1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22#include "tls.h"
23
24
25
26#define ALLOW_RSA_NULL_SHA256 0
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66#define TLS_DEBUG 0
67#define TLS_DEBUG_HASH 0
68#define TLS_DEBUG_DER 0
69#define TLS_DEBUG_FIXED_SECRETS 0
70#if 0
71# define dump_raw_out(...) dump_hex(__VA_ARGS__)
72#else
73# define dump_raw_out(...) ((void)0)
74#endif
75#if 0
76# define dump_raw_in(...) dump_hex(__VA_ARGS__)
77#else
78# define dump_raw_in(...) ((void)0)
79#endif
80
81#if TLS_DEBUG
82# define dbg(...) fprintf(stderr, __VA_ARGS__)
83#else
84# define dbg(...) ((void)0)
85#endif
86
87#if TLS_DEBUG_DER
88# define dbg_der(...) fprintf(stderr, __VA_ARGS__)
89#else
90# define dbg_der(...) ((void)0)
91#endif
92
93
94
95#define TLS_MAJ 3
96#define TLS_MIN 3
97
98#define RECORD_TYPE_CHANGE_CIPHER_SPEC 20
99#define RECORD_TYPE_ALERT 21
100#define RECORD_TYPE_HANDSHAKE 22
101#define RECORD_TYPE_APPLICATION_DATA 23
102
103#define HANDSHAKE_HELLO_REQUEST 0
104#define HANDSHAKE_CLIENT_HELLO 1
105#define HANDSHAKE_SERVER_HELLO 2
106#define HANDSHAKE_HELLO_VERIFY_REQUEST 3
107#define HANDSHAKE_NEW_SESSION_TICKET 4
108#define HANDSHAKE_CERTIFICATE 11
109#define HANDSHAKE_SERVER_KEY_EXCHANGE 12
110#define HANDSHAKE_CERTIFICATE_REQUEST 13
111#define HANDSHAKE_SERVER_HELLO_DONE 14
112#define HANDSHAKE_CERTIFICATE_VERIFY 15
113#define HANDSHAKE_CLIENT_KEY_EXCHANGE 16
114#define HANDSHAKE_FINISHED 20
115
116#define TLS_EMPTY_RENEGOTIATION_INFO_SCSV 0x00FF
117
118#define SSL_NULL_WITH_NULL_NULL 0x0000
119#define SSL_RSA_WITH_NULL_MD5 0x0001
120#define SSL_RSA_WITH_NULL_SHA 0x0002
121#define SSL_RSA_WITH_RC4_128_MD5 0x0004
122#define SSL_RSA_WITH_RC4_128_SHA 0x0005
123#define TLS_RSA_WITH_IDEA_CBC_SHA 0x0007
124#define SSL_RSA_WITH_3DES_EDE_CBC_SHA 0x000A
125
126#define SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA 0x0016
127#define SSL_DH_anon_WITH_RC4_128_MD5 0x0018
128#define SSL_DH_anon_WITH_3DES_EDE_CBC_SHA 0x001B
129#define TLS_RSA_WITH_AES_128_CBC_SHA 0x002F
130#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA 0x0033
131#define TLS_DH_anon_WITH_AES_128_CBC_SHA 0x0034
132#define TLS_RSA_WITH_AES_256_CBC_SHA 0x0035
133#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA 0x0039
134#define TLS_DH_anon_WITH_AES_256_CBC_SHA 0x003A
135#define TLS_RSA_WITH_NULL_SHA256 0x003B
136#define TLS_RSA_WITH_AES_128_CBC_SHA256 0x003C
137#define TLS_RSA_WITH_AES_256_CBC_SHA256 0x003D
138#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 0x0067
139#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 0x006B
140#define TLS_PSK_WITH_AES_128_CBC_SHA 0x008C
141#define TLS_PSK_WITH_AES_256_CBC_SHA 0x008D
142#define TLS_DHE_PSK_WITH_AES_128_CBC_SHA 0x0090
143#define TLS_DHE_PSK_WITH_AES_256_CBC_SHA 0x0091
144#define TLS_RSA_WITH_SEED_CBC_SHA 0x0096
145#define TLS_RSA_WITH_AES_128_GCM_SHA256 0x009C
146#define TLS_RSA_WITH_AES_256_GCM_SHA384 0x009D
147#define TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 0x009E
148#define TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 0x009F
149#define TLS_DH_anon_WITH_AES_128_GCM_SHA256 0x00A6
150#define TLS_DH_anon_WITH_AES_256_GCM_SHA384 0x00A7
151#define TLS_PSK_WITH_AES_128_CBC_SHA256 0x00AE
152#define TLS_PSK_WITH_AES_256_CBC_SHA384 0x00AF
153#define TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA 0xC004
154#define TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA 0xC005
155#define TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA 0xC009
156#define TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA 0xC00A
157#define TLS_ECDH_RSA_WITH_AES_128_CBC_SHA 0xC00E
158#define TLS_ECDH_RSA_WITH_AES_256_CBC_SHA 0xC00F
159#define TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA 0xC012
160#define TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 0xC013
161#define TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 0xC014
162#define TLS_ECDH_anon_WITH_AES_128_CBC_SHA 0xC018
163#define TLS_ECDH_anon_WITH_AES_256_CBC_SHA 0xC019
164#define TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 0xC023
165#define TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 0xC024
166#define TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 0xC025
167#define TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 0xC026
168#define TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 0xC027
169#define TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 0xC028
170#define TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 0xC029
171#define TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 0xC02A
172
173#define TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 0xC02B
174#define TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 0xC02C
175#define TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 0xC02D
176#define TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 0xC02E
177#define TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 0xC02F
178#define TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 0xC030
179#define TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 0xC031
180#define TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 0xC032
181#define TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA 0xC035
182#define TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA 0xC036
183#define TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 0xC037
184#define TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 0xC038
185
186
187
188#define TLS_RSA_WITH_AES_128_CCM 0xC09C
189#define TLS_RSA_WITH_AES_256_CCM 0xC09D
190#define TLS_DHE_RSA_WITH_AES_128_CCM 0xC09E
191#define TLS_DHE_RSA_WITH_AES_256_CCM 0xC09F
192#define TLS_RSA_WITH_AES_128_CCM_8 0xC0A0
193#define TLS_RSA_WITH_AES_256_CCM_8 0xC0A1
194#define TLS_DHE_RSA_WITH_AES_128_CCM_8 0xC0A2
195#define TLS_DHE_RSA_WITH_AES_256_CCM_8 0xC0A3
196#define TLS_ECDHE_ECDSA_WITH_AES_128_CCM 0xC0AC
197#define TLS_ECDHE_ECDSA_WITH_AES_256_CCM 0xC0AD
198#define TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 0xC0AE
199#define TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 0xC0AF
200#define TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 0xCCA8
201#define TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 0xCCA9
202#define TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 0xCCAA
203
204#define TLS_AES_128_GCM_SHA256 0x1301
