1 #define _POSIX_C_SOURCE 200809L
13 #include <sys/socket.h>
14 #include <arpa/inet.h>
25 #define htonll(x) ((1==htonl(1)) ? (x) : ((uint64_t)htonl((x) & 0xFFFFFFFF) << 32) | htonl((x) >> 32))
29 #define ntohll(x) ((1==ntohl(1)) ? (x) : ((uint64_t)ntohl((x) & 0xFFFFFFFF) << 32) | ntohl((x) >> 32))
33 static char *tls_alert_msg_name(int code) {
35 case 0: return "close_notify"; break;
36 case 10: return "unexpected_message"; break;
37 case 20: return "bad_record_mac"; break;
40 return "unknown alert";
44 static uint16_t get16(const unsigned char *buf) {
47 res = ((*buf) << 8) + (*(buf+1));
51 static int tls_microsleep(unsigned int microseconds) {
56 ts.tv_sec = (time_t) (microseconds / 1000000L);
57 ts.tv_nsec = (long) (((long) microseconds % 1000000L) * 1000L);
60 while ((rv = nanosleep(&ts, &rem)) == -1) {
69 /* TODO this is biased unless limit is a power of 2 */
70 static unsigned int random_int(int limit) {
72 tls_random((unsigned char *) &res, sizeof(int));
79 static int random_sleep(long max) {
80 return tls_microsleep(random_int(max));
83 static void U32TO8(unsigned char *p, unsigned long v) {
85 p[1] = (v >> 8) & 0xff;
86 p[2] = (v >> 16) & 0xff;
87 p[3] = (v >> 24) & 0xff;
90 static int decrypt_aes_gcm(struct TLSContext *context, uint16_t length, int
91 header_size, const unsigned char *ptr, const unsigned char
92 *buf, int buf_len, struct tls_buffer *pt_buffer) {
95 unsigned char iv[TLS_13_AES_GCM_IV_LENGTH];
96 unsigned char aad[16];
97 int aad_size = sizeof(aad);
98 unsigned char *sequence = aad;
100 gcm_state *remote_gcm;
101 remote_gcm = &context->crypto.ctx_remote.aes_gcm_remote;
103 gcm_reset(remote_gcm);
106 if (context->tlsver == TLS_VERSION13) {
107 aad[0] = TLS_APPLICATION_DATA;
110 *((unsigned short *) &aad[3]) =
111 htons(buf_len - header_size);
114 *((uint64_t *) sequence) =
115 htonll(context->remote_sequence_number);
116 memcpy(iv, context->crypto.ctx_remote_mac.remote_iv,
117 TLS_13_AES_GCM_IV_LENGTH);
119 int offset = TLS_13_AES_GCM_IV_LENGTH - 8;
120 for (i = 0; i < 8; i++) {
122 context->crypto.ctx_remote_mac.remote_iv[offset +
125 pt_length = buf_len - header_size - TLS_GCM_TAG_LEN;
129 pt_length = length - 8 - TLS_GCM_TAG_LEN;
131 /* build aad and iv */
132 *((uint64_t *) aad) = htonll(context->remote_sequence_number);
137 memcpy(iv, context->crypto.ctx_remote_mac.remote_aead_iv, 4);
138 memcpy(iv + 4, buf + header_size, 8);
139 *((unsigned short *) &aad[11]) = htons(pt_length);
143 DEBUG_PRINT("Invalid packet length");
144 return TLS_BROKEN_PACKET;
146 DEBUG_DUMP_HEX_LABEL("aad", aad, aad_size);
147 DEBUG_DUMP_HEX_LABEL("aad iv", iv, 12);
149 /* I think we do all of this even if they fail to avoid timing
152 int res0 = gcm_add_iv(&context->crypto.ctx_remote.aes_gcm_remote, iv, 12);
153 int res1 = gcm_add_aad(&context->crypto.ctx_remote.aes_gcm_remote, aad, aad_size);
155 DEBUG_PRINT("PT SIZE: %i\n", pt_length);
157 /* TODO we might want to expand this buffer before we call this
159 tls_buffer_expand(pt_buffer, pt_length);
161 int res2 = gcm_process(&context->crypto.ctx_remote.
