump_hex("%s\n", handshake_hash, sizeof(handshake_hash));
2150 dump_hex("=> digest: %s\n", record->prf_result, sizeof(record->prf_result));
2151
2152 dbg(">> FINISHED\n");
2153 xwrite_encrypted(tls, sizeof(*record), RECORD_TYPE_HANDSHAKE);
2154}
2155
2156void FAST_FUNC tls_handshake(tls_state_t *tls, const char *sni)
2157{
2158
2159
2160
2161
2162
2163
2164
2165
2166
2167
2168
2169
2170
2171
2172
2173
2174
2175 int len;
2176 int got_cert_req;
2177
2178 send_client_hello_and_alloc_hsd(tls, sni);
2179 get_server_hello(tls);
2180
2181
2182
2183
2184
2185
2186
2187
2188
2189
2190 get_server_cert(tls);
2191
2192 len = tls_xread_handshake_block(tls, 4);
2193 if (tls->inbuf[RECHDR_LEN] == HANDSHAKE_SERVER_KEY_EXCHANGE) {
2194
2195
2196
2197
2198
2199
2200
2201
2202
2203
2204
2205
2206 dbg("<< SERVER_KEY_EXCHANGE len:%u\n", len);
2207 dump_raw_in("<< %s\n", tls->inbuf, RECHDR_LEN + len);
2208 if (tls->flags & NEED_EC_KEY)
2209 process_server_key(tls, len);
2210
2211
2212 len = tls_xread_handshake_block(tls, 4);
2213 }
2214
2215 got_cert_req = (tls->inbuf[RECHDR_LEN] == HANDSHAKE_CERTIFICATE_REQUEST);
2216 if (got_cert_req) {
2217 dbg("<< CERTIFICATE_REQUEST\n");
2218
2219
2220
2221
2222
2223
2224
2225
2226
2227
2228 len = tls_xread_handshake_block(tls, 4);
2229 }
2230
2231 if (tls->inbuf[RECHDR_LEN] != HANDSHAKE_SERVER_HELLO_DONE) {
2232 bad_record_die(tls, "'server hello done'", len);
2233 }
2234
2235 dbg("<< SERVER_HELLO_DONE\n");
2236
2237 if (got_cert_req)
2238 send_empty_client_cert(tls);
2239
2240 send_client_key_exchange(tls);
2241
2242 send_change_cipher_spec(tls);
2243
2244
2245 tls->flags |= ENCRYPT_ON_WRITE;
2246
2247 send_client_finished(tls);
2248
2249
2250 len = tls_xread_record(tls, "switch to encrypted traffic");
2251 if (len != 1 || memcmp(tls->inbuf, rec_CHANGE_CIPHER_SPEC, 6) != 0)
2252 bad_record_die(tls, "switch to encrypted traffic", len);
2253 dbg("<< CHANGE_CIPHER_SPEC\n");
2254
2255 if (ALLOW_RSA_NULL_SHA256
2256 && tls->cipher_id == TLS_RSA_WITH_NULL_SHA256
2257 ) {
2258 tls->min_encrypted_len_on_read = tls->MAC_size;
2259 } else
2260 if (!(tls->flags & ENCRYPTION_AESGCM)) {
2261 unsigned mac_blocks = (unsigned)(TLS_MAC_SIZE(tls) + AES_BLOCK_SIZE-1) / AES_BLOCK_SIZE;
2262
2263
2264
2265 tls->min_encrypted_len_on_read = AES_BLOCK_SIZE + (mac_blocks * AES_BLOCK_SIZE);
2266 } else {
2267 tls->min_encrypted_len_on_read = 8 + AES_BLOCK_SIZE;
2268 }
2269 dbg("min_encrypted_len_on_read: %u\n", tls->min_encrypted_len_on_read);
2270
2271
2272 len = tls_xread_record(tls, "'server finished'");
2273 if (len < 4 || tls->inbuf[RECHDR_LEN] != HANDSHAKE_FINISHED)
2274 bad_record_die(tls, "'server finished'", len);
2275 dbg("<< FINISHED\n");
2276
2277
2278
2279 psRsaKey_clear(&tls->hsd->server_rsa_pub_key);
2280
2281
2282 free(tls->hsd);
2283 tls->hsd = NULL;
2284}
2285
2286static void tls_xwrite(tls_state_t *tls, int len)
2287{
2288 dbg(">> DATA\n");
2289 xwrite_encrypted(tls, len, RECORD_TYPE_APPLICATION_DATA);
2290}
2291
2292
2293
2294
2295
2296
2297
2298
2299
2300
2301void FAST_FUNC tls_run_copy_loop(tls_state_t *tls, unsigned flags)
2302{
2303 int inbuf_size;
2304 const int INBUF_STEP = 4 * 1024;
2305 struct pollfd pfds[2];
2306
2307 pfds[0].fd = STDIN_FILENO;
2308 pfds[0].events = POLLIN;
2309 pfds[1].fd = tls->ifd;
2310 pfds[1].events = POLLIN;
2311
2312 inbuf_size = INBUF_STEP;
2313 for (;;) {
2314 int nread;
2315
2316 if (safe_poll(pfds, 2, -1) < 0)
2317 bb_perror_msg_and_die("poll");
2318
2319 if (pfds[0].revents) {
2320 void *buf;
2321
2322 dbg("STDIN HAS DATA\n");
2323 buf = tls_get_outbuf(tls, inbuf_size);
2324 nread = safe_read(STDIN_FILENO, buf, inbuf_size);
2325 if (nread < 1) {
2326
2327
2328
2329
2330
2331
2332
2333
2334 pfds[0].fd = -1;
2335 tls_free_outbuf(tls);
2336 if (flags & TLSLOOP_EXIT_ON_LOCAL_EOF)
2337 break;
2338 } else {
2339 if (nread == inbuf_size) {
2340
2341
2342
2343 inbuf_size += INBUF_STEP;
2344 if (inbuf_size > TLS_MAX_OUTBUF)
2345 inbuf_size = TLS_MAX_OUTBUF;
2346 }
2347 tls_xwrite(tls, nread);
2348 }
2349 }
2350 if (pfds[1].revents) {
2351 dbg("NETWORK HAS DATA\n");
2352 read_record:
2353 nread = tls_xread_record(tls, "encrypted data");
2354 if (nread < 1) {
2355
2356
2357
2358
2359
2360
2361
2362 break;
2363 }
2364 if (tls->inbuf[0] != RECORD_TYPE_APPLICATION_DATA)
2365 bad_record_die(tls, "encrypted data", nread);
2366 xwrite(STDOUT_FILENO, tls->inbuf + RECHDR_LEN, nread);
2367
2368
2369
2370 if (tls_has_buffered_record(tls))
2371 goto read_record;
2372 }
2373 }
2374}
2375