205#define TLS_AES_256_GCM_SHA384 0x1302
206#define TLS_CHACHA20_POLY1305_SHA256 0x1303
207#define TLS_AES_128_CCM_SHA256 0x1304
208
209
210#define TLS_MAX_CRYPTBLOCK_SIZE 16
211#define TLS_MAX_OUTBUF (1 << 14)
212
213enum {
214 SHA_INSIZE = 64,
215 SHA1_OUTSIZE = 20,
216 SHA256_OUTSIZE = 32,
217
218 AES128_KEYSIZE = 16,
219 AES256_KEYSIZE = 32,
220
221 RSA_PREMASTER_SIZE = 48,
222
223 RECHDR_LEN = 5,
224
225
226 OUTBUF_PFX = 8 + AES_BLOCK_SIZE,
227 OUTBUF_SFX = TLS_MAX_MAC_SIZE + TLS_MAX_CRYPTBLOCK_SIZE,
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263 MAX_INBUF = RECHDR_LEN + (1 << 14) + 2048,
264
265
266 NEED_EC_KEY = 1 << 0,
267 GOT_CERT_RSA_KEY_ALG = 1 << 1,
268 GOT_CERT_ECDSA_KEY_ALG = 1 << 2,
269 GOT_EC_KEY = 1 << 3,
270 ENCRYPTION_AESGCM = 1 << 4,
271 ENCRYPT_ON_WRITE = 1 << 5,
272};
273
274struct record_hdr {
275 uint8_t type;
276 uint8_t proto_maj, proto_min;
277 uint8_t len16_hi, len16_lo;
278};
279
280struct tls_handshake_data {
281
282 md5sha_ctx_t handshake_hash_ctx;
283
284 uint8_t client_and_server_rand32[2 * 32];
285 uint8_t master_secret[48];
286
287
288
289 psRsaKey_t server_rsa_pub_key;
290 uint8_t ecc_pub_key32[32];
291
292
293
294
295};
296
297
298static unsigned get24be(const uint8_t *p)
299{
300 return 0x100*(0x100*p[0] + p[1]) + p[2];
301}
302
303#if TLS_DEBUG
304
305# if TLS_DEBUG_HASH
306static unsigned sha_peek(md5sha_ctx_t *ctx, void *buffer)
307{
308 md5sha_ctx_t ctx_copy = *ctx;
309 return sha_end(&ctx_copy, buffer);
310}
311# endif
312
313static void dump_hex(const char *fmt, const void *vp, int len)
314{
315 char hexbuf[32 * 1024 + 4];
316 const uint8_t *p = vp;
317
318 bin2hex(hexbuf, (void*)p, len)[0] = '\0';
319 dbg(fmt, hexbuf);
320}
321
322static void dump_tls_record(const void *vp, int len)
323{
324 const uint8_t *p = vp;
325
326 while (len > 0) {
327 unsigned xhdr_len;
328 if (len < RECHDR_LEN) {
329 dump_hex("< |%s|\n", p, len);
330 return;
331 }
332 xhdr_len = 0x100*p[3] + p[4];
333 dbg("< hdr_type:%u ver:%u.%u len:%u", p[0], p[1], p[2], xhdr_len);
334 p += RECHDR_LEN;
335 len -= RECHDR_LEN;
336 if (len >= 4 && p[-RECHDR_LEN] == RECORD_TYPE_HANDSHAKE) {
337 unsigned len24 = get24be(p + 1);
338 dbg(" type:%u len24:%u", p[0], len24);
339 }
340 if (xhdr_len > len)
341 xhdr_len = len;
342 dump_hex(" |%s|\n", p, xhdr_len);
343 p += xhdr_len;
344 len -= xhdr_len;
345 }
346}
347#else
348# define dump_hex(...) ((void)0)
349# define dump_tls_record(...) ((void)0)
350#endif
351
352void FAST_FUNC tls_get_random(void *buf, unsigned len)
353{
354 if (len != open_read_close("/dev/urandom", buf, len))
355 xfunc_die();
356}
357
358static void xorbuf3(void *dst, const void *src1, const void *src2, unsigned count)
359{
360 uint8_t *d = dst;
361 const uint8_t *s1 = src1;
362 const uint8_t* s2 = src2;
363 while (count--)
364 *d++ = *s1++ ^ *s2++;
365}
366
367void FAST_FUNC xorbuf(void *dst, const void *src, unsigned count)
368{
369 xorbuf3(dst, dst, src, count);
370}
371
372void FAST_FUNC xorbuf_aligned_AES_BLOCK_SIZE(void *dst, const void *src)
373{
374 unsigned long *d = dst;
375 const unsigned long *s = src;
376 d[0] ^= s[0];
377#if ULONG_MAX <= 0xffffffffffffffff
378 d[1] ^= s[1];
379 #if ULONG_MAX == 0xffffffff
380 d[2] ^= s[2];
381 d[3] ^= s[3];
382 #endif
383#endif
384}
385
386#if !TLS_DEBUG_HASH
387# define hash_handshake(tls, fmt, buffer, len) \
388 hash_handshake(tls, buffer, len)
389#endif
390static void hash_handshake(tls_state_t *tls, const char *fmt, const void *buffer, unsigned len)
391{
392 md5sha_hash(&tls->hsd->handshake_hash_ctx, buffer, len);
393#if TLS_DEBUG_HASH
394 {
395 uint8_t h[TLS_MAX_MAC_SIZE];
396 dump_hex(fmt, buffer, len);
397 dbg(" (%u bytes) ", (int)len);
398 len = sha_peek(&tls->hsd->handshake_hash_ctx, h);
399 if (ENABLE_FEATURE_TLS_SHA1 && len == SHA1_OUTSIZE)
400 dump_hex("sha1:%s\n", h, len);
401 else
402 if (len == SHA256_OUTSIZE)
403 dump_hex("sha256:%s\n", h, len);
404 else
405 dump_hex("sha???:%s\n", h, len);
406 }
407#endif
408}
409
410#if !ENABLE_FEATURE_TLS_SHA1
411# define TLS_MAC_SIZE(tls) SHA256_OUTSIZE
412#else
413# define TLS_MAC_SIZE(tls) (tls)->MAC_size
414#endif
415
416
417
418
419
420
421
422
423
424
425
426typedef struct hmac_precomputed {
427 md5sha_ctx_t hashed_key_xor_ipad;
428 md5sha_ctx_t hashed_key_xor_opad;
429} hmac_precomputed_t;
430
431typedef void md5sha_begin_func(md5sha_ctx_t *ctx) FAST_FUNC;
432#if !ENABLE_FEATURE_TLS_SHA1
433#define hmac_begin(pre,key,key_size,begin) \
434 hmac_begin(pre,key,key_size)
435#define begin sha256_begin
436#endif
437static void hmac_begin(hmac_precomputed_t *pre, uint8_t *key, unsigned key_size, md5sha_begin_func *begin)
438{
439 uint8_t key_xor_ipad[SHA_INSIZE];
440 uint8_t key_xor_opad[SHA_INSIZE];
441
442 unsigned i;
443
444
445
446
447
448 if (key_size > SHA_INSIZE) {
449 bb_error_msg_and_die("HMAC key>64");
450
451
452
453
454
455
456
457
458
459
460
461 }
462
463 for (i = 0; i < key_size; i++) {
464 key_xor_ipad[i] = key[i] ^ 0x36;
465 key_xor_opad[i] = key[i] ^ 0x5c;
466 }
467 for (; i < SHA_INSIZE; i++) {
468 key_xor_ipad[i] = 0x36;
469 key_xor_opad[i] = 0x5c;
470 }
471
472 begin(&pre->hashed_key_xor_ipad);
473 begin(&pre->hashed_key_xor_opad);
474 md5sha_hash(&pre->hashed_key_xor_ipad, key_xor_ipad, SHA_INSIZE);
475 md5sha_hash(&pre->hashed_key_xor_opad, key_xor_opad, SHA_INSIZE);
476}
477#undef begin
478
479static unsigned hmac_sha_precomputed_v(
480 hmac_precomputed_t *pre,
481 uint8_t *out,
482 va_list va)
483{
484 uint8_t *text;
485 unsigned len;
486
487
488
489
490
491 while ((text = va_arg(va, uint8_t*)) != NULL) {
492 unsigned text_size = va_arg(va, unsigned);
493 md5sha_hash(&pre->hashed_key_xor_ipad, text, text_size);
494 }
495 len = sha_end(&pre->hashed_key_xor_ipad, out);
496
497
498 md5sha_hash(&pre->hashed_key_xor_opad, out, len);
499 return sha_end(&pre->hashed_key_xor_opad, out);
500}
501
502static unsigned hmac_sha_precomputed(hmac_precomputed_t *pre_init, uint8_t *out, ...)
503{
504 hmac_precomputed_t pre;
505 va_list va;
506 unsigned len;
507
508 va_start(va, out);
509 pre = *pre_init;
510 len = hmac_sha_precomputed_v(&pre, out, va);
511 va_end(va);
512 return len;
513}
514
515#if !ENABLE_FEATURE_TLS_SHA1
516#define hmac(tls,out,key,key_size,...) \
517 hmac(out,key,key_size, __VA_ARGS__)
518#endif
519static unsigned hmac(tls_state_t *tls, uint8_t *out, uint8_t *key, unsigned key_size, ...)