162 aes_gcm_remote, pt_buffer->buffer,
164 (char *)buf + header_size + delta,
166 pt_buffer->len = pt_length;
168 unsigned char tag[32];
169 unsigned long taglen = 32;
170 int res3 = gcm_done(&context->crypto.ctx_remote.aes_gcm_remote,
173 if (res0 || res1 || res2 || res3 || taglen != TLS_GCM_TAG_LEN) {
175 ("ERROR: gcm_add_iv: %i, gcm_add_aad: %i, gcm_process: %i, gcm_done: %i\n",
176 res0, res1, res2, res3);
177 return TLS_BROKEN_PACKET;
180 DEBUG_DUMP_HEX_LABEL("decrypted1", pt_buffer->buffer, pt_length);
181 DEBUG_DUMP_HEX_LABEL("tag", tag, taglen);
184 if (memcmp(buf + header_size + delta + pt_length, tag, taglen)) {
185 DEBUG_PRINT("INTEGRITY CHECK FAILED (msg length %i)\n",
187 DEBUG_DUMP_HEX_LABEL("TAG RECEIVED",
188 buf + header_size + delta + pt_length,
190 DEBUG_DUMP_HEX_LABEL("TAG COMPUTED", tag, taglen);
191 tls_alert(context, 1, bad_record_mac);
192 return TLS_INTEGRITY_FAILED;
194 ptr = pt_buffer->buffer;
200 static int decrypt_chacha_poly1305(struct TLSContext *context, uint16_t length,
201 int header_size, const unsigned char *ptr, const unsigned char
202 *buf, int buf_len, struct tls_buffer *pt_buffer) {
204 unsigned char aad[16];
205 int aad_size = sizeof(aad);
206 unsigned char *sequence = aad;
208 int pt_length = length - POLY1305_TAGLEN;
209 unsigned int counter = 1;
210 unsigned char poly1305_key[POLY1305_KEYLEN];
211 unsigned char trail[16];
212 unsigned char mac_tag[POLY1305_TAGLEN];
216 DEBUG_PRINT("Invalid packet length");
217 return TLS_BROKEN_PACKET;
221 if (context->tlsver == TLS_VERSION13) {
222 aad[0] = TLS_APPLICATION_DATA;
225 *((unsigned short *) &aad[3]) =
226 htons(buf_len - header_size);
229 *((uint64_t *) sequence) =
230 htonll(context->remote_sequence_number);
232 *((uint64_t *) aad) =
233 htonll(context->remote_sequence_number);
237 *((unsigned short *) &aad[11]) = htons(pt_length);
243 tls_buffer_expand(pt_buffer, pt_length);
244 chacha_ivupdate(&context->crypto.ctx_remote.chacha_remote,
245 context->crypto.ctx_remote_mac.remote_aead_iv,
246 sequence, (unsigned char *) &counter);
248 chacha_encrypt_bytes(&context->crypto.ctx_remote.chacha_remote,
249 buf + header_size, pt_buffer->buffer, pt_length);
251 DEBUG_DUMP_HEX_LABEL("decrypted2", pt_buffer->buffer, pt_length);
252 ptr = pt_buffer->buffer;
255 chacha20_poly1305_key(&context->crypto.ctx_remote.chacha_remote,
258 struct poly1305_context ctx;
259 tls_poly1305_init(&ctx, poly1305_key);
260 tls_poly1305_update(&ctx, aad, aad_size);
262 static unsigned char zeropad[] = { 0, 0, 0, 0, 0, 0, 0, 0, 0,
265 int rem = aad_size % 16;
267 tls_poly1305_update(&ctx, zeropad, 16 - rem);
269 tls_poly1305_update(&ctx, buf + header_size, pt_length);
271 rem = pt_length % 16;
273 tls_poly1305_update(&ctx, zeropad, 16 - rem);
276 U32TO8(&trail[0], aad_size == 5 ? 5 : 13);
277 *(int *) &trail[4] = 0;
278 U32TO8(&trail[8], pt_length);
279 *(int *) &trail[12] = 0;
281 tls_poly1305_update(&ctx, trail, 16);
282 tls_poly1305_finish(&ctx, mac_tag);
283 if (memcmp(mac_tag, buf + header_size + pt_length,
286 ("INTEGRITY CHECK FAILED (msg length %i)\n",
288 DEBUG_DUMP_HEX_LABEL("POLY1305 TAG RECEIVED",
289 buf + header_size + pt_length,
291 DEBUG_DUMP_HEX_LABEL("POLY1305 TAG COMPUTED",
292 mac_tag, POLY1305_TAGLEN);
