1 #define _POSIX_C_SOURCE 200809L
13 #include <sys/socket.h>
14 #include <arpa/inet.h>
21 #define mp_init(a) ltc_mp.init(a)
22 #define mp_init_multi ltc_init_multi
23 #define mp_clear(a) ltc_mp.deinit(a)
24 #define mp_clear_multi ltc_deinit_multi
25 #define mp_count_bits(a) ltc_mp.count_bits(a)
26 #define mp_read_radix(a, b, c) ltc_mp.read_radix(a, b, c)
27 #define mp_unsigned_bin_size(a) ltc_mp.unsigned_size(a)
28 #define mp_to_unsigned_bin(a, b) ltc_mp.unsigned_write(a, b)
29 #define mp_read_unsigned_bin(a, b, c) ltc_mp.unsigned_read(a, b, c)
30 #define mp_exptmod(a, b, c, d) ltc_mp.exptmod(a, b, c, d)
31 #define mp_add(a, b, c) ltc_mp.add(a, b, c)
32 #define mp_mul(a, b, c) ltc_mp.mul(a, b, c)
33 #define mp_cmp(a, b) ltc_mp.compare(a, b)
34 #define mp_cmp_d(a, b) ltc_mp.compare_d(a, b)
35 #define mp_sqr(a, b) ltc_mp.sqr(a, b)
36 #define mp_mod(a, b, c) ltc_mp.mpdiv(a, b, NULL, c)
37 #define mp_sub(a, b, c) ltc_mp.sub(a, b, c)
38 #define mp_set(a, b) ltc_mp.set_int(a, b)
41 #define LTC_PKCS_1_EMSA LTC_LTC_PKCS_1_EMSA
42 #define LTC_PKCS_1_V1_5 LTC_LTC_PKCS_1_V1_5
43 #define LTC_PKCS_1_PSS LTC_LTC_PKCS_1_PSS
50 #define TLS_DH_DEFAULT_P "87A8E61DB4B6663CFFBBD19C651959998CEEF608660DD0F25D2CEED4435E3B00E00DF8F1D61957D4FAF7DF4561B2AA3016C3D91134096FAA3BF4296D830E9A7C209E0C6497517ABD5A8A9D306BCF67ED91F9E6725B4758C022E0B1EF4275BF7B6C5BFC11D45F9088B941F54EB1E59BB8BC39A0BF12307F5C4FDB70C581B23F76B63ACAE1CAA6B7902D52526735488A0EF13C6D9A51BFA4AB3AD8347796524D8EF6A167B5A41825D967E144E5140564251CCACB83E6B486F6B3CA3F7971506026C0B857F689962856DED4010ABD0BE621C3A3960A54E710C375F26375D7014103A4B54330C198AF126116D2276E11715F693877FAD7EF09CADB094AE91E1A1597"
51 #define TLS_DH_DEFAULT_G "3FB32C9B73134D0B2E77506660EDBD484CA7B18F21EF205407F4793A1A0BA12510DBC15077BE463FFF4FED4AAC0BB555BE3A6C1B0C6B47B1BC3773BF7E8C6F62901228F8C28CBB18A55AE31341000A650196F931C77A57F2DDF463E5E9EC144B777DE62AAAB8A8628AC376D282D6ED3864E67982428EBC831D14348F6F2F9193B5045AF2767164E1DFC967C1FB3F2E55A4BD1BFFE83B9C80D052B985D182EA0ADB2A3B7313D3FE14C8484B1E052588B9B7D2BBD2DF016199ECD06E1557CD0915B3353BBB64E0EC377FD028370DF92B52C7891428CDC67EB6184B523D1DB246C32F63078490F00EF8D647D148D47954515E2327CFEF98C582664B4C0F6CC41659"
52 #define TLS_DHE_KEY_SIZE 2048
55 #define htonll(x) ((1==htonl(1)) ? (x) : ((uint64_t)htonl((x) & 0xFFFFFFFF) << 32) | htonl((x) >> 32))
59 #define ntohll(x) ((1==ntohl(1)) ? (x) : ((uint64_t)ntohl((x) & 0xFFFFFFFF) << 32) | ntohl((x) >> 32))
62 #define CHECK_HANDSHAKE_STATE(context, n, limit) { if (context->hs_messages[n] >= limit) { DEBUG_PRINT("* UNEXPECTED MESSAGE (%i)\n", (int)n); payload_res = TLS_UNEXPECTED_MESSAGE; break; } context->hs_messages[n]++; }
78 } KeyExchangeAlgorithm;
85 rsa_ephemeral_dh_RESERVED = 5,
86 dss_ephemeral_dh_RESERVED = 6,
87 fortezza_dms_RESERVED = 20,
91 } TLSClientCertificateType;
109 } TLSSignatureAlgorithm;
116 typedef ssize_t (*tls_recv_func)(int sockfd, void *buf, size_t len,
118 typedef ssize_t (*tls_send_func)(int sockfd, const void *buf, size_t len,
121 static const unsigned int version_id[] = { 1, 1, 1, 0 };
122 static const unsigned int pk_id[] = { 1, 1, 7, 0 };
123 static const unsigned int serial_id[] = { 1, 1, 2, 1, 0 };
124 static const unsigned int issurer_id[] = { 1, 1, 4, 0 };
125 static const unsigned int owner_id[] = { 1, 1, 6, 0 };
126 static const unsigned int validity_id[] = { 1, 1, 5, 0 };
127 static const unsigned int algorithm_id[] = { 1, 1, 3, 0 };
128 static const unsigned int sign_id[] = { 1, 3, 2, 1, 0 };
129 static const unsigned int sign_id2[] = { 1, 3, 2, 2, 0 };
130 static const unsigned int priv_id[] = { 1, 4, 0 };
131 static const unsigned int priv_der_id[] = { 1, 3, 1, 0 };
132 static const unsigned int ecc_priv_id[] = { 1, 2, 0 };
134 static const unsigned char country_oid[] = { 0x55, 0x04, 0x06, 0x00 };
135 static const unsigned char state_oid[] = { 0x55, 0x04, 0x08, 0x00 };
136 static const unsigned char location_oid[] = { 0x55, 0x04, 0x07, 0x00 };
137 static const unsigned char entity_oid[] = { 0x55, 0x04, 0x0A, 0x00 };
138 static const unsigned char subject_oid[] = { 0x55, 0x04, 0x03, 0x00 };
139 static const unsigned char san_oid[] = { 0x55, 0x1D, 0x11, 0x00 };
140 static const unsigned char ocsp_oid[] =
141 { 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x00 };
143 static const unsigned char TLS_RSA_SIGN_RSA_OID[] =
144 { 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01, 0x00 };
145 static const unsigned char TLS_RSA_SIGN_MD5_OID[] =
146 { 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x04, 0x00 };
147 static const unsigned char TLS_RSA_SIGN_SHA1_OID[] =
148 { 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x05, 0x00 };
149 static const unsigned char TLS_RSA_SIGN_SHA256_OID[] =
150 { 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x00 };
151 static const unsigned char TLS_RSA_SIGN_SHA384_OID[] =
152 { 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0C, 0x00 };
153 static const unsigned char TLS_RSA_SIGN_SHA512_OID[] =
154 { 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0D, 0x00 };
157 static const unsigned char TLS_ECDSA_SIGN_SHA1_OID[] = {0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x04, 0x01, 0x05, 0x00, 0x00};
158 static const unsigned char TLS_ECDSA_SIGN_SHA224_OID[] = {0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x04, 0x03, 0x01, 0x05, 0x00, 0x00};
159 static const unsigned char TLS_ECDSA_SIGN_SHA256_OID[] = {0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x04, 0x03, 0x02, 0x05, 0x00, 0x00};
160 static const unsigned char TLS_ECDSA_SIGN_SHA384_OID[] = {0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x04, 0x03, 0x03, 0x05, 0x00, 0x00};
161 static const unsigned char TLS_ECDSA_SIGN_SHA512_OID[] = {0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x04, 0x03, 0x04, 0x05, 0x00, 0x00};
164 static const unsigned char TLS_EC_PUBLIC_KEY_OID[] =
165 { 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x02, 0x01, 0x00 };
167 static const unsigned char TLS_EC_prime192v1_OID[] =
168 { 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 0x01, 0x00 };
169 static const unsigned char TLS_EC_prime192v2_OID[] =
170 { 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 0x02, 0x00 };
171 static const unsigned char TLS_EC_prime192v3_OID[] =
172 { 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 0x03, 0x00 };
173 static const unsigned char TLS_EC_prime239v1_OID[] =
174 { 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 0x04, 0x00 };
175 static const unsigned char TLS_EC_prime239v2_OID[] =
176 { 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 0x05, 0x00 };
177 static const unsigned char TLS_EC_prime239v3_OID[] =
178 { 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 0x06, 0x00 };
179 static const unsigned char TLS_EC_prime256v1_OID[] =
180 { 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 0x07, 0x00 };
182 #define TLS_EC_secp256r1_OID TLS_EC_prime256v1_OID
183 static const unsigned char TLS_EC_secp224r1_OID[] =
184 { 0x2B, 0x81, 0x04, 0x00, 0x21, 0x00 };
185 static const unsigned char TLS_EC_secp384r1_OID[] =
186 { 0x2B, 0x81, 0x04, 0x00, 0x22, 0x00 };
187 static const unsigned char TLS_EC_secp521r1_OID[] =
188 { 0x2B, 0x81, 0x04, 0x00, 0x23, 0x00 };
190 int tls_random(unsigned char *key, int len);
191 void tls_destroy_packet(struct TLSPacket *packet);
192 struct TLSPacket *tls_build_hello(struct TLSContext *context,
193 int tls13_downgrade);
197 static unsigned char TLS_DSA_SIGN_SHA1_OID[] = {0x2A, 0x86, 0x52, 0xCE, 0x38, 0x04, 0x03, 0x00};
200 static uint16_t get16(const unsigned char *buf) {
203 res = ((*buf) << 8) + (*(buf+1));
207 static uint32_t get24(const unsigned char *buf) {
210 res = (buf[0] << 16) + (buf[1] << 8) + buf[2];
215 static char *packet_content_type(int type) {
217 case 20: return "change_cipher_spec"; break;
218 case 21: return "alert"; break;
219 case 22: return "handshake"; break;
220 case 23: return "application_data"; break;
223 return "unknown content type";
226 static char *packet_handshake_type(int type) {
228 case 0: return "hello_request"; break;
229 case 1: return "client_hello"; break;
230 case 2: return "server_hello"; break;
231 case 11: return "certificate"; break;
232 case 12: return "server_key_exchange"; break;
233 case 13: return "certificate_request"; break;
234 case 14: return "server_hello_done"; break;
235 case 15: return "certificate_verify"; break;
236 case 16: return "client_key_exchange"; break;
237 case 20: return "finished"; break;
240 return "unknown handshake type";
244 size_t tls_queue_packet(struct TLSPacket *packet) {
251 struct TLSContext *context = packet->context;
258 DEBUG_PRINTLN("sending packet type %d %s\n", (int)packet->buf[0],
259 packet_content_type(packet->buf[0]));
260 if (packet->buf[0] == 22) {
261 DEBUG_PRINTLN("handshake type %d %s\n", (int)packet->buf[5],
262 packet_handshake_type(packet->buf[5])
265 tls_buffer_append(&context->output_buffer, packet->buf, packet->len);
266 tls_destroy_packet(packet);
268 return context->output_buffer.len;
271 static void tls_send_change_cipher_spec(struct TLSContext *context) {
273 struct TLSPacket *packet =
274 tls_create_packet(context, TLS_CHANGE_CIPHER, context->version,
276 tls_packet_uint8(packet, 1);
277 tls_packet_update(packet);
278 context->local_sequence_number = 0;
279 tls_queue_packet(packet);
284 static void tls_send_encrypted_extensions(struct TLSContext *context) {
285 struct TLSPacket *packet =
286 tls_create_packet(context, TLS_HANDSHAKE, context->version, 3);
287 tls_packet_uint8(packet, 0x08);
289 if (context->negotiated_alpn) {
290 int alpn_negotiated_len = strlen(context->negotiated_alpn);
291 int alpn_len = alpn_negotiated_len + 1;
293 tls_packet_uint24(packet, alpn_len + 8);
294 tls_packet_uint16(packet, alpn_len + 6);
295 tls_packet_uint16(packet, 0x10);
296 tls_packet_uint16(packet, alpn_len + 2);
297 tls_packet_uint16(packet, alpn_len);
299 tls_packet_uint8(packet, alpn_negotiated_len);
300 tls_packet_append(packet, (unsigned char *) context->