520{
521 hmac_precomputed_t pre;
522 va_list va;
523 unsigned len;
524
525 va_start(va, key_size);
526
527 hmac_begin(&pre, key, key_size,
528 (ENABLE_FEATURE_TLS_SHA1 && tls->MAC_size == SHA1_OUTSIZE)
529 ? sha1_begin
530 : sha256_begin
531 );
532 len = hmac_sha_precomputed_v(&pre, out, va);
533
534 va_end(va);
535 return len;
536}
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576static void prf_hmac_sha256(
577 uint8_t *outbuf, unsigned outbuf_size,
578 uint8_t *secret, unsigned secret_size,
579 const char *label,
580 uint8_t *seed, unsigned seed_size)
581{
582 hmac_precomputed_t pre;
583 uint8_t a[TLS_MAX_MAC_SIZE];
584 uint8_t *out_p = outbuf;
585 unsigned label_size = strlen(label);
586 unsigned MAC_size = SHA256_OUTSIZE;
587
588
589#define SEED label, label_size, seed, seed_size
590#define A a, MAC_size
591
592 hmac_begin(&pre, secret, secret_size, sha256_begin);
593
594
595 hmac_sha_precomputed(&pre, a, SEED, NULL);
596
597 for (;;) {
598
599 if (outbuf_size <= MAC_size) {
600
601
602 hmac_sha_precomputed(&pre, a, A, SEED, NULL);
603 memcpy(out_p, a, outbuf_size);
604 return;
605 }
606
607 hmac_sha_precomputed(&pre, out_p, A, SEED, NULL);
608 out_p += MAC_size;
609 outbuf_size -= MAC_size;
610
611 hmac_sha_precomputed(&pre, a, A, NULL);
612 }
613#undef A
614#undef SECRET
615#undef SEED
616}
617
618static void bad_record_die(tls_state_t *tls, const char *expected, int len)
619{
620 bb_error_msg("got bad TLS record (len:%d) while expecting %s", len, expected);
621 if (len > 0) {
622 uint8_t *p = tls->inbuf;
623 if (len > 99)
624 len = 99;
625 do {
626 fprintf(stderr, " %02x", *p++);
627 len--;
628 } while (len != 0);
629 fputc('\n', stderr);
630 }
631 xfunc_die();
632}
633
634static void tls_error_die(tls_state_t *tls, int line)
635{
636 dump_tls_record(tls->inbuf, tls->ofs_to_buffered + tls->buffered_size);
637 bb_error_msg_and_die("tls error at line %d cipher:%04x", line, tls->cipher_id);
638}
639#define tls_error_die(tls) tls_error_die(tls, __LINE__)
640
641#if 0
642static void tls_free_inbuf(tls_state_t *tls)
643{
644 if (tls->buffered_size == 0) {
645 free(tls->inbuf);
646 tls->inbuf_size = 0;
647 tls->inbuf = NULL;
648 }
649}
650#endif
651
652static void tls_free_outbuf(tls_state_t *tls)
653{
654 free(tls->outbuf);
655 tls->outbuf_size = 0;
656 tls->outbuf = NULL;
657}
658
659static void *tls_get_outbuf(tls_state_t *tls, int len)
660{
661 if (len > TLS_MAX_OUTBUF)
662 xfunc_die();
663 len += OUTBUF_PFX + OUTBUF_SFX;
664 if (tls->outbuf_size < len) {
665 tls->outbuf_size = len;
666 tls->outbuf = xrealloc(tls->outbuf, len);
667 }
668 return tls->outbuf + OUTBUF_PFX;
669}
670
671static void *tls_get_zeroed_outbuf(tls_state_t *tls, int len)
672{
673 void *record = tls_get_outbuf(tls, len);
674 memset(record, 0, len);
675 return record;
676}
677
678static void xwrite_encrypted_and_hmac_signed(tls_state_t *tls, unsigned size, unsigned type)
679{
680 uint8_t *buf = tls->outbuf + OUTBUF_PFX;
681 struct record_hdr *xhdr;
682 uint8_t padding_length;
683
684 xhdr = (void*)(buf - RECHDR_LEN);
685 if (!ALLOW_RSA_NULL_SHA256
686 || tls->cipher_id != TLS_RSA_WITH_NULL_SHA256
687 ) {
688 xhdr = (void*)(buf - RECHDR_LEN - AES_BLOCK_SIZE);
689 }
690
691 xhdr->type = type;
692 xhdr->proto_maj = TLS_MAJ;
693 xhdr->proto_min = TLS_MIN;
694
695 xhdr->len16_hi = size >> 8;
696 xhdr->len16_lo = size & 0xff;
697
698
699 hmac(tls, buf + size,
700 tls->client_write_MAC_key, TLS_MAC_SIZE(tls),
701 &tls->write_seq64_be, sizeof(tls->write_seq64_be),
702 xhdr, RECHDR_LEN,
703 buf, size,
704 NULL
705 );
706 tls->write_seq64_be = SWAP_BE64(1 + SWAP_BE64(tls->write_seq64_be));
707
708 size += TLS_MAC_SIZE(tls);
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743 if (ALLOW_RSA_NULL_SHA256
744 && tls->cipher_id == TLS_RSA_WITH_NULL_SHA256
745 ) {
746
747 xhdr->len16_hi = size >> 8;
748 xhdr->len16_lo = size & 0xff;
749 dump_raw_out(">> %s\n", xhdr, RECHDR_LEN + size);
750 xwrite(tls->ofd, xhdr, RECHDR_LEN + size);
751 dbg("wrote %u bytes (NULL crypt, SHA256 hash)\n", size);
752 return;
753 }
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791 tls_get_random(buf - AES_BLOCK_SIZE, AES_BLOCK_SIZE);
792 dbg("before crypt: 5 hdr + %u data + %u hash bytes\n",
793 size - TLS_MAC_SIZE(tls), TLS_MAC_SIZE(tls));
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811 padding_length = (~size) & (AES_BLOCK_SIZE - 1);
812 do {
813 buf[size++] = padding_length;
814 } while ((size & (AES_BLOCK_SIZE - 1)) != 0);
815
816
817 aes_cbc_encrypt(
818 &tls->aes_encrypt,
819 buf - AES_BLOCK_SIZE,
820 buf, size,
821 buf
822 );
823
824
825 dbg("writing 5 + %u IV + %u encrypted bytes, padding_length:0x%02x\n",
826 AES_BLOCK_SIZE, size, padding_length);
827 size += AES_BLOCK_SIZE;
828 xhdr->len16_hi = size >> 8;
829 xhdr->len16_lo = size & 0xff;
830 dump_raw_out(">> %s\n", xhdr, RECHDR_LEN + size);
831 xwrite(tls->ofd, xhdr, RECHDR_LEN + size);
832 dbg("wrote %u bytes\n", (int)RECHDR_LEN + size);
833}
834
835
836
837
838
839
840
841
842
843
844
845static void xwrite_encrypted_aesgcm(tls_state_t *tls, unsigned size, unsigned type)
846{
847#define COUNTER(v) (*(uint32_t*)(v + 12))
848
849 uint8_t aad[13 + 3] ALIGNED_long;
850 uint8_t nonce[12 + 4] ALIGNED_long;
851 uint8_t scratch[AES_BLOCK_SIZE] ALIGNED_long;
852 uint8_t authtag[AES_BLOCK_SIZE] ALIGNED_long;
853 uint8_t *buf;
854 struct record_hdr *xhdr;
855 unsigned remaining;
856 unsigned cnt;
857 uint64_t t64;
858
859 buf = tls->outbuf + OUTBUF_PFX;
860 dump_hex("xwrite_encrypted_aesgcm plaintext:%s\n", buf, size);
861
862 xhdr = (void*)(buf - 8 - RECHDR_LEN);
863 xhdr->type = type;
864
865 aad[8] = type;
866 aad[9] = TLS_MAJ;
867 aad[10] = TLS_MIN;
868 aad[11] = size >> 8;
869
870 COUNTER(aad) = SWAP_LE32(size & 0xff);
871
872 memcpy(nonce, tls->client_write_IV, 4);
873 t64 = tls->write_seq64_be;
874 move_to_unaligned64(nonce + 4, t64);
875 move_to_unaligned64(aad, t64);
876 move_to_unaligned64(buf - 8, t64);
877