294 tls_alert(context, 1, bad_record_mac);
295 return TLS_INTEGRITY_FAILED;
298 pt_buffer->len = pt_length;
303 static int decrypt_other(struct TLSContext *context, uint16_t length, int
304 header_size, const unsigned char *ptr, const unsigned char
305 *buf, struct tls_buffer *pt_buffer) {
309 tls_buffer_expand(pt_buffer, length);
310 DEBUG_PRINTLN("cbc_decrypt(%p, %p, %lu, %p)\n",
311 buf+header_size, pt_buffer->buffer,
312 (unsigned long)length, &context->crypto.ctx_remote.aes_remote);
313 err = cbc_decrypt(buf+header_size, pt_buffer->buffer, length,
314 &context->crypto.ctx_remote.aes_remote);
316 DEBUG_PRINTLN("Decryption error %d %s\n", err,
317 error_to_string(err));
319 return TLS_BROKEN_PACKET;
321 pt_buffer->len = length;
322 unsigned char padding_byte = pt_buffer->buffer[length - 1];
323 unsigned char padding = padding_byte + 1;
324 DEBUG_PRINTLN("cbc padding byte = %d\n", (int)padding_byte);
327 int padding_index = length - padding;
328 if (padding_index > 0) {
330 int limit = length - 1;
331 for (i = length - padding; i < limit; i++) {
332 if (pt_buffer->buffer[i] != padding_byte) {
333 DEBUG_PRINTLN("BROKEN PACKET (POODLE ?)\n");
334 tls_alert(context, 1, decrypt_error);
336 return TLS_BROKEN_PACKET;
341 unsigned int decrypted_length = length;
342 if (padding < decrypted_length) {
343 decrypted_length -= padding;
344 pt_buffer->len -= padding;
347 DEBUG_DUMP_HEX_LABEL("decrypted", pt_buffer->buffer, decrypted_length);
349 if (decrypted_length > TLS_AES_IV_LENGTH) {
350 decrypted_length -= TLS_AES_IV_LENGTH;
351 tls_buffer_shift(pt_buffer, TLS_AES_IV_LENGTH);
353 ptr = pt_buffer->buffer;
354 length = decrypted_length;
356 unsigned int mac_size = tls_mac_length(context);
357 if (length < mac_size || !mac_size) {
358 DEBUG_PRINTLN("BROKEN PACKET\n");
359 tls_alert(context, 1, decrypt_error);
361 return TLS_BROKEN_PACKET;
364 DEBUG_PRINTLN("mac size %u\n", mac_size);
366 pt_buffer->len -= mac_size;
368 const unsigned char *message_hmac = &ptr[length];
369 unsigned char hmac_out[TLS_MAX_MAC_SIZE];
370 unsigned char temp_buf[5];
371 memcpy(temp_buf, buf, 3);
372 *(unsigned short *) &temp_buf[3] = htons(length);
373 unsigned int hmac_out_len = tls_hmac_message(0, context, temp_buf, 5,
374 ptr, length, hmac_out, mac_size);
375 if (hmac_out_len != mac_size
376 || memcmp(message_hmac, hmac_out, mac_size)) {
377 DEBUG_PRINTLN("INTEGRITY CHECK FAILED (msg length %i)\n",
379 DEBUG_DUMP_HEX_LABEL("HMAC RECEIVED", message_hmac, mac_size);
380 DEBUG_DUMP_HEX_LABEL("HMAC COMPUTED", hmac_out, hmac_out_len);
382 tls_alert(context, 1, bad_record_mac);
385 return TLS_INTEGRITY_FAILED;
392 static int decrypt_payload(struct TLSContext *context,
395 const unsigned char *ptr,
396 const unsigned char *buf,
398 struct tls_buffer *pt_buffer
401 if (context->crypto.created == 2) {
402 return decrypt_aes_gcm(context, length, header_size, ptr, buf,
404 } else if (context->crypto.created == 3) {
405 return decrypt_chacha_poly1305(context, length, header_size,
406 ptr, buf, buf_len, pt_buffer);
407 } else if (context->crypto.created == 1) {
408 return decrypt_other(context, length, header_size, ptr, buf,
411 tls_buffer_free(pt_buffer);
412 return TLS_BROKEN_PACKET;
418 int tls_parse_message(struct TLSContext *context, unsigned char *buf,