301 negotiated_alpn, alpn_negotiated_len);
303 tls_packet_uint24(packet, 2);
304 tls_packet_uint16(packet, 0);
306 tls_packet_update(packet);
307 tls_queue_packet(packet);
311 static void tls_send_done(struct TLSContext *context) {
312 struct TLSPacket *packet =
313 tls_create_packet(context, TLS_HANDSHAKE, context->version, 0);
314 tls_packet_uint8(packet, 0x0E);
315 tls_packet_uint24(packet, 0);
316 tls_packet_update(packet);
317 tls_queue_packet(packet);
321 static void tls_send_certificate(struct TLSContext *context) {
323 unsigned int all_certificate_size = 0;
324 int certificates_count;
325 struct TLSCertificate **certificates;
328 if (context->is_server) {
329 certificates_count = context->certificates_count;
330 certificates = context->certificates;
332 certificates_count = context->client_certificates_count;
333 certificates = context->client_certificates;
337 if (context->tlsver == TLS_VERSION13) {
341 int is_ecdsa = tls_is_ecdsa(context);
342 /* TODO can do one loop and test for ecdsa inside loop */
344 for (i = 0; i < certificates_count; i++) {
345 struct TLSCertificate *cert = certificates[i];
346 if (cert && cert->der_len && cert->ec_algorithm) {
347 all_certificate_size += cert->der_len + delta;
351 for (i = 0; i < certificates_count; i++) {
352 struct TLSCertificate *cert = certificates[i];
353 if (cert && cert->der_len && !cert->ec_algorithm) {
354 all_certificate_size += cert->der_len + delta;
359 for (i = 0; i < certificates_count; i++) {
360 struct TLSCertificate *cert = certificates[i];
361 if (cert && cert->der_len) {
362 all_certificate_size += cert->der_len + delta;
366 if (!all_certificate_size) {
367 DEBUG_PRINT("NO CERTIFICATE SET\n");
370 struct TLSPacket *packet = tls_create_packet(context, TLS_HANDSHAKE,
371 context->version, 0);
372 tls_packet_uint8(packet, 0x0B);
374 if (all_certificate_size) {
376 if (context->tlsver == TLS_VERSION13) {
377 tls_packet_uint24(packet, all_certificate_size + 4);
378 tls_packet_uint8(packet, 0);
380 tls_packet_uint24(packet, all_certificate_size + 3);
383 tls_packet_uint24(packet, all_certificate_size);
385 for (i = 0; i < certificates_count; i++) {
386 struct TLSCertificate *cert = certificates[i];
387 if (cert && cert->der_len) {
388 /* is RSA certificate ? */
389 if (is_ecdsa && !cert->ec_algorithm) {
392 /* is ECC certificate ? */
393 if (!is_ecdsa && cert->ec_algorithm) {
396 /* 2 times -> one certificate */
397 tls_packet_uint24(packet, cert->der_len);
398 tls_packet_append(packet, cert->der_bytes,
401 if (context->tlsver == TLS_VERSION13) {
402 tls_packet_uint16(packet, 0);
407 tls_packet_uint24(packet, all_certificate_size);
408 if (context->tlsver == TLS_VERSION13) {
409 tls_packet_uint8(packet, 0);
413 tls_packet_update(packet);
414 tls_queue_packet(packet);
419 int tls_supported_version(uint16_t ver) {
425 DEBUG_PRINT("UNSUPPORTED TLS VERSION %x\n", (int)ver);
431 void tls_set_packet_length(struct TLSPacket *packet, uint32_t length) {
432 int offset = packet->payload_pos;
433 packet->buf[offset] = (length >> 16) & 0xff;
434 packet->buf[offset+1] = (length >> 8) & 0xff;
435 packet->buf[offset+2] = (length >> 0) & 0xff;
438 static void tls_init() {
439 static int loaded = 0;
444 DEBUG_PRINT("Initializing dependencies\n");
453 /* TODO remove these */
454 register_hash(&md5_desc);
455 register_hash(&sha1_desc);
457 register_hash(&sha256_desc);
458 register_hash(&sha384_desc);
459 register_hash(&sha512_desc);
461 register_prng(&sprng_desc);
463 register_cipher(&aes_desc);
465 tls_ecc_init_curves();
468 static unsigned char *decrypt_rsa(struct TLSContext *context,
469 const unsigned char *buffer,
471 unsigned int *size) {
473 if (!len || !context || !context->private_key
474 || !context->private_key->der_bytes
475 || !context->private_key->der_len) {
476 DEBUG_PRINT("No private key set\n");
481 err = rsa_import(context->private_key->der_bytes,
482 context->private_key->der_len, &key);
485 DEBUG_PRINT("Error importing RSA key (code: %i)\n", err);
489 unsigned char *out = malloc(len);
490 unsigned long out_size = len;
491 int hash_idx = find_hash("sha256");
493 err = rsa_decrypt_key_ex(buffer, len, out, &out_size, (unsigned char *)
494 "Concept", 7, hash_idx, LTC_PKCS_1_V1_5, &res, &key);
497 if (err || !out_size) {
498 DEBUG_PRINT("RSA DECRYPT ERROR\n");
502 *size = (unsigned int) out_size;
506 static int verify_rsa(struct TLSContext *context, unsigned int hash_type, const
507 unsigned char *buffer, unsigned int len, const unsigned char
508 *message, unsigned long message_len) {
513 return TLS_GENERIC_ERROR;
516 struct TLSCertificate **cert;
519 if (context->is_server) {
520 cert = context->client_certificates;
521 count = context->client_certificates_count;
523 cert = context->certificates;
524 count = context->certificates_count;
527 if (count == 0 || !cert) {
528 return TLS_GENERIC_ERROR;
531 err = rsa_import(cert[0]->der_bytes, cert[0]->der_len, &key);
534 DEBUG_PRINT("Error importing RSA certificate (code: %i)\n",
536 return TLS_GENERIC_ERROR;
539 unsigned char hash[TLS_MAX_HASH_LEN];
540 unsigned long hash_len;
541 hash_len = (unsigned long)sizeof hash;
545 hash_idx = find_hash("md5");
548 hash_idx = find_hash("sha1");
551 hash_idx = find_hash("sha256");
554 hash_idx = find_hash("sha384");
557 hash_idx = find_hash("sha512");
560 err = hash_memory(hash_idx, message, message_len, hash, &hash_len);
561 if (hash_idx < 0 || err) {
562 DEBUG_PRINT("Unsupported hash type: %i\n", hash_type);
563 return TLS_GENERIC_ERROR;
566 if (context->tlsver == TLS_VERSION13) {
567 err = rsa_verify_hash_ex(buffer, len, hash, hash_len,
568 LTC_PKCS_1_PSS, hash_idx, 0, &rsa_stat, &key);
570 err = rsa_verify_hash_ex(buffer, len, hash, hash_len,
571 LTC_PKCS_1_V1_5, hash_idx, 0, &rsa_stat, &key);
580 static int sign_rsa(struct TLSContext *context, unsigned int hash_type, const
581 unsigned char *message, unsigned int message_len, unsigned char
582 *out, unsigned long *outlen) {
586 unsigned char hash[TLS_MAX_HASH_LEN];
587 unsigned long hash_len = 0;
590 if (!outlen || !context || !out || !context->private_key
591 || !context->private_key->der_bytes
592 || !context->private_key->der_len) {
593 DEBUG_PRINT("No private key set\n");
594 return TLS_GENERIC_ERROR;
597 err = rsa_import(context->private_key->der_bytes,
598 context->private_key->der_len, &key);
601 DEBUG_PRINT("Error %d importing RSA certificate", err);
602 return TLS_GENERIC_ERROR;
607 hash_index = find_hash("sha1");
611 hash_index = find_hash("sha256");
615 hash_index = find_hash("sha384");
619 hash_index = find_hash("sha512");
624 hash_index = find_hash("md5");
629 if (hash_index < 0 || err) {
630 DEBUG_PRINT("Unsupported hash type: %i\n", hash_type);
631 return TLS_GENERIC_ERROR;
634 hash_memory(hash_index, message, message_len, hash, &hash_len);
636 if (hash_type == _md5_sha1) {
637 unsigned long hlen = 20;
638 hash_index = find_hash("sha1");
639 hash_memory(hash_index, message, message_len, hash+16, &hlen);
643 //err = hash_memory(hash_idx, message, message_len, hash, &hash_len);
645 if (context->tlsver == TLS_VERSION13) {
646 err = rsa_sign_hash_ex(hash, hash_len, out, outlen,
647 LTC_PKCS_1_PSS, NULL, find_prng("sprng"),
648 hash_index, hash_type == sha256 ? 32 : 48, &key);
650 err = rsa_sign_hash_ex(hash, hash_len, out, outlen,
651 LTC_PKCS_1_V1_5, NULL, find_prng("sprng"),
652 hash_index, 0, &key);
663 static int tls_is_point(ecc_key * key) {
664 void *prime, *b, *t1, *t2;
667 if ((err = mp_init_multi(&prime, &b, &t1, &t2, NULL)) != CRYPT_OK) {
671 /* load prime and b */
672 if ((err = mp_read_radix(prime, key->dp->prime, 16)) != CRYPT_OK) {
675 if ((err = mp_read_radix(b, key->dp->B, 16)) != CRYPT_OK) {
680 if ((err = mp_sqr(key->pubkey.y, t1)) != CRYPT_OK) {
685 if ((err = mp_sqr(key->pubkey.x, t2)) != CRYPT_OK) {
688 if ((err = mp_mod(t2, prime, t2)) != CRYPT_OK) {
691 if ((err = mp_mul(key->pubkey.x, t2, t2)) != CRYPT_OK) {
695 /* compute y^2 - x^3 */
696 if ((err = mp_sub(t1, t2, t1)) != CRYPT_OK) {
700 /* compute y^2 - x^3 + 3x */
701 if ((err = mp_add(t1, key->pubkey.x, t1)) != CRYPT_OK) {
704 if ((err = mp_add(t1, key->pubkey.x, t1)) != CRYPT_OK) {
707 if ((err = mp_add(t1, key->pubkey.x, t1)) != CRYPT_OK) {
710 if ((err = mp_mod(t1, prime, t1)) != CRYPT_OK) {
713 while (mp_cmp_d(t1, 0) == LTC_MP_LT) {
714 if ((err = mp_add(t1, prime, t1)) != CRYPT_OK) {
718 while (mp_cmp(t1, prime) != LTC_MP_LT) {
719 if ((err = mp_sub(t1, prime, t1)) != CRYPT_OK) {
725 if (mp_cmp(t1, b) != LTC_MP_EQ) {
726 err = CRYPT_INVALID_PACKET;
732 mp_clear_multi(prime, b, t1, t2, NULL);
736 static int tls_ecc_import_key(const unsigned char *private_key,
738 const unsigned char *public_key,
739 int public_len, ecc_key *key,
740 const ltc_ecc_set_type *dp) {
743 if (!key || !ltc_mp.name) {
747 key->type = PK_PRIVATE;
750 (&key->pubkey.x, &key->pubkey.y, &key->pubkey.z, &key->k,
754 if (public_len && !public_key[0]) {
758 if ((err = mp_read_unsigned_bin(key->pubkey.x,
759 (unsigned char *) public_key + 1,
760 (public_len - 1) >> 1)) != CRYPT_OK) {
761 mp_clear_multi(key->pubkey.x, key->pubkey.y, key->pubkey.z,
766 if ((err = mp_read_unsigned_bin(key->pubkey.y,
767 (unsigned char *) public_key + 1 +
768 ((public_len - 1) >> 1),
769 (public_len - 1) >> 1)) != CRYPT_OK) {
770 mp_clear_multi(key->pubkey.x, key->pubkey.y, key->pubkey.z,
776 mp_read_unsigned_bin(key->k, (unsigned char *) private_key,
777 private_len)) != CRYPT_OK) {
778 mp_clear_multi(key->pubkey.x, key->pubkey.y, key->pubkey.z,
787 if ((err = mp_set(key->pubkey.z, 1)) != CRYPT_OK) {
788 mp_clear_multi(key->pubkey.x, key->pubkey.y, key->pubkey.z,
793 /* is it a point on the curve? */
794 if ((err = tls_is_point(key)) != CRYPT_OK) {
795 DEBUG_PRINT("KEY IS NOT ON CURVE\n");
796 mp_clear_multi(key->pubkey.x, key->pubkey.y, key->pubkey.z,
805 static int sign_ecdsa(struct TLSContext *context,
806 unsigned int hash_type,
807 const unsigned char *message,
808 unsigned int message_len, unsigned char *out,
809 unsigned long *outlen) {