878 tls->write_seq64_be = SWAP_BE64(1 + SWAP_BE64(t64));
879
880 cnt = 1;
881 remaining = size;
882 while (remaining != 0) {
883 unsigned n;
884
885 cnt++;
886 COUNTER(nonce) = htonl(cnt);
887 aes_encrypt_one_block(&tls->aes_encrypt, nonce, scratch);
888 n = remaining > AES_BLOCK_SIZE ? AES_BLOCK_SIZE : remaining;
889 xorbuf(buf, scratch, n);
890 buf += n;
891 remaining -= n;
892 }
893
894 aesgcm_GHASH(tls->H, aad, tls->outbuf + OUTBUF_PFX, size, authtag );
895 COUNTER(nonce) = htonl(1);
896 aes_encrypt_one_block(&tls->aes_encrypt, nonce, scratch);
897 xorbuf_aligned_AES_BLOCK_SIZE(authtag, scratch);
898
899 memcpy(buf, authtag, sizeof(authtag));
900
901
902 xhdr = (void*)(tls->outbuf + OUTBUF_PFX - 8 - RECHDR_LEN);
903 size += 8 + sizeof(authtag);
904
905 xhdr->proto_maj = TLS_MAJ;
906 xhdr->proto_min = TLS_MIN;
907 xhdr->len16_hi = size >> 8;
908 xhdr->len16_lo = size & 0xff;
909 size += RECHDR_LEN;
910 dump_raw_out(">> %s\n", xhdr, size);
911 xwrite(tls->ofd, xhdr, size);
912 dbg("wrote %u bytes\n", size);
913#undef COUNTER
914}
915
916static void xwrite_encrypted(tls_state_t *tls, unsigned size, unsigned type)
917{
918 if (!(tls->flags & ENCRYPTION_AESGCM)) {
919 xwrite_encrypted_and_hmac_signed(tls, size, type);
920 return;
921 }
922 xwrite_encrypted_aesgcm(tls, size, type);
923}
924
925static void xwrite_handshake_record(tls_state_t *tls, unsigned size)
926{
927 uint8_t *buf = tls->outbuf + OUTBUF_PFX;
928 struct record_hdr *xhdr = (void*)(buf - RECHDR_LEN);
929
930 xhdr->type = RECORD_TYPE_HANDSHAKE;
931 xhdr->proto_maj = TLS_MAJ;
932 xhdr->proto_min = TLS_MIN;
933 xhdr->len16_hi = size >> 8;
934 xhdr->len16_lo = size & 0xff;
935 dump_raw_out(">> %s\n", xhdr, RECHDR_LEN + size);
936 xwrite(tls->ofd, xhdr, RECHDR_LEN + size);
937 dbg("wrote %u bytes\n", (int)RECHDR_LEN + size);
938}
939
940static void xwrite_and_update_handshake_hash(tls_state_t *tls, unsigned size)
941{
942 if (!(tls->flags & ENCRYPT_ON_WRITE)) {
943 uint8_t *buf;
944
945 xwrite_handshake_record(tls, size);
946
947 buf = tls->outbuf + OUTBUF_PFX;
948 hash_handshake(tls, ">> hash:%s", buf, size);
949 return;
950 }
951 xwrite_encrypted(tls, size, RECORD_TYPE_HANDSHAKE);
952}
953
954static int tls_has_buffered_record(tls_state_t *tls)
955{
956 int buffered = tls->buffered_size;
957 struct record_hdr *xhdr;
958 int rec_size;
959
960 if (buffered < RECHDR_LEN)
961 return 0;
962 xhdr = (void*)(tls->inbuf + tls->ofs_to_buffered);
963 rec_size = RECHDR_LEN + (0x100 * xhdr->len16_hi + xhdr->len16_lo);
964 if (buffered < rec_size)
965 return 0;
966 return rec_size;
967}
968
969static const char *alert_text(int code)
970{
971 switch (code) {
972 case 20: return "bad MAC";
973 case 50: return "decode error";
974 case 51: return "decrypt error";
975 case 40: return "handshake failure";
976 case 112: return "unrecognized name";
977 }
978 return itoa(code);
979}
980
981static void tls_aesgcm_decrypt(tls_state_t *tls, uint8_t *buf, int size)
982{
983#define COUNTER(v) (*(uint32_t*)(v + 12))
984
985
986 uint8_t nonce[12 + 4] ALIGNED_long;
987 uint8_t scratch[AES_BLOCK_SIZE] ALIGNED_long;
988
989 unsigned remaining;
990 unsigned cnt;
991
992
993
994
995
996
997
998
999
1000 memcpy(nonce, tls->server_write_IV, 4);
1001 memcpy(nonce + 4, buf, 8);
1002
1003 cnt = 1;
1004 remaining = size;
1005 while (remaining != 0) {
1006 unsigned n;
1007
1008 cnt++;
1009 COUNTER(nonce) = htonl(cnt);
1010 aes_encrypt_one_block(&tls->aes_decrypt, nonce, scratch);
1011 n = remaining > AES_BLOCK_SIZE ? AES_BLOCK_SIZE : remaining;
1012 xorbuf3(buf, scratch, buf + 8, n);
1013 buf += n;
1014 remaining -= n;
1015 }
1016
1017
1018
1019
1020
1021
1022
1023#undef COUNTER
1024}
1025
1026static int tls_xread_record(tls_state_t *tls, const char *expected)
1027{
1028 struct record_hdr *xhdr;
1029 int sz;
1030 int total;
1031 int target;
1032
1033 again:
1034 dbg("ofs_to_buffered:%u buffered_size:%u\n", tls->ofs_to_buffered, tls->buffered_size);
1035 total = tls->buffered_size;
1036 if (total != 0) {
1037 memmove(tls->inbuf, tls->inbuf + tls->ofs_to_buffered, total);
1038
1039
1040 }
1041 errno = 0;
1042 target = MAX_INBUF;
1043 for (;;) {
1044 int rem;
1045
1046 if (total >= RECHDR_LEN && target == MAX_INBUF) {
1047 xhdr = (void*)tls->inbuf;
1048 target = RECHDR_LEN + (0x100 * xhdr->len16_hi + xhdr->len16_lo);
1049
1050 if (target > MAX_INBUF
1051 || xhdr->proto_maj != TLS_MAJ
1052 || xhdr->proto_min != TLS_MIN
1053 ) {
1054 sz = total < target ? total : target;
1055 bad_record_die(tls, expected, sz);
1056 }
1057 dbg("xhdr type:%d ver:%d.%d len:%d\n",
1058 xhdr->type, xhdr->proto_maj, xhdr->proto_min,
1059 0x100 * xhdr->len16_hi + xhdr->len16_lo
1060 );
1061 }
1062
1063 if (total - target >= 0)
1064 break;
1065
1066 rem = tls->inbuf_size - total;
1067 if (rem == 0) {
1068 tls->inbuf_size += MAX_INBUF / 8;
1069 if (tls->inbuf_size > MAX_INBUF)
1070 tls->inbuf_size = MAX_INBUF;
1071 dbg("inbuf_size:%d\n", tls->inbuf_size);
1072 rem = tls->inbuf_size - total;
1073 tls->inbuf = xrealloc(tls->inbuf, tls->inbuf_size);
1074 }
1075 sz = safe_read(tls->ifd, tls->inbuf + total, rem);
1076 if (sz <= 0) {
1077 if (sz == 0 && total == 0) {
1078
1079 dbg("EOF (without TLS shutdown) from peer\n");
1080 tls->buffered_size = 0;
1081 goto end;
1082 }
1083 bb_perror_msg_and_die("short read, have only %d", total);
1084 }
1085 dump_raw_in("<< %s\n", tls->inbuf + total, sz);
1086 total += sz;
1087 }
1088 tls->buffered_size = total - target;
1089 tls->ofs_to_buffered = target;
1090
1091
1092
1093 sz = target - RECHDR_LEN;
1094
1095
1096 if (tls->min_encrypted_len_on_read != 0) {
1097 if (sz < (int)tls->min_encrypted_len_on_read)
1098 bb_error_msg_and_die("bad encrypted len:%u", sz);
1099
1100 if (tls->flags & ENCRYPTION_AESGCM) {
1101
1102 uint8_t *p = tls->inbuf + RECHDR_LEN;
1103
1104 sz -= 8 + AES_BLOCK_SIZE;
1105 tls_aesgcm_decrypt(tls, p, sz);
1106 dbg("encrypted size:%u\n", sz);
1107 } else
1108 if (tls->min_encrypted_len_on_read > TLS_MAC_SIZE(tls)) {
1109