421 uint16_t version; /* a struct of two uint8 per the rfc, but
422 we encode it as a uint16_t */
427 const unsigned char *ptr = 0;
428 /* TODO probably make this buffer part of the context,
429 * and just zero it out instead of malloc and free
431 struct tls_buffer pt;
433 int header_size = res;
439 return TLS_NEED_MORE_DATA;
444 version = get16(&buf[buf_pos]);
447 if (!tls_supported_version(version)) {
452 length = get16(&buf[buf_pos]);
457 DEBUG_PRINTLN("Message type: %d, length: %d\n", (int)type, (int)length);
459 /* this buffer can go out of scope */
460 tls_buffer_init(&pt, 0);
462 if (context->cipher_spec_set && type != TLS_CHANGE_CIPHER) {
463 /* Need to decrypt payload */
464 DEBUG_DUMP_HEX_LABEL("encrypted", &buf[header_size], length);
466 if (!context->crypto.created) {
467 DEBUG_PRINT("Encryption context not created\n");
468 random_sleep(TLS_MAX_ERROR_SLEEP_uS);
470 return TLS_BROKEN_PACKET;
473 int rv = decrypt_payload(context, length, header_size, ptr,
477 tls_buffer_free(&pt);
478 random_sleep(TLS_MAX_ERROR_SLEEP_uS);
484 tls_buffer_free(&pt);
485 random_sleep(TLS_MAX_ERROR_SLEEP_uS);
487 return TLS_NO_MEMORY;
494 context->remote_sequence_number++;
496 if (context->tlsver == TLS_VERSION13) {
497 /*(context->connection_status == 2) && */
498 if (type == TLS_APPLICATION_DATA && context->crypto.created) {
506 /* TODO for v1.3 encrypted handshake messages will show up
507 * as application data, so we need to re-compute the record
508 * type, that may be what the above is doing
512 /* application data */
513 case TLS_APPLICATION_DATA:
514 if (context->connection_status != TLS_CONNECTED) {
516 ("UNEXPECTED APPLICATION DATA MESSAGE\n");
517 payload_res = TLS_UNEXPECTED_MESSAGE;
518 tls_alert(context, 1, unexpected_message);
522 ("APPLICATION DATA MESSAGE (TLS VERSION: %x):\n",
523 (int) context->version);
524 DEBUG_DUMP(ptr, length);
526 tls_buffer_append(&context->application_buffer, ptr, length);
527 if (context->application_buffer.error) {
528 payload_res = TLS_NO_MEMORY;
533 DEBUG_PRINT("HANDSHAKE MESSAGE\n");
534 payload_res = tls_parse_payload(context, ptr, length);
536 /* change cipher spec */
537 case TLS_CHANGE_CIPHER:
538 if (context->connection_status != 2) {
539 if (context->connection_status == 4) {
541 ("IGNORING CHANGE CIPHER SPEC MESSAGE (HELLO RETRY REQUEST)\n");
545 ("UNEXPECTED CHANGE CIPHER SPEC MESSAGE (%i)\n",
546 context->connection_status);
547 tls_alert(context, 1, unexpected_message);
548 payload_res = TLS_UNEXPECTED_MESSAGE;
550 DEBUG_PRINT("CHANGE CIPHER SPEC MESSAGE\n");
551 context->cipher_spec_set = 1;
552 /* reset sequence numbers */
553 context->remote_sequence_number = 0;
558 DEBUG_PRINTLN("ALERT MESSAGE\n");
562 DEBUG_PRINTLN("level = %d, code = %d\n", level, code);
563 if (level == TLS_ALERT_CRITICAL) {
564 DEBUG_PRINTLN("critical error: %s\n",
565 tls_alert_msg_name(code));
566 context->critical_error = 1;
567 res = TLS_ERROR_ALERT;
569 context->error_code = code;
571 DEBUG_PRINT("ALERT MESSAGE short\n");
576 DEBUG_PRINT("UNKNOWN MESSAGE TYPE: %x\n", (int)type);
577 payload_res = TLS_NOT_UNDERSTOOD;
581 tls_buffer_free(&pt);
583 if (payload_res < 0) {
590 return header_size + length;
projects / zpackage / blob