810 if (!outlen || !context || !out || !outlen
811 || !context->ec_private_key
812 || !context->ec_private_key->priv
813 || !context->ec_private_key->priv_len
814 || !context->ec_private_key->pk
815 || !context->ec_private_key->pk_len) {
816 DEBUG_PRINT("No private ECDSA key set\n");
817 return TLS_GENERIC_ERROR;
820 const struct ECCCurveParameters *curve = NULL;
822 switch (context->ec_private_key->ec_algorithm) {
845 DEBUG_PRINT("UNSUPPORTED CURVE\n");
849 return TLS_GENERIC_ERROR;
855 ltc_ecc_set_type *dp = (ltc_ecc_set_type *)&curve->dp;
857 /* broken ... fix this */
858 err = tls_ecc_import_key(context->ec_private_key->priv,
859 context->ec_private_key->priv_len,
860 context->ec_private_key->pk,
861 context->ec_private_key->pk_len, &key, dp);
864 DEBUG_PRINT("Error importing ECC certificate (code: %i)\n",
866 return TLS_GENERIC_ERROR;
869 unsigned char hash[TLS_MAX_HASH_LEN];
870 unsigned long hash_len = 0;
875 hash_index = find_hash("sha1");
879 hash_index = find_hash("sha256");
883 hash_index = find_hash("sha384");
887 hash_index = find_hash("sha512");
892 hash_index = find_hash("md5");
897 hash_memory(hash_index, message, message_len, hash, &hash_len);
899 if (hash_type == _md5_sha1) {
900 unsigned long hlen = 20;
901 hash_index = find_hash("sha1");
902 hash_memory(hash_index, message, message_len, hash+16, &hlen);
907 DEBUG_PRINT("Unsupported hash type: %i\n", hash_type);
908 return TLS_GENERIC_ERROR;
910 /* "Let z be the Ln leftmost bits of e, where Ln is the bit length of
911 * the group order n." */
912 if ((int)hash_len > curve->size) {
913 hash_len = curve->size;
915 err = ecc_sign_hash(hash, hash_len, out, outlen, NULL,
916 find_prng("sprng"), &key);
917 DEBUG_DUMP_HEX_LABEL("ECC SIGNATURE", out, *outlen);
923 static void tls_send_certificate_verify(struct TLSContext *context) {
924 struct TLSPacket *packet =
925 tls_create_packet(context, TLS_HANDSHAKE, context->version, 0);
926 /* certificate verify */
927 tls_packet_uint8(packet, 0x0F);
928 tls_packet_uint24(packet, 0);
930 unsigned char out[TLS_MAX_RSA_KEY];
931 unsigned long out_len = TLS_MAX_RSA_KEY;
933 unsigned char signing_data[TLS_MAX_HASH_SIZE + 98];
934 int signing_data_len;
936 /* first 64 bytes to 0x20 (32) */
937 memset(signing_data, 0x20, 64);
938 /* context string 33 bytes */
939 if (context->is_server) {
940 memcpy(signing_data + 64, "TLS 1.3, server CertificateVerify",
943 memcpy(signing_data + 64, "TLS 1.3, client CertificateVerify",
946 /* a single 0 byte separator */
947 signing_data[97] = 0;
948 signing_data_len = 98;
950 signing_data_len += tls_get_hash(context, signing_data + 98);
951 DEBUG_DUMP_HEX_LABEL("verify data", signing_data, signing_data_len);
952 int hash_algorithm = sha256;
953 if (tls_is_ecdsa(context)) {
954 switch (context->ec_private_key->ec_algorithm) {
956 /* secp256r1 + sha256 */
957 tls_packet_uint16(packet, 0x0403);
960 /* secp384r1 + sha384 */
961 tls_packet_uint16(packet, 0x0503);
962 hash_algorithm = sha384;
965 /* secp521r1 + sha512 */
966 tls_packet_uint16(packet, 0x0603);
967 hash_algorithm = sha512;
970 DEBUG_PRINT("UNSUPPORTED CURVE (SIGNING)\n");
976 tls_packet_uint16(packet, 0x0804);
981 if (tls_is_ecdsa(context)) {
982 if (sign_ecdsa(context, hash_algorithm, signing_data,
983 signing_data_len, out, &out_len) == 1)
986 ("ECDSA signing OK! (ECDSA, length %lu)\n",
988 tls_packet_uint16(packet, out_len);
989 tls_packet_append(packet, out, out_len);
990 packet_size += out_len + 2;
992 } else if (sign_rsa(context, hash_algorithm, signing_data,
993 signing_data_len, out, &out_len) == 1) {
994 DEBUG_PRINT("RSA signing OK! (length %lu)\n", out_len);
995 tls_packet_uint16(packet, out_len);
996 tls_packet_append(packet, out, out_len);
997 packet_size += out_len + 2;
1000 tls_set_packet_length(packet, packet_size);
1002 tls_packet_update(packet);
1003 tls_queue_packet(packet);
1007 static int tls_ecc_import_pk(const unsigned char *public_key,
1008 int public_len, ecc_key * key,
1009 const ltc_ecc_set_type * dp) {
1012 if (!key || !ltc_mp.name) {
1016 key->type = PK_PUBLIC;
1018 if (mp_init_multi(&key->pubkey.x, &key->pubkey.y, &key->pubkey.z,
1019 &key->k, NULL) != CRYPT_OK) {
1023 if (public_len && !public_key[0]) {
1027 if ((err = mp_read_unsigned_bin(key->pubkey.x,
1028 (unsigned char *) public_key + 1,
1029 (public_len - 1) >> 1)) != CRYPT_OK) {
1030 mp_clear_multi(key->pubkey.x, key->pubkey.y, key->pubkey.z,
1035 if ((err = mp_read_unsigned_bin(key->pubkey.y,
1036 (unsigned char *) public_key + 1 +
1037 ((public_len - 1) >> 1),
1038 (public_len - 1) >> 1)) != CRYPT_OK) {
1039 mp_clear_multi(key->pubkey.x, key->pubkey.y, key->pubkey.z,
1048 if ((err = mp_set(key->pubkey.z, 1)) != CRYPT_OK) {
1049 mp_clear_multi(key->pubkey.x, key->pubkey.y, key->pubkey.z,
1054 /* is it a point on the curve? */
1055 if ((err = tls_is_point(key)) != CRYPT_OK) {
1056 DEBUG_PRINT("KEY IS NOT ON CURVE\n");
1057 mp_clear_multi(key->pubkey.x, key->pubkey.y, key->pubkey.z,
1066 static int tls_verify_ecdsa(struct TLSContext *context,
1067 unsigned int hash_type,
1068 const unsigned char *buffer,
1070 const unsigned char *message,
1071 unsigned int message_len,
1072 const struct ECCCurveParameters *curve_hint)
1078 curve_hint = context->curve;
1082 return TLS_GENERIC_ERROR;
1085 struct TLSCertificate **cert;
1088 if (context->is_server) {
1089 cert = context->client_certificates;
1090 count = context->client_certificates_count;
1092 cert = context->certificates;
1093 count = context->certificates_count;
1096 if (count == 0 || !cert || !cert[0] || !cert[0]->pk ||
1098 return TLS_GENERIC_ERROR;
1101 err = tls_ecc_import_pk(cert[0]->pk, cert[0]->pk_len, &key,
1102 (ltc_ecc_set_type *)&curve_hint->dp);
1105 DEBUG_PRINT("Error importing ECC certificate (code: %i)", err);
1106 return TLS_GENERIC_ERROR;
1110 unsigned char hash[TLS_MAX_HASH_LEN];
1111 unsigned long hash_len = 0;
1113 switch (hash_type) {
1115 hash_idx = find_hash("md5");
1119 hash_idx = find_hash("sha1");
1123 hash_idx = find_hash("sha256");
1127 hash_idx = find_hash("sha384");
1131 hash_idx = find_hash("sha512");
1136 err = hash_memory(hash_idx, message, message_len, hash, &hash_len);
1138 if (hash_idx < 0 || err) {
1139 DEBUG_PRINT("Unsupported hash type: %i\n", hash_type);
1140 return TLS_GENERIC_ERROR;
1144 err = ecc_verify_hash(buffer, len, hash, hash_len, &ecc_stat, &key);
1152 static void prf_helper(int hash_idx, unsigned long dlen,
1153 unsigned char *output, unsigned int outlen,
1154 const unsigned char *secret,
1155 const unsigned int secret_len,
1156 const unsigned char *label,
1157 unsigned int label_len, unsigned char *seed,
1158 unsigned int seed_len, unsigned char *seed_b,
1159 unsigned int seed_b_len) {
1160 unsigned char digest_out0[TLS_MAX_HASH_LEN];
1161 unsigned char digest_out1[TLS_MAX_HASH_LEN];
1165 hmac_init(&hmac, hash_idx, secret, secret_len);
1166 hmac_process(&hmac, label, label_len);
1168 hmac_process(&hmac, seed, seed_len);
1169 if (seed_b && seed_b_len) {
1170 hmac_process(&hmac, seed_b, seed_b_len);
1172 hmac_done(&hmac, digest_out0, &dlen);
1175 hmac_init(&hmac, hash_idx, secret, secret_len);
1176 hmac_process(&hmac, digest_out0, dlen);
1177 hmac_process(&hmac, label, label_len);
1178 hmac_process(&hmac, seed, seed_len);
1179 if (seed_b && seed_b_len) {
1180 hmac_process(&hmac, seed_b, seed_b_len);
1182 hmac_done(&hmac, digest_out1, &dlen);
1184 unsigned int copylen = outlen;
1185 if (copylen > dlen) {
1189 for (i = 0; i < copylen; i++) {
1190 output[idx++] ^= digest_out1[i];
1198 hmac_init(&hmac, hash_idx, secret, secret_len);
1199 hmac_process(&hmac, digest_out0, dlen);
1200 hmac_done(&hmac, digest_out0, &dlen);
1204 static void tls_prf(struct TLSContext *context,
1205 unsigned char *output, unsigned int outlen,
1206 const unsigned char *secret,
1207 const unsigned int secret_len,
1208 const unsigned char *label, unsigned int label_len,
1209 unsigned char *seed, unsigned int seed_len,
1210 unsigned char *seed_b, unsigned int seed_b_len) {
1211 if (!secret || !secret_len) {
1212 DEBUG_PRINT("NULL SECRET\n");
1216 /* TODO I don't think this is right, wouldn't use md5 for tls v1.3 */
1217 if (context->version != TLS_V12) {
1218 int md5_hash_idx = find_hash("md5");
1219 int sha1_hash_idx = find_hash("sha1");
1220 int half_secret = (secret_len + 1) / 2;
1222 memset(output, 0, outlen);
1223 prf_helper(md5_hash_idx, 16, output, outlen, secret,
1224 half_secret, label, label_len, seed, seed_len,
1225 seed_b, seed_b_len);
1226 prf_helper(sha1_hash_idx, 20, output, outlen, secret +
1227 (secret_len - half_secret), secret_len -
1228 half_secret, label, label_len, seed, seed_len,
1229 seed_b, seed_b_len);
1232 unsigned char digest_out0[TLS_MAX_HASH_LEN];
1233 unsigned char digest_out1[TLS_MAX_HASH_LEN];
1234 unsigned long dlen = 32;
1236 unsigned int mac_length = tls_mac_length(context);
1238 if (mac_length == TLS_SHA384_MAC_SIZE) {
1239 hash_idx = find_hash("sha384");
1242 hash_idx = find_hash("sha256");
1248 hmac_init(&hmac, hash_idx, secret, secret_len);
1249 hmac_process(&hmac, label, label_len);
1250 hmac_process(&hmac, seed, seed_len);
1251 if (seed_b && seed_b_len) {
1252 hmac_process(&hmac, seed_b, seed_b_len);
1254 hmac_done(&hmac, digest_out0, &dlen);
1258 hmac_init(&hmac, hash_idx, secret, secret_len);
1259 hmac_process(&hmac, digest_out0, dlen);
1260 hmac_process(&hmac, label, label_len);
1261 hmac_process(&hmac, seed, seed_len);
1262 if (seed_b && seed_b_len) {
1263 hmac_process(&hmac, seed_b, seed_b_len);
1265 hmac_done(&hmac, digest_out1, &dlen);
1267 unsigned int copylen = outlen;
1268 if (copylen > dlen) {
1269 copylen = (unsigned int) dlen;
1272 for (i = 0; i < copylen; i++) {
1273 output[idx++] = digest_out1[i];
1281 hmac_init(&hmac, hash_idx, secret, secret_len);
1282 hmac_process(&hmac, digest_out0, dlen);
1283 hmac_done(&hmac, digest_out0, &dlen);
1288 static void tls_send_finished(struct TLSContext *context) {
1290 struct TLSPacket *packet =
1291 tls_create_packet(context, TLS_HANDSHAKE, context->version,