1110 uint8_t *p = tls->inbuf + RECHDR_LEN;
1111 int padding_len;
1112
1113 if (sz & (AES_BLOCK_SIZE-1))
1114 bb_error_msg_and_die("bad encrypted len:%u", sz);
1115
1116
1117 sz -= AES_BLOCK_SIZE;
1118 aes_cbc_decrypt(
1119 &tls->aes_decrypt,
1120 p,
1121 p + AES_BLOCK_SIZE, sz,
1122 p
1123 );
1124 padding_len = p[sz - 1];
1125 dbg("encrypted size:%u type:0x%02x padding_length:0x%02x\n", sz, p[0], padding_len);
1126 padding_len++;
1127 sz -= TLS_MAC_SIZE(tls) + padding_len;
1128 } else {
1129
1130
1131 sz -= tls->min_encrypted_len_on_read;
1132 }
1133 }
1134 if (sz < 0)
1135 bb_error_msg_and_die("encrypted data too short");
1136
1137
1138
1139 xhdr = (void*)tls->inbuf;
1140 if (xhdr->type == RECORD_TYPE_ALERT && sz >= 2) {
1141 uint8_t *p = tls->inbuf + RECHDR_LEN;
1142 dbg("ALERT size:%d level:%d description:%d\n", sz, p[0], p[1]);
1143 if (p[0] == 2) {
1144 bb_error_msg_and_die("TLS %s from peer (alert code %d): %s",
1145 "error",
1146 p[1], alert_text(p[1])
1147 );
1148 }
1149 if (p[0] == 1) {
1150 if (p[1] == 0) {
1151 dbg("EOF (TLS encoded) from peer\n");
1152 sz = 0;
1153 goto end;
1154 }
1155
1156
1157
1158
1159
1160
1161
1162 goto again;
1163 }
1164
1165 sz = 0;
1166 goto end;
1167 }
1168
1169
1170
1171
1172 if (tls->inbuf[0] == RECORD_TYPE_HANDSHAKE
1173
1174
1175 ) {
1176 hash_handshake(tls, "<< hash:%s", tls->inbuf + RECHDR_LEN, sz);
1177 }
1178 end:
1179 dbg("got block len:%u\n", sz);
1180 return sz;
1181}
1182
1183static void binary_to_pstm(pstm_int *pstm_n, uint8_t *bin_ptr, unsigned len)
1184{
1185 pstm_init_for_read_unsigned_bin( NULL, pstm_n, len);
1186 pstm_read_unsigned_bin(pstm_n, bin_ptr, len);
1187
1188}
1189
1190
1191
1192
1193static unsigned get_der_len(uint8_t **bodyp, uint8_t *der, uint8_t *end)
1194{
1195 unsigned len, len1;
1196
1197 if (end - der < 2)
1198 xfunc_die();
1199
1200
1201
1202 len = der[1];
1203 if (len >= 0x80) {
1204
1205
1206 if (len == 0x80 || end - der < (int)(len - 0x7e)) {
1207
1208
1209 xfunc_die();
1210 }
1211
1212 len1 = der[2];
1213 if (len > 0x82) {
1214
1215 xfunc_die();
1216 }
1217 if (len == 0x82) {
1218 len1 = 0x100*len1 + der[3];
1219 der += 1;
1220 }
1221 der += 1;
1222 len = len1;
1223
1224
1225 }
1226 der += 2;
1227
1228 if (end - der < (int)len)
1229 xfunc_die();
1230 *bodyp = der;
1231
1232 return len;
1233}
1234
1235static uint8_t *enter_der_item(uint8_t *der, uint8_t **endp)
1236{
1237 uint8_t *new_der;
1238 unsigned len = get_der_len(&new_der, der, *endp);
1239 dbg_der("entered der @%p:0x%02x len:%u inner_byte @%p:0x%02x\n", der, der[0], len, new_der, new_der[0]);
1240
1241 *endp = new_der + len;
1242 return new_der;
1243}
1244
1245static uint8_t *skip_der_item(uint8_t *der, uint8_t *end)
1246{
1247 uint8_t *new_der;
1248 unsigned len = get_der_len(&new_der, der, end);
1249
1250 new_der += len;
1251 dbg_der("skipped der 0x%02x, next byte 0x%02x\n", der[0], new_der[0]);
1252 return new_der;
1253}
1254
1255static void der_binary_to_pstm(pstm_int *pstm_n, uint8_t *der, uint8_t *end)
1256{
1257 uint8_t *bin_ptr;
1258 unsigned len = get_der_len(&bin_ptr, der, end);
1259
1260 dbg_der("binary bytes:%u, first:0x%02x\n", len, bin_ptr[0]);
1261 binary_to_pstm(pstm_n, bin_ptr, len);
1262}
1263
1264static void find_key_in_der_cert(tls_state_t *tls, uint8_t *der, int len)
1265{
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357 uint8_t *end = der + len;
1358
1359
1360 der = enter_der_item(der, &end);
1361
1362
1363 der = enter_der_item(der, &end);
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377 if (der[0] == 0xa0)
1378 der = skip_der_item(der, end);
1379
1380
1381 der = skip_der_item(der, end);
1382 der = skip_der_item(der, end);
1383 der = skip_der_item(der, end);
1384 der = skip_der_item(der, end);
1385 der = skip_der_item(der, end);
1386
1387
1388 der = enter_der_item(der, &end);
1389 {
1390 static const uint8_t OID_RSA_KEY_ALG[] ALIGN1 = {
1391 0x30,0x0d,
1392 0x06,0x09, 0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x01,
1393
1394 };
1395 static const uint8_t OID_ECDSA_KEY_ALG[] ALIGN1 = {
1396 0x30,0x13,
1397 0x06,0x07, 0x2a,0x86,0x48,0xce,0x3d,0x02,0x01,
1398
1399
1400
1401
1402
1403
1404
1405 };
1406 if (memcmp(der, OID_RSA_KEY_ALG, sizeof(OID_RSA_KEY_ALG)) == 0) {
1407 dbg("RSA key\n");
1408 tls->flags |= GOT_CERT_RSA_KEY_ALG;
1409 } else
1410 if (memcmp(der, OID_ECDSA_KEY_ALG, sizeof(OID_ECDSA_KEY_ALG)) == 0) {
1411 dbg("ECDSA key\n");
1412
1413 } else
1414 bb_error_msg_and_die("not RSA or ECDSA cert");
1415 }
1416
1417 if (tls->flags & GOT_CERT_RSA_KEY_ALG) {
1418
1419
1420
1421 der = skip_der_item(der, end);
1422
1423
1424 der = enter_der_item(der, &end);
1425
1426 dbg("key bytes:%u, first:0x%02x\n", (int)(end - der), der[0]);
1427 if (end - der < 14)
1428 xfunc_die();
1429
1430
1431
1432
1433
1434
1435 if (*der != 0)
1436 xfunc_die();
1437 der++;
1438 der = enter_der_item(der, &end);
1439
1440 der_binary_to_pstm(&tls->hsd->server_rsa_pub_key.N, der, end);
1441 der = skip_der_item(der, end);
1442 der_binary_to_pstm(&tls->hsd->server_rsa_pub_key.e, der, end);
1443 tls->hsd->server_rsa_pub_key.size = pstm_unsigned_bin_size(&tls->hsd->server_rsa_pub_key.N);
1444 dbg("server_rsa_pub_key.size:%d\n", tls->hsd->server_rsa_pub_key.size);
1445 }
1446
1447
1448
1449
1450
1451}
1452
1453
1454
1455
1456static int tls_xread_handshake_block(tls_state_t *tls, int min_len)
1457{
1458 struct record_hdr *xhdr;
1459 int len = tls_xread_record(tls, "handshake record");
1460
1461 xhdr = (void*)tls->inbuf;
1462 if (len < min_len
1463 || xhdr->type != RECORD_TYPE_HANDSHAKE
1464 ) {
1465 bad_record_die(tls, "handshake record", len);
1466 }
1467 dbg("got HANDSHAKE\n");
1468 return len;
1469}
1470
1471static ALWAYS_INLINE void fill_handshake_record_hdr(void *buf, unsigned type, unsigned len)
1472{
1473 struct handshake_hdr {
1474 uint8_t type;
1475 uint8_t len24_hi, len24_mid, len24_lo;
1476 } *h = buf;
1477
1478 len -= 4;
1479 h->type = type;
1480 h->len24_hi = len >> 16;
1481 h->len24_mid = len >> 8;
1482 h->len24_lo = len & 0xff;
1483}
1484
1485static void send_client_hello_and_alloc_hsd(tls_state_t *tls, const char *sni)
1486{
1487#define NUM_CIPHERS (7 + 6 * ENABLE_FEATURE_TLS_SHA1 + ALLOW_RSA_NULL_SHA256)
1488 static const uint8_t ciphers[] = {
1489 0x00,2 + NUM_CIPHERS*2,
1490 0x00,0xFF,
1491
1492#if ENABLE_FEATURE_TLS_SHA1
1493 0xC0,0x09,
1494 0xC0,0x0A,
1495 0xC0,0x13,
1496 0xC0,0x14,
1497
1498
1499#endif
1500 0xC0,0x23,
1501
1502 0xC0,0x27,
1503
1504 0xC0,0x2B,
1505
1506
1507 0xC0,0x2F,
1508
1509
1510#if ENABLE_FEATURE_TLS_SHA1
1511
1512
1513#endif
1514
1515
1516#if ENABLE_FEATURE_TLS_SHA1
1517 0x00,0x2F,
1518 0x00,0x35,
1519#endif
1520 0x00,0x3C,
1521 0x00,0x3D,
1522 0x00,0x9C,
1523
1524#if ALLOW_RSA_NULL_SHA256
1525 0x00,0x3B,
1526#endif
1527 0x01,0x00,
1528 };
1529 static const uint8_t supported_groups[] = {
1530 0x00,0x0a,
1531 0x00,0x04,
1532 0x00,0x02,
1533 0x00,0x1d,
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545 };
1546
1547
1548
1549
1550
1551
1552
1553 struct client_hello {
1554 uint8_t type;
1555 uint8_t len24_hi, len24_mid, len24_lo;
1556 uint8_t proto_maj, proto_min;
1557 uint8_t rand32[32];
1558 uint8_t session_id_len;
1559
1560 uint8_t cipherid_len16_hi, cipherid_len16_lo;
1561 uint8_t cipherid[2 + NUM_CIPHERS*2];
1562 uint8_t comprtypes_len;
1563 uint8_t comprtypes[1];
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584 };
1585 struct client_hello *record;
1586 uint8_t *ptr;
1587 int len;
1588 int ext_len;
1589 int sni_len = sni ? strnlen(sni, 127 - 5) : 0;
1590
1591 ext_len = 0;
1592
1593 ext_len += sizeof(supported_groups);
1594 if (sni_len)
1595 ext_len += 9 + sni_len;
1596
1597
1598 len = sizeof(*record) + 2 + ext_len;
1599 record = tls_get_zeroed_outbuf(tls, len);
1600
1601 fill_handshake_record_hdr(record, HANDSHAKE_CLIENT_HELLO, len);
1602 record->proto_maj = TLS_MAJ;
1603 record->proto_min = TLS_MIN;
1604 tls_get_random(record->rand32, sizeof(record->rand32));
1605 if (TLS_DEBUG_FIXED_SECRETS)
1606 memset(record->rand32, 0x11, sizeof(record->rand32));
1607
1608
1609 BUILD_BUG_ON(sizeof(ciphers) != 2 + 2 + NUM_CIPHERS*2 + 2);
1610 memcpy(&record->cipherid_len16_hi, ciphers, sizeof(ciphers));
1611
1612 ptr = (void*)(record + 1);
1613 *ptr++ = ext_len >> 8;
1614 *ptr++ = ext_len;
1615 if (sni_len) {
1616
1617
1618
1619 ptr[3] = sni_len + 5;
1620
1621 ptr[5] = sni_len + 3;
1622
1623
1624 ptr[8] = sni_len;
1625 ptr = mempcpy(&ptr[9], sni, sni_len);
1626 }
1627 memcpy(ptr, supported_groups, sizeof(supported_groups));
1628
1629 tls->hsd = xzalloc(sizeof(*tls->hsd));
1630
1631 memcpy(tls->hsd->client_and_server_rand32, record->rand32, sizeof(record->rand32));
1632
1633
1634
1635
1636 dbg(">> CLIENT_HELLO\n");
1637
1638
1639
1640 sha256_begin(&tls->hsd->handshake_hash_ctx);
1641 xwrite_and_update_handshake_hash(tls, len);
1642
1643
1644
1645
1646}
1647
1648static void get_server_hello(tls_state_t *tls)
1649{
1650 struct server_hello {
1651 struct record_hdr xhdr;
1652 uint8_t type;
1653 uint8_t len24_hi, len24_mid, len24_lo;
1654 uint8_t proto_maj, proto_min;
1655 uint8_t rand32[32];
1656 uint8_t session_id_len;
1657 uint8_t session_id[32];
1658 uint8_t cipherid_hi, cipherid_lo;
1659 uint8_t comprtype;
1660
1661 };
1662
1663 struct server_hello *hp;
1664 uint8_t *cipherid;
1665 uint8_t cipherid1;
1666 int len, len24;
1667
1668 len = tls_xread_handshake_block(tls, 74 - 32);
1669
1670 hp = (void*)tls->inbuf;
1671
1672
1673
1674 if (hp->type != HANDSHAKE_SERVER_HELLO
1675 || hp->len24_hi != 0
1676 || hp->len24_mid != 0
1677
1678 || hp->proto_maj != TLS_MAJ
1679 || hp->proto_min != TLS_MIN
1680 ) {
1681 bad_record_die(tls, "'server hello'", len);
1682 }
1683
1684 cipherid = &hp->cipherid_hi;
1685 len24 = hp->len24_lo;
1686 if (hp->session_id_len != 32) {
1687 if (hp->session_id_len != 0)
1688 bad_record_die(tls, "'server hello'", len);
1689
1690
1691
1692
1693
1694 cipherid -= 32;
1695 len24 += 32;
1696 }
1697
1698 if (len24 < 70)
1699 bad_record_die(tls, "'server hello'", len);
1700 dbg("<< SERVER_HELLO\n");
1701
1702 memcpy(tls->hsd->client_and_server_rand32 + 32, hp->rand32, sizeof(hp->rand32));
1703
1704
1705#if 0
1706#if ENABLE_FEATURE_TLS_SHA1
1707 0xC0,0x09,
1708 0xC0,0x0A,
1709 0xC0,0x13,
1710 0xC0,0x14,
1711
1712
1713#endif
1714 0xC0,0x23,
1715
1716 0xC0,0x27,
1717
1718 0xC0,0x2B,
1719
1720
1721 0xC0,0x2F,
1722
1723
1724#if ENABLE_FEATURE_TLS_SHA1
1725
1726
1727#endif
1728
1729
1730#if ENABLE_FEATURE_TLS_SHA1
1731 0x00,0x2F,
1732 0x00,0x35,
1733#endif
1734 0x00,0x3C,
1735 0x00,0x3D,
1736 0x00,0x9C,
1737
1738#if ALLOW_RSA_NULL_SHA256
1739 0x00,0x3B,
1740#endif
1741#endif
1742 cipherid1 = cipherid[1];
1743 tls->cipher_id = 0x100 * cipherid[0] + cipherid1;
1744 tls->key_size = AES256_KEYSIZE;
1745 tls->MAC_size = SHA256_OUTSIZE;
1746
1747 if (cipherid[0] == 0xC0) {
1748
1749 tls->flags |= NEED_EC_KEY;
1750 if (cipherid1 & 1) {
1751
1752 tls->key_size = AES128_KEYSIZE;
1753 }
1754 if (ENABLE_FEATURE_TLS_SHA1 && cipherid1 <= 0x19) {
1755 tls->MAC_size = SHA1_OUTSIZE;
1756 } else
1757 if (cipherid1 >= 0x2B && cipherid1 <= 0x30) {
1758
1759 tls->flags |= ENCRYPTION_AESGCM;
1760 tls->MAC_size = 0;
1761 tls->IV_size = 4;
1762 }
1763 } else {
1764
1765 if ((ENABLE_FEATURE_TLS_SHA1 && cipherid1 == 0x2F)
1766 || cipherid1 == 0x3C
1767 || cipherid1 == 0x9C
1768 ) {
1769 tls->key_size = AES128_KEYSIZE;
1770 }
1771 if (ENABLE_FEATURE_TLS_SHA1 && cipherid1 <= 0x35) {
1772 tls->MAC_size = SHA1_OUTSIZE;
1773 } else
1774 if (cipherid1 == 0x9C ) {
1775
1776 tls->flags |= ENCRYPTION_AESGCM;
1777 tls->MAC_size = 0;
1778 tls->IV_size = 4;
1779 }
1780 }
1781 dbg("server chose cipher %04x\n", tls->cipher_id);
1782 dbg("key_size:%u MAC_size:%u IV_size:%u\n", tls->key_size, tls->MAC_size, tls->IV_size);
1783
1784
1785
1786
1787
1788
1789
1790
1791
1792
1793
1794
1795
1796
1797
1798}
1799
1800static void get_server_cert(tls_state_t *tls)
1801{
1802 struct record_hdr *xhdr;
1803 uint8_t *certbuf;
1804 int len, len1;
1805