1292 TLS_MIN_FINISHED_OPAQUE_LEN + 64);
1293 tls_packet_uint8(packet, 20);
1295 if (context->tlsver == TLS_VERSION13) {
1296 tls_packet_uint24(packet, tls_mac_length(context));
1298 tls_packet_uint24(packet, TLS_MIN_FINISHED_OPAQUE_LEN);
1302 unsigned char hash[TLS_MAX_HASH_SIZE];
1303 unsigned long out_size = TLS_MIN_FINISHED_OPAQUE_LEN;
1304 unsigned char out[TLS_MAX_HASH_SIZE];
1305 unsigned int hash_len;
1307 int context_is_v13 = 0;
1309 if (packet->context->tlsver == TLS_VERSION13) {
1313 /* server verifies client's message */
1314 if (context->is_server) {
1315 if (context_is_v13) {
1316 hash_len = tls_get_hash(context, hash);
1317 if (!context->finished_key || !hash_len) {
1319 ("NO FINISHED KEY COMPUTED OR NO HANDSHAKE HASH\n");
1321 /* TODO probably need to terminate */
1322 tls_destroy_packet(packet);
1327 DEBUG_DUMP_HEX_LABEL("HS HASH", hash, hash_len);
1328 DEBUG_DUMP_HEX_LABEL("HS FINISH",
1329 context->finished_key,
1332 out_size = hash_len;
1334 hmac_init(&hmac, tls_get_hash_idx(context),
1335 context->finished_key, hash_len);
1336 hmac_process(&hmac, hash, hash_len);
1337 hmac_done(&hmac, out, &out_size);
1339 hash_len = tls_done_hash(context, hash);
1340 tls_prf(context, out,
1341 TLS_MIN_FINISHED_OPAQUE_LEN,
1342 context->master_key,
1343 context->master_key_len,
1345 "server finished", 15, hash,
1347 tls_destroy_hash(context);
1351 hash_len = tls_get_hash(context, hash);
1352 tls_prf(context, out, TLS_MIN_FINISHED_OPAQUE_LEN,
1353 context->master_key,
1354 context->master_key_len,
1355 (unsigned char *) "client finished", 15,
1356 hash, hash_len, NULL, 0);
1359 tls_packet_append(packet, out, out_size);
1360 tls_packet_update(packet);
1361 DEBUG_DUMP_HEX_LABEL("VERIFY DATA", out, out_size);
1362 tls_queue_packet(packet);
1367 static int tls_key_length(struct TLSContext *context) {
1368 switch (context->cipher) {
1369 case TLS_RSA_WITH_AES_128_CBC_SHA:
1370 case TLS_RSA_WITH_AES_128_CBC_SHA256:
1371 case TLS_RSA_WITH_AES_128_GCM_SHA256:
1372 case TLS_DHE_RSA_WITH_AES_128_CBC_SHA:
1373 case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256:
1374 case TLS_DHE_RSA_WITH_AES_128_GCM_SHA256:
1375 case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:
1376 case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256:
1377 case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:
1378 case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA:
1379 case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256:
1380 case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:
1381 case TLS_AES_128_GCM_SHA256:
1383 case TLS_RSA_WITH_AES_256_CBC_SHA:
1384 case TLS_RSA_WITH_AES_256_CBC_SHA256:
1385 case TLS_RSA_WITH_AES_256_GCM_SHA384:
1386 case TLS_DHE_RSA_WITH_AES_256_CBC_SHA:
1387 case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256:
1388 case TLS_DHE_RSA_WITH_AES_256_GCM_SHA384:
1389 case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:
1390 case TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:
1391 case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA:
1392 case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384:
1393 case TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:
1394 case TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:
1395 case TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256:
1396 case TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256:
1397 case TLS_AES_256_GCM_SHA384:
1398 case TLS_CHACHA20_POLY1305_SHA256:
1404 /* 0 is none, 1 is GCM?, 2 is chacha */
1405 int tls_is_aead(struct TLSContext *context) {
1406 switch (context->cipher) {
1407 case TLS_RSA_WITH_AES_128_GCM_SHA256:
1408 case TLS_RSA_WITH_AES_256_GCM_SHA384:
1409 case TLS_DHE_RSA_WITH_AES_128_GCM_SHA256:
1410 case TLS_DHE_RSA_WITH_AES_256_GCM_SHA384:
1411 case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:
1412 case TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:
1413 case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:
1414 case TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:
1415 case TLS_AES_128_GCM_SHA256:
1416 case TLS_AES_256_GCM_SHA384:
1418 case TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:
1419 case TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256:
1420 case TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256:
1421 case TLS_CHACHA20_POLY1305_SHA256:
1427 int tls_mac_length(struct TLSContext *context) {
1428 switch (context->cipher) {
1429 case TLS_RSA_WITH_AES_128_CBC_SHA:
1430 case TLS_RSA_WITH_AES_256_CBC_SHA:
1431 case TLS_DHE_RSA_WITH_AES_128_CBC_SHA:
1432 case TLS_DHE_RSA_WITH_AES_256_CBC_SHA:
1433 case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:
1434 case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:
1435 case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA:
1436 case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA:
1437 return TLS_SHA1_MAC_SIZE;
1438 case TLS_RSA_WITH_AES_128_CBC_SHA256:
1439 case TLS_RSA_WITH_AES_256_CBC_SHA256:
1440 case TLS_RSA_WITH_AES_128_GCM_SHA256:
1441 case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256:
1442 case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256:
1443 case TLS_DHE_RSA_WITH_AES_128_GCM_SHA256:
1444 case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256:
1445 case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:
1446 case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256:
1447 case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:
1448 case TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:
1449 case TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256:
1450 case TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256:
1451 case TLS_AES_128_GCM_SHA256:
1452 case TLS_CHACHA20_POLY1305_SHA256:
1453 case TLS_AES_128_CCM_SHA256:
1454 case TLS_AES_128_CCM_8_SHA256:
1455 return TLS_SHA256_MAC_SIZE;
1456 case TLS_RSA_WITH_AES_256_GCM_SHA384:
1457 case TLS_DHE_RSA_WITH_AES_256_GCM_SHA384:
1458 case TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:
1459 case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384:
1460 case TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:
1461 case TLS_AES_256_GCM_SHA384:
1462 return TLS_SHA384_MAC_SIZE;
1467 int _private_tls13_key(struct TLSContext *context, int handshake) {
1468 int key_length = tls_key_length(context);
1469 int mac_length = tls_mac_length(context);
1471 if (!context->premaster_key || !context->premaster_key_len) {
1475 if (!key_length || !mac_length) {
1477 ("KEY EXPANSION FAILED, KEY LENGTH: %i, MAC LENGTH: %i\n",
1478 key_length, mac_length);
1482 unsigned char *clientkey = NULL;
1483 unsigned char *serverkey = NULL;
1484 unsigned char *clientiv = NULL;
1485 unsigned char *serveriv = NULL;
1486 int is_aead = tls_is_aead(context);
1488 unsigned char local_keybuffer[TLS_V13_MAX_KEY_SIZE];
1489 unsigned char local_ivbuffer[TLS_V13_MAX_IV_SIZE];
1490 unsigned char remote_keybuffer[TLS_V13_MAX_KEY_SIZE];
1491 unsigned char remote_ivbuffer[TLS_V13_MAX_IV_SIZE];
1493 unsigned char prk[TLS_MAX_HASH_SIZE];
1494 unsigned char hash[TLS_MAX_HASH_SIZE];
1495 static unsigned char earlysecret[TLS_MAX_HASH_SIZE];
1497 const char *server_key = "s ap traffic";
1498 const char *client_key = "c ap traffic";
1500 server_key = "s hs traffic";
1501 client_key = "c hs traffic";
1504 unsigned char salt[TLS_MAX_HASH_SIZE];
1507 /* TODO what is the point of this ? */
1508 if (mac_length == TLS_SHA384_MAC_SIZE) {
1510 sha384_done(&md, hash);
1513 sha256_done(&md, hash);
1515 /* extract secret "early" */
1516 if (context->master_key && context->master_key_len && !handshake) {
1517 DEBUG_DUMP_HEX_LABEL("USING PREVIOUS SECRET",
1518 context->master_key,
1519 context->master_key_len);
1520 tls_hkdf_expand_label(mac_length, salt, mac_length,
1521 context->master_key, context->master_key_len,
1522 "derived", 7, hash, mac_length);
1523 DEBUG_DUMP_HEX_LABEL("salt", salt, mac_length);
1524 tls_hkdf_extract(mac_length, prk, mac_length, salt, mac_length,
1525 earlysecret, mac_length);
1527 tls_hkdf_extract(mac_length, prk, mac_length, NULL, 0,
1528 earlysecret, mac_length);
1529 /* derive secret for handshake "tls13 derived": */
1530 DEBUG_DUMP_HEX_LABEL("null hash", hash, mac_length);
1531 tls_hkdf_expand_label(mac_length, salt, mac_length, prk,
1532 mac_length, "derived", 7, hash, mac_length);
1533 /* extract secret "handshake": */
1534 DEBUG_DUMP_HEX_LABEL("salt", salt, mac_length);
1535 tls_hkdf_extract(mac_length, prk, mac_length,
1537 context->premaster_key,
1538 context->premaster_key_len);
1542 DEBUG_PRINT("KEY EXPANSION FAILED, NON AEAD CIPHER\n");
1546 unsigned char secret[TLS_MAX_MAC_SIZE];
1547 unsigned char hs_secret[TLS_MAX_HASH_SIZE];
1551 hash_size = tls_get_hash(context, hash);
1553 hash_size = tls_done_hash(context, hash);
1556 DEBUG_DUMP_HEX_LABEL("messages hash", hash, hash_size);
1558 if (context->is_server) {
1559 tls_hkdf_expand_label(mac_length, hs_secret, mac_length, prk,
1560 mac_length, server_key, 12, context->
1561 server_finished_hash ? context->
1562 server_finished_hash : hash, hash_size);
1563 DEBUG_DUMP_HEX_LABEL(server_key, hs_secret, mac_length);
1564 serverkey = local_keybuffer;
1565 serveriv = local_ivbuffer;
1566 clientkey = remote_keybuffer;
1567 clientiv = remote_ivbuffer;
1569 tls_hkdf_expand_label(mac_length, hs_secret,
1570 mac_length, prk, mac_length,
1573 server_finished_hash ?
1575 server_finished_hash : hash,
1577 serverkey = remote_keybuffer;
1578 serveriv = remote_ivbuffer;
1579 clientkey = local_keybuffer;
1580 clientiv = local_ivbuffer;
1583 int iv_length = TLS_13_AES_GCM_IV_LENGTH;
1585 iv_length = TLS_CHACHA20_IV_LENGTH;
1588 tls_hkdf_expand_label(mac_length, local_keybuffer, key_length,
1589 hs_secret, mac_length, "key", 3, NULL, 0);
1590 tls_hkdf_expand_label(mac_length, local_ivbuffer, iv_length, hs_secret,
1591 mac_length, "iv", 2, NULL, 0);
1593 tls_hkdf_expand_label(mac_length, secret,
1594 mac_length, prk, mac_length,
1595 context->is_server ? client_key : server_key,
1597 context->server_finished_hash ?
1598 context->server_finished_hash :
1602 tls_hkdf_expand_label(mac_length, remote_keybuffer, key_length, secret,
1603 mac_length, "key", 3, NULL, 0);
1604 tls_hkdf_expand_label(mac_length, remote_ivbuffer, iv_length, secret,
1605 mac_length, "iv", 2, NULL, 0);
1607 DEBUG_DUMP_HEX_LABEL("CLIENT KEY", clientkey, key_length);
1608 DEBUG_DUMP_HEX_LABEL("CLIENT IV", clientiv, iv_length);
1609 DEBUG_DUMP_HEX_LABEL("SERVER KEY", serverkey, key_length);
1610 DEBUG_DUMP_HEX_LABEL("SERVER IV", serveriv, iv_length);
1611 free(context->finished_key);
1612 free(context->remote_finished_key);
1615 context->finished_key = malloc(mac_length);
1616 context->remote_finished_key = malloc(mac_length);
1618 if (context->finished_key) {
1619 tls_hkdf_expand_label(mac_length,
1620 context->finished_key, mac_length,
1621 hs_secret, mac_length, "finished", 8,
1623 DEBUG_DUMP_HEX_LABEL("FINISHED", context->finished_key,
1627 if (context->remote_finished_key) {
1628 tls_hkdf_expand_label(mac_length,
1629 context->remote_finished_key,
1630 mac_length, secret, mac_length,
1631 "finished", 8, NULL, 0);
1632 DEBUG_DUMP_HEX_LABEL("FINISHED", context->finished_key,
1636 context->finished_key = NULL;
1637 context->remote_finished_key = NULL;
1638 free(context->server_finished_hash);
1639 context->server_finished_hash = NULL;
1642 if (context->is_server) {
1644 memcpy(context->crypto.ctx_remote_mac.remote_nonce,
1645 clientiv, iv_length);
1646 memcpy(context->crypto.ctx_local_mac.local_nonce,
1647 serveriv, iv_length);
1648 } else if (is_aead) {
1649 memcpy(context->crypto.ctx_remote_mac.remote_iv,
1650 clientiv, iv_length);
1651 memcpy(context->crypto.ctx_local_mac.local_iv,
1652 serveriv, iv_length);
1654 if (tls_crypto_create(context, key_length,
1655 serverkey, serveriv, clientkey,
1661 memcpy(context->crypto.ctx_local_mac.local_nonce,
1662 clientiv, iv_length);
1663 memcpy(context->crypto.ctx_remote_mac.remote_nonce,
1664 serveriv, iv_length);
1665 } else if (is_aead) {
1666 memcpy(context->crypto.ctx_local_mac.local_iv,
1667 clientiv, iv_length);
1668 memcpy(context->crypto.ctx_remote_mac.remote_iv,
1669 serveriv, iv_length);
1672 if (tls_crypto_create(context, key_length,
1673 clientkey, clientiv, serverkey,
1679 context->crypto.created = 1 + is_aead;
1681 free(context->master_key);
1682 context->master_key = malloc(mac_length);
1683 if (context->master_key) {
1684 memcpy(context->master_key, prk, mac_length);
1685 context->master_key_len = mac_length;
1687 context->local_sequence_number = 0;
1688 context->remote_sequence_number = 0;
1691 * extract client_mac_key(mac_key_length)
1692 * extract server_mac_key(mac_key_length)
1693 * extract client_key(enc_key_length)
1694 * extract server_key(enc_key_length)
1695 * extract client_iv(fixed_iv_lengh)
1696 * extract server_iv(fixed_iv_length)
1701 static int tls_expand_key(struct TLSContext *context) {
1702 unsigned char key[TLS_MAX_KEY_EXPANSION_SIZE];
1703 if (context->tlsver == TLS_VERSION13) {
1707 if (!context->master_key || !context->master_key_len) {
1711 int key_length = tls_key_length(context);
1712 int mac_length = tls_mac_length(context);
1714 if (!key_length || !mac_length) {
1716 ("KEY EXPANSION FAILED, KEY LENGTH: %i, MAC LENGTH: %i\n",
1717 key_length, mac_length);
1720 unsigned char *clientkey = NULL;
1721 unsigned char *serverkey = NULL;
1722 unsigned char *clientiv = NULL;
1723 unsigned char *serveriv = NULL;
1724 int iv_length = TLS_AES_IV_LENGTH;
1725 int is_aead = tls_is_aead(context);
1727 if (context->is_server) {
1728 tls_prf(context, key, sizeof(key),
1729 context->master_key, context->master_key_len,
1730 (unsigned char *) "key expansion", 13,
1731 context->local_random, TLS_SERVER_RANDOM_SIZE,
1732 context->remote_random,
1733 TLS_CLIENT_RANDOM_SIZE);
1735 tls_prf(context, key, sizeof(key),
1736 context->master_key,
1737 context->master_key_len,
1738 (unsigned char *) "key expansion", 13,
1739 context->remote_random,
1740 TLS_SERVER_RANDOM_SIZE,
1741 context->local_random,
1742 TLS_CLIENT_RANDOM_SIZE);
1745 DEBUG_DUMP_HEX_LABEL("LOCAL RANDOM ", context->local_random,
1746 TLS_SERVER_RANDOM_SIZE);
1747 DEBUG_DUMP_HEX_LABEL("REMOTE RANDOM", context->remote_random,
1748 TLS_CLIENT_RANDOM_SIZE);
1749 DEBUG_PRINT("\n=========== EXPANSION ===========\n");
1750 DEBUG_DUMP_HEX(key, TLS_MAX_KEY_EXPANSION_SIZE);
1755 iv_length = TLS_CHACHA20_IV_LENGTH;
1758 iv_length = TLS_AES_GCM_IV_LENGTH;
1760 if (context->is_server) {
1761 memcpy(context->crypto.ctx_remote_mac.remote_mac,
1762 &key[pos], mac_length);
1764 memcpy(context->crypto.ctx_local_mac.local_mac,
1765 &key[pos], mac_length);
1768 memcpy(context->crypto.ctx_local_mac.local_mac,
1769 &key[pos], mac_length);
1771 memcpy(context->crypto.ctx_remote_mac.remote_mac,
1772 &key[pos], mac_length);
1778 clientkey = &key[pos];
1780 serverkey = &key[pos];
1782 clientiv = &key[pos];
1784 serveriv = &key[pos];
1786 DEBUG_PRINT("EXPANSION %i/%i\n", (int) pos,
1787 (int) TLS_MAX_KEY_EXPANSION_SIZE);
1788 DEBUG_DUMP_HEX_LABEL("CLIENT KEY", clientkey, key_length);
1789 DEBUG_DUMP_HEX_LABEL("CLIENT IV", clientiv, iv_length);
1791 DEBUG_DUMP_HEX_LABEL("CLIENT MAC KEY",
1792 context->is_server ? context->crypto.
1793 ctx_remote_mac.remote_mac : context->
1794 crypto.ctx_local_mac.local_mac,
1797 DEBUG_DUMP_HEX_LABEL("SERVER KEY", serverkey, key_length);
1798 DEBUG_DUMP_HEX_LABEL("SERVER IV", serveriv, iv_length);
1800 DEBUG_DUMP_HEX_LABEL("SERVER MAC KEY",
1801 context->is_server ? context->crypto.
1802 ctx_local_mac.local_mac : context->crypto.
1803 ctx_remote_mac.remote_mac, mac_length);
1805 if (context->is_server) {
1807 memcpy(context->crypto.ctx_remote_mac.remote_nonce,
1808 clientiv, iv_length);
1809 memcpy(context->crypto.ctx_local_mac.local_nonce,
1810 serveriv, iv_length);
1813 memcpy(context->crypto.ctx_remote_mac.
1814 remote_aead_iv, clientiv, iv_length);
1815 memcpy(context->crypto.ctx_local_mac.local_aead_iv,
1816 serveriv, iv_length);
1820 if (tls_crypto_create(context, key_length,
1821 serverkey, serveriv, clientkey,
1827 memcpy(context->crypto.ctx_local_mac.local_nonce,
1828 clientiv, iv_length);
1829 memcpy(context->crypto.ctx_remote_mac.remote_nonce,
1830 serveriv, iv_length);
1833 memcpy(context->crypto.ctx_local_mac.local_aead_iv,
1834 clientiv, iv_length);
1835 memcpy(context->crypto.ctx_remote_mac.
1836 remote_aead_iv, serveriv, iv_length);
1840 if (tls_crypto_create(context, key_length,
1841 clientkey, clientiv, serverkey,
1848 * extract client_mac_key(mac_key_length)
1849 * extract server_mac_key(mac_key_length)
1850 * extract client_key(enc_key_length)
1851 * extract server_key(enc_key_length)
1852 * extract client_iv(fixed_iv_lengh)
1853 * extract server_iv(fixed_iv_length)
1858 int tls_compute_key(struct TLSContext *context, unsigned int key_len) {
1859 if (context->tlsver == TLS_VERSION13) {
1863 if (!context->premaster_key || !context->premaster_key_len
1865 DEBUG_PRINT("CANNOT COMPUTE MASTER SECRET\n");
1869 unsigned char master_secret_label[] = "master secret";
1870 #ifdef TLS_CHECK_PREMASTER_KEY
1871 if (!tls_cipher_is_ephemeral(context)) {
1872 uint16_t version = get16(context->premaster_key);
1873 /* this check is not true for DHE/ECDHE ciphers */
1874 if (context->version > version) {
1875 DEBUG_PRINT("Mismatch protocol version 0x(%x)\n",
1881 free(context->master_key);
1882 context->master_key_len = 0;
1883 context->master_key = NULL;
1885 context->master_key = malloc(key_len);
1886 if (!context->master_key) {
1890 context->master_key_len = key_len;
1891 if (context->is_server) {
1893 context->master_key,
1894 context->master_key_len,
1895 context->premaster_key,
1896 context->premaster_key_len,
1897 master_secret_label, 13,
1898 context->remote_random,
1899 TLS_CLIENT_RANDOM_SIZE,
1900 context->local_random,
1901 TLS_SERVER_RANDOM_SIZE);
1904 context->master_key,
1905 context->master_key_len,
1906 context->premaster_key,
1907 context->premaster_key_len,
1908 master_secret_label, 13,
1909 context->local_random,
1910 TLS_CLIENT_RANDOM_SIZE,
1911 context->remote_random,
1912 TLS_SERVER_RANDOM_SIZE);
1914 free(context->premaster_key);
1915 context->premaster_key = NULL;
1916 context->premaster_key_len = 0;
1917 DEBUG_PRINT("\n=========== Master key ===========\n");
1918 DEBUG_DUMP_HEX(context->master_key,
1919 context->master_key_len);
1921 tls_expand_key(context);
1925 int _is_oid(const unsigned char *oid, const unsigned char *compare_to,
1926 int compare_to_len) {
1928 while ((oid[i]) && (i < compare_to_len)) {
1929 if (oid[i] != compare_to[i])
1937 int _is_oid2(const unsigned char *oid, const unsigned char *compare_to,
1938 int compare_to_len, int oid_len) {
1940 if (oid_len < compare_to_len) {
1941 compare_to_len = oid_len;
1944 while (i < compare_to_len) {
1945 if (oid[i] != compare_to[i]) {
1954 struct TLSCertificate *tls_create_certificate() {
1955 struct TLSCertificate zero = { 0 };
1956 struct TLSCertificate *cert = malloc(sizeof *cert);
1960 cert->not_before[0] = 0;
1961 cert->not_after[0] = 0;
1966 int tls_certificate_valid_subject_name(const unsigned char *cert_subject,
1967 const char *subject) {
1968 /* no subjects ... */
1969 if ((!cert_subject || !cert_subject[0]) && (!subject || !subject[0])) {
1973 if (!subject || !subject[0]) {
1974 return bad_certificate;
1977 if (!cert_subject || !cert_subject[0]) {
1978 return bad_certificate;
1982 if (!strcmp((const char *) cert_subject, subject)) {
1986 const char *wildcard = strchr((const char *) cert_subject, '*');
1988 /* 6.4.3 (1) The client SHOULD NOT attempt to match a presented
1989 * identifier in which the wildcard character comprises a label
1990 * other than the left-most label
1995 * subject is [something*] .. invalid
1997 return bad_certificate;
2000 const char *match = strstr(subject, wildcard);
2001 if ((!match) && (wildcard[0] == '.')) {
2002 /* check *.domain.com against domain.com */
2004 if (!strcasecmp(subject, wildcard))
2008 unsigned long offset = (unsigned long) match -
2009 (unsigned long) subject;
2011 /* check for foo.*.domain.com against *.domain.com (invalid) */
2012 if (memchr(subject, '.', offset))
2013 return bad_certificate;
2015 /* check if exact match */
2016 if (!strcasecmp(match, wildcard)) {
2022 return bad_certificate;
2025 int tls_certificate_valid_subject(struct TLSCertificate *cert,
2026 const char *subject) {
2029 return certificate_unknown;
2032 int err = tls_certificate_valid_subject_name(cert->subject, subject);
2033 if (err && cert->san) {
2034 for (i = 0; i < cert->san_length; i++) {
2035 err = tls_certificate_valid_subject_name(cert->san[i],
2045 int tls_certificate_is_valid(struct TLSCertificate *cert) {
2047 return certificate_unknown;
2050 char ts[16]; /* YYYYMMDDHHMMSSZ */
2051 time_t t = time(NULL);
2052 struct tm *utc = gmtime(&t);
2055 strftime(ts, sizeof ts, "%Y%m%d%H%M%SZ", utc);