1806 len = tls_xread_handshake_block(tls, 10);
1807
1808 xhdr = (void*)tls->inbuf;
1809 certbuf = (void*)(xhdr + 1);
1810 if (certbuf[0] != HANDSHAKE_CERTIFICATE)
1811 bad_record_die(tls, "certificate", len);
1812 dbg("<< CERTIFICATE\n");
1813
1814
1815
1816 len1 = get24be(certbuf + 1);
1817 if (len1 > len - 4) tls_error_die(tls);
1818 len = len1;
1819 len1 = get24be(certbuf + 4);
1820 if (len1 > len - 3) tls_error_die(tls);
1821 len = len1;
1822 len1 = get24be(certbuf + 7);
1823 if (len1 > len - 3) tls_error_die(tls);
1824 len = len1;
1825
1826 if (len)
1827 find_key_in_der_cert(tls, certbuf + 10, len);
1828}
1829
1830
1831
1832
1833static void process_server_key(tls_state_t *tls, int len)
1834{
1835 struct record_hdr *xhdr;
1836 uint8_t *keybuf;
1837 int len1;
1838 uint32_t t32;
1839
1840 xhdr = (void*)tls->inbuf;
1841 keybuf = (void*)(xhdr + 1);
1842
1843
1844
1845
1846
1847
1848
1849
1850
1851
1852
1853
1854
1855
1856
1857
1858
1859
1860
1861
1862
1863
1864
1865
1866
1867
1868
1869
1870
1871
1872
1873
1874
1875
1876 len1 = get24be(keybuf + 1);
1877 if (len1 > len - 4) tls_error_die(tls);
1878 len = len1;
1879 if (len < (1+2+1+32)) tls_error_die(tls);
1880 keybuf += 4;
1881
1882
1883 move_from_unaligned32(t32, keybuf);
1884 if (t32 != htonl(0x03001d20))
1885 bb_error_msg_and_die("elliptic curve is not x25519");
1886
1887 memcpy(tls->hsd->ecc_pub_key32, keybuf + 4, 32);
1888 tls->flags |= GOT_EC_KEY;
1889 dbg("got eccPubKey\n");
1890}
1891
1892static void send_empty_client_cert(tls_state_t *tls)
1893{
1894 struct client_empty_cert {
1895 uint8_t type;
1896 uint8_t len24_hi, len24_mid, len24_lo;
1897 uint8_t cert_chain_len24_hi, cert_chain_len24_mid, cert_chain_len24_lo;
1898 };
1899 struct client_empty_cert *record;
1900
1901 record = tls_get_zeroed_outbuf(tls, sizeof(*record));
1902
1903
1904
1905
1906
1907 record->type = HANDSHAKE_CERTIFICATE;
1908 record->len24_lo = 3;
1909
1910 dbg(">> CERTIFICATE\n");
1911 xwrite_and_update_handshake_hash(tls, sizeof(*record));
1912}
1913
1914static void send_client_key_exchange(tls_state_t *tls)
1915{
1916 struct client_key_exchange {
1917 uint8_t type;
1918 uint8_t len24_hi, len24_mid, len24_lo;
1919 uint8_t key[2 + 4 * 1024];
1920 };
1921
1922 struct client_key_exchange *record = tls_get_zeroed_outbuf(tls, sizeof(*record));
1923 uint8_t rsa_premaster[RSA_PREMASTER_SIZE];
1924 uint8_t x25519_premaster[CURVE25519_KEYSIZE];
1925 uint8_t *premaster;
1926 int premaster_size;
1927 int len;
1928
1929 if (!(tls->flags & NEED_EC_KEY)) {
1930
1931 if (!(tls->flags & GOT_CERT_RSA_KEY_ALG))
1932 bb_error_msg("server cert is not RSA");
1933
1934 tls_get_random(rsa_premaster, sizeof(rsa_premaster));
1935 if (TLS_DEBUG_FIXED_SECRETS)
1936 memset(rsa_premaster, 0x44, sizeof(rsa_premaster));
1937
1938
1939
1940
1941 rsa_premaster[0] = TLS_MAJ;
1942 rsa_premaster[1] = TLS_MIN;
1943 dump_hex("premaster:%s\n", rsa_premaster, sizeof(rsa_premaster));
1944 len = psRsaEncryptPub( NULL,
1945 &tls->hsd->server_rsa_pub_key,
1946 rsa_premaster, sizeof(rsa_premaster),
1947 record->key + 2, sizeof(record->key) - 2,
1948 data_param_ignored
1949 );
1950
1951 record->key[0] = len >> 8;
1952 record->key[1] = len & 0xff;
1953 len += 2;
1954 premaster = rsa_premaster;
1955 premaster_size = sizeof(rsa_premaster);
1956 } else {
1957
1958 static const uint8_t basepoint9[CURVE25519_KEYSIZE] = {9};
1959 uint8_t privkey[CURVE25519_KEYSIZE];
1960
1961 if (!(tls->flags & GOT_EC_KEY))
1962 bb_error_msg("server did not provide EC key");
1963
1964
1965 tls_get_random(privkey, sizeof(privkey));
1966 privkey[0] &= 0xf8;
1967 privkey[CURVE25519_KEYSIZE-1] = ((privkey[CURVE25519_KEYSIZE-1] & 0x7f) | 0x40);
1968
1969
1970 curve25519(record->key + 1, privkey, basepoint9);
1971
1972
1973 dbg("computing x25519_premaster\n");
1974 curve25519(x25519_premaster, privkey, tls->hsd->ecc_pub_key32);
1975
1976 len = CURVE25519_KEYSIZE;
1977 record->key[0] = len;
1978 len++;
1979 premaster = x25519_premaster;
1980 premaster_size = sizeof(x25519_premaster);
1981 }
1982
1983 record->type = HANDSHAKE_CLIENT_KEY_EXCHANGE;
1984
1985 record->len24_mid = len >> 8;
1986 record->len24_lo = len & 0xff;
1987 len += 4;
1988
1989 dbg(">> CLIENT_KEY_EXCHANGE\n");
1990 xwrite_and_update_handshake_hash(tls, len);
1991
1992
1993
1994
1995
1996
1997
1998
1999
2000
2001
2002 prf_hmac_sha256(
2003 tls->hsd->master_secret, sizeof(tls->hsd->master_secret),
2004 premaster, premaster_size,
2005 "master secret",
2006 tls->hsd->client_and_server_rand32, sizeof(tls->hsd->client_and_server_rand32)
2007 );
2008 dump_hex("master secret:%s\n", tls->hsd->master_secret, sizeof(tls->hsd->master_secret));
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
2025
2026
2027
2028
2029
2030
2031
2032
2033
2034
2035
2036
2037
2038
2039
2040
2041
2042
2043 {
2044 uint8_t tmp64[64];
2045
2046
2047 memcpy(&tmp64[0] , &tls->hsd->client_and_server_rand32[32], 32);
2048 memcpy(&tmp64[32], &tls->hsd->client_and_server_rand32[0] , 32);
2049
2050 prf_hmac_sha256(
2051 tls->client_write_MAC_key, 2 * (tls->MAC_size + tls->key_size + tls->IV_size),
2052
2053
2054
2055
2056
2057
2058 tls->hsd->master_secret, sizeof(tls->hsd->master_secret),
2059 "key expansion",
2060 tmp64, 64
2061 );
2062 tls->client_write_key = tls->client_write_MAC_key + (2 * tls->MAC_size);
2063 tls->server_write_key = tls->client_write_key + tls->key_size;
2064 tls->client_write_IV = tls->server_write_key + tls->key_size;
2065 tls->server_write_IV = tls->client_write_IV + tls->IV_size;
2066 dump_hex("client_write_MAC_key:%s\n",
2067 tls->client_write_MAC_key, tls->MAC_size
2068 );
2069 dump_hex("client_write_key:%s\n",
2070 tls->client_write_key, tls->key_size
2071 );
2072 dump_hex("client_write_IV:%s\n",
2073 tls->client_write_IV, tls->IV_size
2074 );
2075
2076 aes_setkey(&tls->aes_decrypt, tls->server_write_key, tls->key_size);
2077 aes_setkey(&tls->aes_encrypt, tls->client_write_key, tls->key_size);
2078 {
2079 uint8_t iv[AES_BLOCK_SIZE];
2080 memset(iv, 0, AES_BLOCK_SIZE);