2057 if (strcmp(cert->not_before, ts) > 0) {
2059 ("Certificate is not yet valid, now: %s (validity: %s - %s)\n",
2060 ts, cert->not_before, cert->not_after);
2061 return certificate_expired;
2064 if (strcmp(cert->not_after, ts) < 0) {
2066 ("Expired certificate, now: %s (validity: %s - %s)\n",
2067 ts, cert->not_before, cert->not_after);
2068 return certificate_expired;
2070 DEBUG_PRINT("Valid certificate, now: %s (validity: %s - %s)\n",
2071 ts, cert->not_before,
2077 void tls_certificate_set_copy(unsigned char **member,
2078 const unsigned char *val, int len) {
2086 *member = malloc(len + 1);
2088 memcpy(*member, val, len);
2096 void tls_certificate_set_copy_date(unsigned char *member,
2097 const unsigned char *val, int len) {
2100 if (val[0] >= '5') {
2107 memcpy(member + 2, val, len);
2114 void tls_certificate_set_key(struct TLSCertificate *cert,
2115 const unsigned char *val, int len) {
2116 if (!val[0] && len % 2) {
2120 tls_certificate_set_copy(&cert->pk, val, len);
2126 void tls_certificate_set_priv(struct TLSCertificate *cert,
2127 const unsigned char *val, int len) {
2128 tls_certificate_set_copy(&cert->priv, val, len);
2130 cert->priv_len = len;
2134 void tls_certificate_set_sign_key(struct TLSCertificate *cert,
2135 const unsigned char *val, int len) {
2136 if (!val[0] && len % 2) {
2140 tls_certificate_set_copy(&cert->sign_key, val, len);
2141 if (cert->sign_key) {
2142 cert->sign_len = len;
2146 void tls_certificate_set_exponent(struct TLSCertificate *cert,
2147 const unsigned char *val, int len) {
2148 tls_certificate_set_copy(&cert->exponent, val, len);
2149 if (cert->exponent) {
2150 cert->exponent_len = len;
2154 void tls_certificate_set_serial(struct TLSCertificate *cert,
2155 const unsigned char *val, int len) {
2156 tls_certificate_set_copy(&cert->serial_number, val, len);
2157 if (cert->serial_number) {
2158 cert->serial_len = len;
2162 void tls_certificate_set_algorithm(unsigned int *algorithm,
2163 const unsigned char *val, int len) {
2164 if (len == 7 && _is_oid(val, TLS_EC_PUBLIC_KEY_OID, 7)) {
2165 *algorithm = TLS_EC_PUBLIC_KEY;
2170 if (_is_oid(val, TLS_EC_prime192v1_OID, len)) {
2171 *algorithm = TLS_EC_prime192v1;
2174 if (_is_oid(val, TLS_EC_prime192v2_OID, len)) {
2175 *algorithm = TLS_EC_prime192v2;
2178 if (_is_oid(val, TLS_EC_prime192v3_OID, len)) {
2179 *algorithm = TLS_EC_prime192v3;
2182 if (_is_oid(val, TLS_EC_prime239v1_OID, len)) {
2183 *algorithm = TLS_EC_prime239v1;
2186 if (_is_oid(val, TLS_EC_prime239v2_OID, len)) {
2187 *algorithm = TLS_EC_prime239v2;
2190 if (_is_oid(val, TLS_EC_prime239v3_OID, len)) {
2191 *algorithm = TLS_EC_prime239v3;
2194 if (_is_oid(val, TLS_EC_prime256v1_OID, len)) {
2195 *algorithm = TLS_EC_prime256v1;
2201 (val, TLS_EC_secp224r1_OID, len,
2202 sizeof(TLS_EC_secp224r1_OID) - 1)) {
2203 *algorithm = TLS_EC_secp224r1;
2207 (val, TLS_EC_secp384r1_OID, len,
2208 sizeof(TLS_EC_secp384r1_OID) - 1)) {
2209 *algorithm = TLS_EC_secp384r1;
2213 (val, TLS_EC_secp521r1_OID, len,
2214 sizeof(TLS_EC_secp521r1_OID) - 1)) {
2215 *algorithm = TLS_EC_secp521r1;
2223 if (_is_oid(val, TLS_RSA_SIGN_SHA256_OID, 9)) {
2224 *algorithm = TLS_RSA_SIGN_SHA256;
2228 if (_is_oid(val, TLS_RSA_SIGN_RSA_OID, 9)) {
2229 *algorithm = TLS_RSA_SIGN_RSA;
2233 if (_is_oid(val, TLS_RSA_SIGN_SHA1_OID, 9)) {
2234 *algorithm = TLS_RSA_SIGN_SHA1;
2238 if (_is_oid(val, TLS_RSA_SIGN_SHA512_OID, 9)) {
2239 *algorithm = TLS_RSA_SIGN_SHA512;
2243 if (_is_oid(val, TLS_RSA_SIGN_SHA384_OID, 9)) {
2244 *algorithm = TLS_RSA_SIGN_SHA384;
2248 if (_is_oid(val, TLS_RSA_SIGN_MD5_OID, 9)) {
2249 *algorithm = TLS_RSA_SIGN_MD5;
2254 void tls_destroy_certificate(struct TLSCertificate *cert) {
2257 free(cert->exponent);
2259 free(cert->issuer_country);
2260 free(cert->issuer_state);
2261 free(cert->issuer_location);
2262 free(cert->issuer_entity);
2263 free(cert->issuer_subject);
2264 free(cert->country);
2266 free(cert->location);
2267 free(cert->subject);
2268 for (i = 0; i < cert->san_length; i++) {
2273 free(cert->serial_number);
2275 cert->not_before[0] = 0;
2276 cert->not_after[0] = 0;
2277 free(cert->sign_key);
2279 free(cert->der_bytes);
2281 free(cert->fingerprint);
2286 struct TLSPacket *tls_create_packet(struct TLSContext *context,
2288 unsigned short version,
2289 int payload_size_hint) {
2290 struct TLSPacket *packet = malloc(sizeof *packet);
2295 if (payload_size_hint > 0) {
2296 packet->size = payload_size_hint + 10;
2298 packet->size = TLS_BLOB_INCREMENT;
2300 packet->buf = malloc(packet->size);
2301 memset(packet->buf, 0, packet->size);
2302 packet->context = context;
2308 packet->payload_pos = 6;
2309 packet->len = packet->payload_pos - 1;
2313 packet->buf[0] = type;
2315 /* big endian protocol version */
2316 packet->buf[1] = version >> 8;
2317 packet->buf[2] = version & 0xff;
2318 if (version == TLS_V13) {
2319 packet->buf[2] = 0x04;
2325 void tls_destroy_packet(struct TLSPacket *packet) {
2334 int tls_crypto_create(struct TLSContext *context, int key_length,
2335 unsigned char *localkey,
2336 unsigned char *localiv,
2337 unsigned char *remotekey,
2338 unsigned char *remoteiv) {
2339 if (context->crypto.created) {
2340 if (context->crypto.created == 1) {
2341 cbc_done(&context->crypto.ctx_remote.aes_remote);
2342 cbc_done(&context->crypto.ctx_local.aes_local);
2344 if (context->crypto.created == 2) {
2345 unsigned char dummy_buffer[32];
2346 unsigned long tag_len = 0;
2347 gcm_done(&context->crypto.ctx_remote.
2348 aes_gcm_remote, dummy_buffer,
2350 gcm_done(&context->crypto.ctx_local.
2351 aes_gcm_local, dummy_buffer,
2355 context->crypto.created = 0;
2357 int is_aead = tls_is_aead(context);
2358 int cipherID = find_cipher("aes");
2359 DEBUG_PRINT("Using cipher ID: %x\n", (int) context->cipher);
2361 unsigned int counter = 1;
2363 chacha_keysetup(&context->crypto.ctx_local.chacha_local,
2364 localkey, key_length * 8);
2365 chacha_ivsetup_96bitnonce(&context->crypto.ctx_local.
2366 chacha_local, localiv,
2367 (unsigned char *) &counter);
2369 chacha_keysetup(&context->crypto.ctx_remote.chacha_remote,
2370 remotekey, key_length * 8);
2371 chacha_ivsetup_96bitnonce(&context->crypto.ctx_remote.
2372 chacha_remote, remoteiv,
2373 (unsigned char *) &counter);
2375 context->crypto.created = 3;
2379 gcm_init(&context->crypto.ctx_local.aes_gcm_local,
2380 cipherID, localkey, key_length);
2382 gcm_init(&context->crypto.ctx_remote.aes_gcm_remote,
2383 cipherID, remotekey, key_length);
2386 return TLS_GENERIC_ERROR;
2388 context->crypto.created = 2;
2391 cbc_start(cipherID, localiv, localkey, key_length, 0,
2392 &context->crypto.ctx_local.aes_local);
2394 cbc_start(cipherID, remoteiv, remotekey, key_length, 0,
2395 &context->crypto.ctx_remote.aes_remote);
2398 return TLS_GENERIC_ERROR;
2400 context->crypto.created = 1;
2406 static void tls_crypto_done(struct TLSContext *context) {
2407 unsigned char dummy_buffer[32];
2408 unsigned long tag_len = 0;
2410 switch (context->crypto.created) {
2412 cbc_done(&context->crypto.ctx_remote.aes_remote);
2413 cbc_done(&context->crypto.ctx_local.aes_local);
2416 gcm_done(&context->crypto.ctx_remote.aes_gcm_remote,
2417 dummy_buffer, &tag_len);
2418 gcm_done(&context->crypto.ctx_local.aes_gcm_local,
2419 dummy_buffer, &tag_len);
2422 context->crypto.created = 0;
2425 int tls_packet_append(struct TLSPacket *packet, const unsigned char *buf,
2429 if (!packet || packet->broken) {
2437 unsigned int new_len = packet->len + len;
2439 if (new_len > packet->size) {
2440 packet->size = (new_len / TLS_BLOB_INCREMENT + 1) *
2442 new = TLS_REALLOC(packet->buf, packet->size);
2453 memcpy(packet->buf + packet->len, buf, len);
2454 packet->len = new_len;
2458 int tls_packet_uint8(struct TLSPacket *packet, unsigned char i) {
2459 return tls_packet_append(packet, &i, 1);
2462 int tls_packet_uint16(struct TLSPacket *packet, unsigned short i) {
2463 unsigned short ni = htons(i);
2464 return tls_packet_append(packet, (unsigned char *) &ni, 2);
2467 int tls_packet_uint32(struct TLSPacket *packet, unsigned int i) {
2468 unsigned int ni = htonl(i);
2469 return tls_packet_append(packet, (unsigned char *) &ni, 4);
2472 int tls_packet_uint24(struct TLSPacket *packet, unsigned int i) {
2473 unsigned char buf[3];
2474 buf[0] = (i >> 16) & 0xff;
2475 buf[1] = (i >> 8) & 0xff;
2476 buf[2] = (i >> 0) & 0xff;
2478 return tls_packet_append(packet, buf, 3);
2481 int tls_random(unsigned char *key, int len) {
2483 for (int i = 0; i < len; i++) {
2484 unsigned int v = arc4random() % 0x100;
2489 /* TODO use open and read */
2490 FILE *fp = fopen("/dev/urandom", "r");
2492 int key_len = fread(key, 1, len, fp);
2501 int tls_established(struct TLSContext *context) {
2502 return context && context->connection_status == TLS_CONNECTED;
2505 void tls_read_clear(struct TLSContext *context) {
2507 tls_buffer_free(&context->application_buffer);
2511 struct TLSContext *tls_create_context(int is_server, unsigned short version) {
2512 struct TLSContext zero = {0};
2514 struct TLSContext *context = 0;
2516 if (version == TLS_V13 && !is_server) {
2517 /* TLS 1.3 clients not supported */
2525 context = malloc(sizeof *context);
2531 ver = version - 0x0201;
2535 context->is_server = is_server;
2536 context->version = version;
2537 context->tlsver = ver;
2538 context->hs_index = -1;
2539 /* set up output buffer */
2540 tls_buffer_init(&context->output_buffer, 0);
2541 tls_buffer_init(&context->input_buffer, 0);
2542 tls_buffer_init(&context->cached_handshake, 0);
2543 tls_buffer_init(&context->application_buffer, 0);
2548 struct TLSContext *tls_accept(struct TLSContext *context) {
2549 if (!context || !context->is_server) {
2553 struct TLSContext *child = malloc(sizeof *child);
2555 memset(child, 0, sizeof(struct TLSContext));
2556 child->is_server = 1;
2557 child->is_child = 1;
2558 child->version = context->version;
2559 child->certificates = context->certificates;
2560 child->certificates_count = context->certificates_count;
2561 child->private_key = context->private_key;
2562 child->ec_private_key = context->ec_private_key;
2563 child->root_certificates = context->root_certificates;
2564 child->root_count = context->root_count;
2565 child->default_dhe_p = context->default_dhe_p;
2566 child->default_dhe_g = context->default_dhe_g;
2567 child->curve = context->curve;
2568 child->alpn = context->alpn;
2569 child->alpn_count = context->alpn_count;
2574 int tls_add_alpn(struct TLSContext *context, const char *alpn) {
2577 if (!context || !alpn || !alpn[0]
2578 || (context->is_server && context->is_child)) {
2579 return TLS_GENERIC_ERROR;
2582 int len = strlen(alpn);
2583 if (tls_alpn_contains(context, alpn, len)) {
2587 new = TLS_REALLOC(context->alpn, (context->alpn_count + 1) *
2590 context->alpn = new;
2592 free(context->alpn);
2594 context->alpn_count = 0;
2595 return TLS_NO_MEMORY;
2597 char *alpn_ref = malloc(len + 1);
2598 context->alpn[context->alpn_count] = alpn_ref;
2600 memcpy(alpn_ref, alpn, len);
2602 context->alpn_count++;
2604 return TLS_NO_MEMORY;
2609 int tls_alpn_contains(struct TLSContext *context, const char *alpn,
2610 unsigned char alpn_size) {
2613 if (!context || !alpn || !alpn_size || !context->alpn) {
2617 for (i = 0; i < context->alpn_count; i++) {
2618 const char *alpn_local = context->alpn[i];
2620 int len = strlen(alpn_local);
2621 if (alpn_size == len) {
2622 if (!memcmp(alpn_local, alpn, alpn_size)) {
2632 void tls_destroy_context(struct TLSContext *context) {
2639 if (!context->is_child) {
2640 if (context->certificates) {
2641 for (i = 0; i < context->certificates_count; i++) {
2642 tls_destroy_certificate(context->
2646 if (context->root_certificates) {
2647 for (i = 0; i < context->root_count; i++) {
2648 tls_destroy_certificate(context->
2649 root_certificates[i]);
2651 free(context->root_certificates);
2652 context->root_certificates = NULL;
2654 if (context->private_key) {
2655 tls_destroy_certificate(context->private_key);
2657 if (context->ec_private_key) {
2658 tls_destroy_certificate(context->ec_private_key);
2660 free(context->certificates);
2661 free(context->default_dhe_p);
2662 free(context->default_dhe_g);
2663 if (context->alpn) {
2664 for (i = 0; i < context->alpn_count; i++) {
2665 free(context->alpn[i]);
2667 free(context->alpn);
2671 if (context->client_certificates) {
2672 for (i = 0; i < context->client_certificates_count; i++) {
2673 tls_destroy_certificate(context->
2674 client_certificates[i]);
2676 free(context->client_certificates);
2679 context->client_certificates = NULL;
2680 free(context->master_key);
2681 free(context->premaster_key);
2683 if (context->crypto.created) {
2684 tls_crypto_done(context);
2687 tls_done_hash(context, NULL);
2688 tls_destroy_hash(context);
2690 tls_buffer_free(&context->output_buffer);
2691 tls_buffer_free(&context->input_buffer);
2692 tls_buffer_free(&context->application_buffer);
2693 tls_buffer_free(&context->cached_handshake);
2694 //free(context->cached_handshake);
2697 tls_dhe_free(context);
2698 tls_ecc_dhe_free(context);
2699 free(context->negotiated_alpn);
2700 free(context->finished_key);
2701 free(context->remote_finished_key);
2702 free(context->server_finished_hash);
2706 int tls_cipher_is_ephemeral(struct TLSContext *context) {
2711 switch (context->cipher) {
2712 case TLS_DHE_RSA_WITH_AES_128_CBC_SHA:
2713 case TLS_DHE_RSA_WITH_AES_256_CBC_SHA:
2714 case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256:
2715 case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256:
2716 case TLS_DHE_RSA_WITH_AES_128_GCM_SHA256:
2717 case TLS_DHE_RSA_WITH_AES_256_GCM_SHA384:
2718 case TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256:
2720 case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:
2721 case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:
2722 case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256:
2723 case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:
2724 case TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:
2725 case TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:
2726 case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA:
2727 case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA:
2728 case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256:
2729 case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384:
2730 case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:
2731 case TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:
2732 case TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256:
2734 case TLS_AES_128_GCM_SHA256:
2735 case TLS_CHACHA20_POLY1305_SHA256:
2736 case TLS_AES_128_CCM_SHA256:
2737 case TLS_AES_128_CCM_8_SHA256:
2738 case TLS_AES_256_GCM_SHA384:
2747 int tls_is_ecdsa(struct TLSContext *context) {
2752 switch (context->cipher) {
2753 case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA:
2754 case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA:
2755 case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256:
2756 case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384:
2757 case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:
2758 case TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:
2759 case TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256:
2763 if (context->ec_private_key) {
2770 static void tls_send_server_key_exchange(struct TLSContext *context,
2772 if (!context->is_server) {
2774 ("CANNOT BUILD SERVER KEY EXCHANGE MESSAGE FOR CLIENTS\n");
2778 struct TLSPacket *packet =
2779 tls_create_packet(context, TLS_HANDSHAKE, context->version, 0);
2780 tls_packet_uint8(packet, 0x0C);
2781 unsigned char dummy[3];
2782 tls_packet_append(packet, dummy, 3);
2783 int start_len = packet->len;
2785 if (method == KEA_dhe_rsa) {
2786 tls_dhe_create(context);
2788 const char *default_dhe_p = context->default_dhe_p;
2789 const char *default_dhe_g = context->default_dhe_g;
2791 if (!default_dhe_p || !default_dhe_g) {
2792 default_dhe_p = TLS_DH_DEFAULT_P;
2793 default_dhe_g = TLS_DH_DEFAULT_G;
2794 key_size = TLS_DHE_KEY_SIZE / 8;
2796 key_size = strlen(default_dhe_p);
2798 if (tls_dh_make_key(key_size, context->dhe, default_dhe_p,
2799 default_dhe_g, 0, 0)) {
2800 DEBUG_PRINT("ERROR CREATING DHE KEY\n");
2803 context->dhe = NULL;
2804 /* TODO set error */
2808 unsigned char dh_Ys[0xFFF];
2809 unsigned char dh_p[0xFFF];
2810 unsigned char dh_g[0xFFF];
2811 unsigned long dh_p_len = sizeof(dh_p);
2812 unsigned long dh_g_len = sizeof(dh_g);
2813 unsigned long dh_Ys_len = sizeof(dh_Ys);
2815 if (tls_dh_export_pqY
2816 (dh_p, &dh_p_len, dh_g, &dh_g_len, dh_Ys, &dh_Ys_len,
2818 DEBUG_PRINT("ERROR EXPORTING DHE KEY\n");
2820 /* TODO set error */
2824 DEBUG_PRINT("LEN: %lu (%lu, %lu)\n", dh_Ys_len, dh_p_len,
2826 DEBUG_DUMP_HEX_LABEL("DHE PK", dh_Ys, dh_Ys_len);
2827 DEBUG_DUMP_HEX_LABEL("DHE P", dh_p, dh_p_len);
2828 DEBUG_DUMP_HEX_LABEL("DHE G", dh_g, dh_g_len);
2830 tls_packet_uint16(packet, dh_p_len);
2831 tls_packet_append(packet, dh_p, dh_p_len);
2833 tls_packet_uint16(packet, dh_g_len);
2834 tls_packet_append(packet, dh_g, dh_g_len);
2836 tls_packet_uint16(packet, dh_Ys_len);
2837 tls_packet_append(packet, dh_Ys, dh_Ys_len);
2841 } else if (method == KEA_ec_diffie_hellman) {
2842 /* 3 = named curve */
2843 if (!context->curve) {
2844 context->curve = tls_ecc_default_curve;
2846 tls_packet_uint8(packet, 3);
2847 tls_packet_uint16(packet, context->curve->iana);
2848 tls_ecc_dhe_create(context);
2850 ltc_ecc_set_type *dp =
2851 (ltc_ecc_set_type *) & context->curve->dp;
2853 if (ecc_make_key_ex(NULL, find_prng("sprng"), context->ecc_dhe,
2855 free(context->ecc_dhe);
2856 context->ecc_dhe = NULL;
2857 DEBUG_PRINT("Error generating ECC key\n");
2859 /* TODO set error */
2862 unsigned char out[TLS_MAX_RSA_KEY];
2863 unsigned long out_len = TLS_MAX_RSA_KEY;
2864 if (ecc_ansi_x963_export(context->ecc_dhe, out, &out_len)) {
2865 DEBUG_PRINT("Error exporting ECC key\n");
2870 tls_packet_uint8(packet, out_len);
2871 tls_packet_append(packet, out, out_len);
2875 DEBUG_PRINT("Unsupported ephemeral method: %i\n", method);
2880 unsigned int params_len = packet->len - start_len;
2881 unsigned int message_len =
2882 params_len + TLS_CLIENT_RANDOM_SIZE + TLS_SERVER_RANDOM_SIZE;
2883 unsigned char *message = malloc(message_len);
2885 unsigned char out[TLS_MAX_RSA_KEY];
2886 unsigned long out_len = TLS_MAX_RSA_KEY;
2890 hash_algorithm = sha256;
2892 if (tls_is_ecdsa(context)) {
2893 hash_algorithm = sha512;
2894 tls_packet_uint8(packet, hash_algorithm);
2895 tls_packet_uint8(packet, ecdsa);
2897 tls_packet_uint8(packet, hash_algorithm);
2898 tls_packet_uint8(packet, rsa_sign);
2901 memcpy(message, context->remote_random,
2902 TLS_CLIENT_RANDOM_SIZE);
2903 memcpy(message + TLS_CLIENT_RANDOM_SIZE, context->local_random,
2904 TLS_SERVER_RANDOM_SIZE);
2905 memcpy(message + TLS_CLIENT_RANDOM_SIZE +
2906 TLS_SERVER_RANDOM_SIZE, packet->buf +
2907 start_len, params_len);
2908 if (tls_is_ecdsa(context)) {
2909 if (sign_ecdsa(context, hash_algorithm, message,
2910 message_len, out, &out_len) ==
2913 ("Signing OK! (ECDSA, length %lu)\n",
2915 tls_packet_uint16(packet, out_len);
2916 tls_packet_append(packet, out, out_len);
2919 if (sign_rsa(context, hash_algorithm, message, message_len,
2920 out, &out_len) == 1) {
2921 DEBUG_PRINT("Signing OK! (length %lu)\n", out_len);
2922 tls_packet_uint16(packet, out_len);
2923 tls_packet_append(packet, out, out_len);
2927 if (!packet->broken && packet->buf) {
2928 tls_set_packet_length(packet, packet->len - start_len);
2930 tls_packet_update(packet);
2931 tls_queue_packet(packet);
2936 void _private_tls_set_session_id(struct TLSContext *context) {
2937 if (context->tlsver == TLS_VERSION13
2938 && context->session_size == TLS_MAX_SESSION_ID) {
2942 if (tls_random(context->session, TLS_MAX_SESSION_ID)) {
2943 context->session_size = TLS_MAX_SESSION_ID;
2945 context->session_size = 0;
2950 struct TLSPacket *tls_certificate_request(struct TLSContext *context) {
2951 if (!context || !context->is_server) {
2955 unsigned short packet_version = context->version;
2956 struct TLSPacket *packet =
2957 tls_create_packet(context, TLS_HANDSHAKE, packet_version, 0);
2963 /* cert request and size placeholder */
2964 unsigned char dummy[] = { 0x0d, 0, 0, 0 };
2965 tls_packet_append(packet, dummy, sizeof dummy);
2967 int start_len = packet->len;
2969 if (context->tlsver == TLS_VERSION13) {
2970 /* certificate request context */
2971 tls_packet_uint8(packet, 0);
2973 tls_packet_uint16(packet, 18);
2974 /* signature algorithms */
2975 tls_packet_uint16(packet, 0x0D);
2976 tls_packet_uint16(packet, 14);
2977 tls_packet_uint16(packet, 12);
2980 tls_packet_uint16(packet, 0x0401);
2982 tls_packet_uint16(packet, 0x0501);
2984 tls_packet_uint16(packet, 0x0601);
2987 /* ecdsa_secp256r1_sha256 */
2988 tls_packet_uint16(packet, 0x0403);
2989 /* ecdsa_secp384r1_sha384 */
2990 tls_packet_uint16(packet, 0x0503);
2991 /* ecdsa_secp521r1_sha512 */
2992 tls_packet_uint16(packet, 0x0604);
2993 /* rsa_pss_rsae_sha256 */
2994 tls_packet_uint16(packet, 0x0804);
2995 /* rsa_pss_rsae_sha384 */
2996 tls_packet_uint16(packet, 0x0805);
2997 /* rsa_pss_rsae_sha512 */
2998 tls_packet_uint16(packet, 0x0806);
3000 tls_packet_uint8(packet, 1);
3001 tls_packet_uint8(packet, rsa_sign);
3002 if (context->version == TLS_V12) {
3003 /* 10 pairs or 2 bytes */
3004 tls_packet_uint16(packet, 10);
3005 tls_packet_uint8(packet, sha256);
3006 tls_packet_uint8(packet, rsa);
3007 tls_packet_uint8(packet, sha1);
3008 tls_packet_uint8(packet, rsa);
3009 tls_packet_uint8(packet, sha384);
3010 tls_packet_uint8(packet, rsa);
3011 tls_packet_uint8(packet, sha512);
3012 tls_packet_uint8(packet, rsa);