2081 aes_encrypt_one_block(&tls->aes_encrypt, iv, tls->H);
2082 }
2083 }
2084}
2085
2086static const uint8_t rec_CHANGE_CIPHER_SPEC[] ALIGN1 = {
2087 RECORD_TYPE_CHANGE_CIPHER_SPEC, TLS_MAJ, TLS_MIN, 00, 01,
2088 01
2089};
2090
2091static void send_change_cipher_spec(tls_state_t *tls)
2092{
2093 dbg(">> CHANGE_CIPHER_SPEC\n");
2094 xwrite(tls->ofd, rec_CHANGE_CIPHER_SPEC, sizeof(rec_CHANGE_CIPHER_SPEC));
2095}
2096
2097
2098
2099
2100
2101
2102
2103
2104
2105
2106
2107
2108
2109
2110
2111
2112
2113
2114
2115
2116
2117
2118
2119
2120
2121
2122
2123
2124
2125
2126
2127
2128
2129
2130
2131
2132
2133
2134static void send_client_finished(tls_state_t *tls)
2135{
2136 struct finished {
2137 uint8_t type;
2138 uint8_t len24_hi, len24_mid, len24_lo;
2139 uint8_t prf_result[12];
2140 };
2141 struct finished *record = tls_get_outbuf(tls, sizeof(*record));
2142 uint8_t handshake_hash[TLS_MAX_MAC_SIZE];
2143 unsigned len;
2144
2145 fill_handshake_record_hdr(record, HANDSHAKE_FINISHED, sizeof(*record));
2146
2147 len = sha_end(&tls->hsd->handshake_hash_ctx, handshake_hash);
2148
2149 prf_hmac_sha256(
2150 record->prf_result, sizeof(record->prf_result),
2151 tls->hsd->master_secret, sizeof(tls->hsd->master_secret),
2152 "client finished",
2153 handshake_hash, len
2154 );
2155 dump_hex("from secret: %s\n", tls->hsd->master_secret, sizeof(tls->hsd->master_secret));
2156 dump_hex("from labelSeed: %s", "client finished", sizeof("client finished")-1);
2157 dump_hex("%s\n", handshake_hash, sizeof(handshake_hash));
2158 dump_hex("=> digest: %s\n", record->prf_result, sizeof(record->prf_result));
2159
2160 dbg(">> FINISHED\n");
2161 xwrite_encrypted(tls, sizeof(*record), RECORD_TYPE_HANDSHAKE);
2162}
2163
2164void FAST_FUNC tls_handshake(tls_state_t *tls, const char *sni)
2165{
2166
2167
2168
2169
2170
2171
2172
2173
2174
2175
2176
2177
2178
2179
2180
2181
2182
2183 int len;
2184 int got_cert_req;
2185
2186 send_client_hello_and_alloc_hsd(tls, sni);
2187 get_server_hello(tls);
2188
2189
2190
2191
2192
2193
2194
2195
2196
2197
2198 get_server_cert(tls);
2199
2200 len = tls_xread_handshake_block(tls, 4);
2201 if (tls->inbuf[RECHDR_LEN] == HANDSHAKE_SERVER_KEY_EXCHANGE) {
2202
2203
2204
2205
2206
2207
2208
2209
2210
2211
2212
2213
2214 dbg("<< SERVER_KEY_EXCHANGE len:%u\n", len);
2215 dump_raw_in("<< %s\n", tls->inbuf, RECHDR_LEN + len);
2216 if (tls->flags & NEED_EC_KEY)
2217 process_server_key(tls, len);
2218
2219
2220 len = tls_xread_handshake_block(tls, 4);
2221 }
2222
2223 got_cert_req = (tls->inbuf[RECHDR_LEN] == HANDSHAKE_CERTIFICATE_REQUEST);
2224 if (got_cert_req) {
2225 dbg("<< CERTIFICATE_REQUEST\n");
2226
2227
2228
2229
2230
2231
2232
2233
2234
2235
2236 len = tls_xread_handshake_block(tls, 4);
2237 }
2238
2239 if (tls->inbuf[RECHDR_LEN] != HANDSHAKE_SERVER_HELLO_DONE) {
2240 bad_record_die(tls, "'server hello done'", len);
2241 }
2242
2243 dbg("<< SERVER_HELLO_DONE\n");
2244
2245 if (got_cert_req)
2246 send_empty_client_cert(tls);
2247
2248 send_client_key_exchange(tls);
2249
2250 send_change_cipher_spec(tls);
2251
2252
2253 tls->flags |= ENCRYPT_ON_WRITE;
2254
2255 send_client_finished(tls);
2256
2257
2258 len = tls_xread_record(tls, "switch to encrypted traffic");
2259 if (len != 1 || memcmp(tls->inbuf, rec_CHANGE_CIPHER_SPEC, 6) != 0)
2260 bad_record_die(tls, "switch to encrypted traffic", len);
2261 dbg("<< CHANGE_CIPHER_SPEC\n");
2262
2263 if (ALLOW_RSA_NULL_SHA256
2264 && tls->cipher_id == TLS_RSA_WITH_NULL_SHA256
2265 ) {
2266 tls->min_encrypted_len_on_read = tls->MAC_size;
2267 } else
2268 if (!(tls->flags & ENCRYPTION_AESGCM)) {
2269 unsigned mac_blocks = (unsigned)(TLS_MAC_SIZE(tls) + AES_BLOCK_SIZE-1) / AES_BLOCK_SIZE;
2270
2271
2272
2273 tls->min_encrypted_len_on_read = AES_BLOCK_SIZE + (mac_blocks * AES_BLOCK_SIZE);
2274 } else {
2275 tls->min_encrypted_len_on_read = 8 + AES_BLOCK_SIZE;
2276 }
2277 dbg("min_encrypted_len_on_read: %u\n", tls->min_encrypted_len_on_read);
2278
2279
2280 len = tls_xread_record(tls, "'server finished'");
2281 if (len < 4 || tls->inbuf[RECHDR_LEN] != HANDSHAKE_FINISHED)
2282 bad_record_die(tls, "'server finished'", len);
2283 dbg("<< FINISHED\n");
2284
2285
2286
2287 psRsaKey_clear(&tls->hsd->server_rsa_pub_key);
2288
2289
2290 free(tls->hsd);
2291 tls->hsd = NULL;
2292}
2293
2294static void tls_xwrite(tls_state_t *tls, int len)
2295{
2296 dbg(">> DATA\n");
2297 xwrite_encrypted(tls, len, RECORD_TYPE_APPLICATION_DATA);
2298}
2299
2300
2301
2302
2303
2304
2305
2306
2307
2308
2309void FAST_FUNC tls_run_copy_loop(tls_state_t *tls, unsigned flags)
2310{
2311 int inbuf_size;
2312 const int INBUF_STEP = 4 * 1024;
2313 struct pollfd pfds[2];
2314
2315 pfds[0].fd = STDIN_FILENO;
2316 pfds[0].events = POLLIN;
2317 pfds[1].fd = tls->ifd;
2318 pfds[1].events = POLLIN;
2319
2320 inbuf_size = INBUF_STEP;
2321 for (;;) {
2322 int nread;
2323
2324 if (safe_poll(pfds, 2, -1) < 0)
2325 bb_perror_msg_and_die("poll");
2326
2327 if (pfds[0].revents) {
2328 void *buf;
2329
2330 dbg("STDIN HAS DATA\n");
2331 buf = tls_get_outbuf(tls, inbuf_size);
2332 nread = safe_read(STDIN_FILENO, buf, inbuf_size);
2333 if (nread < 1) {
2334
2335
2336
2337
2338
2339
2340
2341
2342 pfds[0].fd = -1;
2343 tls_free_outbuf(tls);
2344 if (flags & TLSLOOP_EXIT_ON_LOCAL_EOF)
2345 break;
2346 } else {
2347 if (nread == inbuf_size) {
2348
2349
2350
2351 inbuf_size += INBUF_STEP;
2352 if (inbuf_size > TLS_MAX_OUTBUF)
2353 inbuf_size = TLS_MAX_OUTBUF;
2354 }
2355 tls_xwrite(tls, nread);
2356 }
2357 }
2358 if (pfds[1].revents) {
2359 dbg("NETWORK HAS DATA\n");
2360 read_record:
2361 nread = tls_xread_record(tls, "encrypted data");
2362 if (nread < 1) {
2363
2364
2365
2366
2367
2368
2369
2370 break;
2371 }
2372 if (tls->inbuf[0] != RECORD_TYPE_APPLICATION_DATA)
2373 bad_record_die(tls, "encrypted data", nread);
2374 xwrite(STDOUT_FILENO, tls->inbuf + RECHDR_LEN, nread);
2375
2376
2377
2378 if (tls_has_buffered_record(tls))
2379 goto read_record;
2380 }
2381 }
2382}
2383