3013 tls_packet_uint8(packet, md5);
3014 tls_packet_uint8(packet, rsa);
3016 /* no DistinguishedName yet */
3017 tls_packet_uint16(packet, 0);
3019 if (!packet->broken) {
3020 tls_set_packet_length(packet, packet->len - start_len);
3022 tls_packet_update(packet);
3026 int tls_parse_key_share(struct TLSContext *context, const unsigned char *buf,
3029 struct ECCCurveParameters *curve = 0;
3030 struct DHKey *dhkey = 0;
3031 int dhe_key_size = 0;
3032 const unsigned char *buffer = NULL;
3033 unsigned char *out2;
3034 unsigned long out_size;
3037 while (buf_len >= 4) {
3038 uint16_t named_group = get16(&buf[i]);
3042 key_size = get16(&buf[i]);
3046 if (key_size > buf_len) {
3047 return TLS_BROKEN_PACKET;
3050 switch (named_group) {
3054 DEBUG_PRINT("KEY SHARE => secp256r1\n");
3061 DEBUG_PRINT("KEY SHARE => secp384r1\n");
3069 if (key_size != 32) {
3071 ("INVALID x25519 KEY SIZE (%i)\n",
3075 curve = &curve25519;
3077 DEBUG_PRINT("KEY SHARE => x25519\n");
3087 dhe_key_size = 2048;
3091 dhe_key_size = 3072;
3095 dhe_key_size = 4096;
3099 dhe_key_size = 6144;
3103 dhe_key_size = 8192;
3107 buf_len -= key_size;
3111 context->curve = curve;
3113 if (curve == &curve25519) {
3114 if (!tls_random(context->local_random,
3115 TLS_SERVER_RANDOM_SIZE)) {
3116 return TLS_GENERIC_ERROR;
3119 unsigned char secret[32];
3120 static const unsigned char basepoint[32] = { 9 };
3122 tls_random(secret, 32);
3128 /* use finished key to store public key */
3129 free(context->finished_key);
3130 context->finished_key = malloc(32);
3131 if (!context->finished_key) {
3132 return TLS_GENERIC_ERROR;
3135 x25519(context->finished_key, secret, basepoint);
3137 free(context->premaster_key);
3138 context->premaster_key = malloc(32);
3140 if (!context->premaster_key) {
3141 return TLS_GENERIC_ERROR;
3144 x25519(context->premaster_key, secret, buffer);
3145 context->premaster_key_len = 32;
3150 tls_ecc_dhe_create(context);
3151 ltc_ecc_set_type *dp = (ltc_ecc_set_type *)&context->curve->dp;
3153 if (ecc_make_key_ex(NULL, find_prng("sprng"), context->ecc_dhe,
3155 free(context->ecc_dhe);
3156 context->ecc_dhe = NULL;
3157 DEBUG_PRINT("Error generating ECC DHE key\n");
3158 return TLS_GENERIC_ERROR;
3161 if (!tls_random(context->local_random, TLS_SERVER_RANDOM_SIZE)) {
3162 return TLS_GENERIC_ERROR;
3166 memset(&client_key, 0, sizeof client_key);
3167 if (ecc_ansi_x963_import_ex
3168 (buffer, key_size, &client_key, dp)) {
3169 DEBUG_PRINT("Error importing ECC DHE key\n");
3170 return TLS_GENERIC_ERROR;
3172 out2 = malloc(key_size);
3173 out_size = key_size;
3175 int err = ecc_shared_secret(context->ecc_dhe, &client_key,
3177 ecc_free(&client_key);
3180 DEBUG_PRINT("ECC DHE DECRYPT ERROR %i\n", err);
3182 return TLS_GENERIC_ERROR;
3185 DEBUG_PRINT("OUT_SIZE: %lu\n", out_size);
3186 DEBUG_DUMP_HEX_LABEL("ECC DHE", out2, out_size);
3188 free(context->premaster_key);
3189 context->premaster_key = out2;
3190 context->premaster_key_len = out_size;
3193 tls_dhe_create(context);
3194 if (!tls_random(context->local_random, TLS_SERVER_RANDOM_SIZE))
3196 return TLS_GENERIC_ERROR;
3199 if (tls_dh_make_key(dhe_key_size / 8, context->dhe,
3200 (const char *)dhkey->p, (const char *)dhkey->g, 0, 0)) {
3202 context->dhe = NULL;
3203 DEBUG_PRINT("Error generating DHE key\n");
3204 return TLS_GENERIC_ERROR;
3207 unsigned int dhe_out_size;
3208 out2 = tls_decrypt_dhe(context, buffer, key_size,
3211 DEBUG_PRINT("Error generating DHE shared key\n");
3212 return TLS_GENERIC_ERROR;
3215 free(context->premaster_key);
3216 context->premaster_key = out2;
3217 context->premaster_key_len = dhe_out_size;
3219 context->dhe->iana = dhkey->iana;
3223 DEBUG_PRINT("NO COMMON KEY SHARE SUPPORTED\n");
3224 return TLS_NO_COMMON_CIPHER;
3227 int tls_parse_certificate(struct TLSContext *context,
3228 const unsigned char *buf, int buf_len,
3232 return TLS_NEED_MORE_DATA;
3235 int size = get24(buf);
3237 /* not enough data, so just consume all of it */
3242 res += 3; /* skip over the size field */
3244 if (context->tlsver == TLS_VERSION13) {
3245 int context_size = buf[res];
3249 res += context_size;
3253 if (buf_len - res < size) {
3254 return TLS_NEED_MORE_DATA;
3258 int valid_certificate = 0;
3261 if (buf_len - res < 3) {
3262 return TLS_NEED_MORE_DATA;
3264 int certificate_size = get24(buf+res);
3266 if (buf_len - res < certificate_size) {
3267 return TLS_NEED_MORE_DATA;
3270 int certificates_in_chain = 0;
3272 unsigned int remaining = certificate_size;
3274 if (remaining <= 3) {
3277 certificates_in_chain++;
3278 unsigned int certificate_size2 = get24(buf+res2);
3281 if (certificate_size2 > remaining) {
3283 ("Invalid certificate size (%i from %i bytes remaining)\n",
3284 certificate_size2, remaining);
3287 remaining -= certificate_size2;
3289 struct TLSCertificate *cert = asn1_parse(context,
3295 if (certificate_size2) {
3297 malloc(certificate_size2);
3306 /* valid certificate */
3309 valid_certificate = 1;
3312 TLS_REALLOC(context->
3313 client_certificates,
3315 client_certificates_count
3324 client_certificates);
3326 client_certificates =
3328 return TLS_NO_MEMORY;
3331 context->client_certificates = new;
3334 [context->client_certificates_count]
3337 client_certificates_count++;
3341 TLS_REALLOC(context->
3353 context->certificates = 0;
3354 return TLS_NO_MEMORY;
3356 context->certificates = new;
3357 context->certificates[context->
3360 context->certificates_count++;
3361 if ((cert->pk) || (cert->priv))
3362 valid_certificate = 1;
3363 else if (!context->is_server)
3364 valid_certificate = 1;
3367 res2 += certificate_size2;
3369 if (context->tlsver == TLS_VERSION13) {
3370 if (remaining >= 2) {
3371 /* ignore extensions */
3373 uint16_t size = get16(&buf[res2]);
3374 if (size && size >= remaining) {
3380 } while (remaining > 0);
3382 DEBUG_PRINT("Extra %i bytes after certificate\n",
3385 size -= certificate_size + 3;
3386 res += certificate_size;
3388 if (!valid_certificate) {
3390 return TLS_UNSUPPORTED_CERTIFICATE;
3392 if (res != buf_len) {
3393 DEBUG_PRINT("Warning: %i bytes read from %i byte buffer\n",
3394 (int) res, (int) buf_len);
3399 static int parse_dh( const unsigned char *buf, int buf_len, const unsigned char
3400 **out, int *out_size) {
3405 return TLS_NEED_MORE_DATA;
3407 uint16_t size = get16(buf);
3409 if (buf_len - res < size) {
3410 return TLS_NEED_MORE_DATA;
3412 DEBUG_DUMP_HEX(&buf[res], size);
3419 static int tls_parse_random(struct TLSContext *context,
3420 const unsigned char *buf, int buf_len) {
3422 int ephemeral = tls_cipher_is_ephemeral(context);
3424 if (ephemeral == 2) {
3426 return TLS_NEED_MORE_DATA;
3432 return TLS_NEED_MORE_DATA;
3438 if (buf_len - res < size) {
3439 return TLS_NEED_MORE_DATA;
3441 unsigned int out_len = 0;
3442 unsigned char *random = NULL;
3443 switch (ephemeral) {
3445 random = tls_decrypt_dhe(context, &buf[res], size, &out_len,
3449 random = tls_decrypt_ecc_dhe(context, &buf[res], size,
3453 random = decrypt_rsa(context, &buf[res], size,
3457 if (random && out_len > 2) {
3458 /* *(unsigned short *)&random[0] = htons(context->version); */
3459 DEBUG_DUMP_HEX_LABEL("PRE MASTER KEY", random, out_len);
3460 free(context->premaster_key);
3461 context->premaster_key = random;
3462 context->premaster_key_len = out_len;
3463 tls_compute_key(context, 48);
3472 static const unsigned char *parse_signature(const unsigned char *buf, int
3473 buf_len, int *hash_algorithm, int *sign_algorithm, int
3474 *sig_size, int *offset) {
3479 *hash_algorithm = _md5_sha1;
3480 *sign_algorithm = rsa_sign;
3482 *hash_algorithm = buf[res];
3484 *sign_algorithm = buf[res];
3486 uint16_t size = get16(&buf[res]);
3488 if (buf_len - res < size) {
3491 DEBUG_DUMP_HEX(&buf[res], size);
3493 *offset = res + size;
3497 int tls_parse_server_key_exchange(struct TLSContext *context,
3498 const unsigned char *buf, int buf_len) {
3502 return TLS_NEED_MORE_DATA;
3504 int size = get24(buf);
3506 const unsigned char *packet_ref = buf + res;
3507 if (buf_len - res < size) {
3508 return TLS_NEED_MORE_DATA;
3515 unsigned char has_ds_params = 0;
3517 const struct ECCCurveParameters *curve = NULL;
3518 const unsigned char *pk_key = NULL;
3519 int ephemeral = tls_cipher_is_ephemeral(context);
3521 if (ephemeral == 1) {
3524 if (buf[res++] != 3) {
3526 /* any other method is not supported */
3529 if (buf_len - res < 3) {
3530 return TLS_NEED_MORE_DATA;
3532 int iana_n = get16(&buf[res]);
3534 key_size = buf[res];
3536 if (buf_len - res < key_size) {
3537 return TLS_NEED_MORE_DATA;
3539 DEBUG_PRINT("IANA CURVE NUMBER: %i\n", iana_n);
3563 DEBUG_PRINT("UNSUPPORTED CURVE\n");
3564 return TLS_GENERIC_ERROR;
3568 context->curve = curve;
3572 const unsigned char *dh_p = NULL;
3574 const unsigned char *dh_g = NULL;
3576 const unsigned char *dh_Ys = NULL;
3579 if (has_ds_params) {
3580 DEBUG_PRINT(" dh_p: ");
3581 dh_res = parse_dh(&buf[res], buf_len - res, &dh_p, &dh_p_len);
3583 return TLS_BROKEN_PACKET;
3588 DEBUG_PRINT(" dh_q: ");
3589 dh_res = parse_dh(&buf[res], buf_len - res, &dh_g, &dh_g_len);
3592 return TLS_BROKEN_PACKET;
3597 DEBUG_PRINT(" dh_Ys: ");
3598 dh_res = parse_dh(&buf[res], buf_len - res, &dh_Ys,
3602 return TLS_BROKEN_PACKET;
3610 int packet_size = res - 3;
3612 DEBUG_PRINT(" SIGNATURE (%i/%i/%i): ", packet_size,
3614 const unsigned char *signature =
3615 parse_signature(&buf[res], buf_len - res, &hash_algorithm,
3616 &sign_algorithm, &sign_size, &offset);
3618 if (sign_size <= 0 || !signature) {
3619 return TLS_BROKEN_PACKET;
3622 /* check signature */
3623 unsigned int message_len =
3624 packet_size + TLS_CLIENT_RANDOM_SIZE + TLS_SERVER_RANDOM_SIZE;
3625 unsigned char *message = malloc(message_len);
3627 memcpy(message, context->local_random, TLS_CLIENT_RANDOM_SIZE);
3628 memcpy(message + TLS_CLIENT_RANDOM_SIZE,
3629 context->remote_random, TLS_SERVER_RANDOM_SIZE);
3630 memcpy(message + TLS_CLIENT_RANDOM_SIZE +
3631 TLS_SERVER_RANDOM_SIZE, packet_ref, packet_size);
3632 if (tls_is_ecdsa(context)) {
3633 if (tls_verify_ecdsa
3634 (context, hash_algorithm, signature, sign_size,
3635 message, message_len, NULL) != 1) {
3637 ("ECC Server signature FAILED!\n");
3639 return TLS_BROKEN_PACKET;
3643 if (verify_rsa(context, hash_algorithm, signature,
3645 message_len) != 1) {
3646 DEBUG_PRINT("Server signature FAILED!\n");
3648 return TLS_BROKEN_PACKET;
3654 if (buf_len - res) {
3655 DEBUG_PRINT("EXTRA %i BYTES AT THE END OF MESSAGE\n",
3657 DEBUG_DUMP_HEX(&buf[res], buf_len - res);
3661 if (ephemeral == 1) {
3662 tls_dhe_create(context);
3663 DEBUG_DUMP_HEX_LABEL("DHP", dh_p, dh_p_len);
3664 DEBUG_DUMP_HEX_LABEL("DHG", dh_g, dh_g_len);
3665 int dhe_key_size = dh_p_len;
3666 if (dh_g_len > dh_p_len) {
3667 dhe_key_size = dh_g_len;
3670 if (tls_dh_make_key(dhe_key_size, context->dhe, (const char *)
3671 dh_p, (const char *) dh_g, dh_p_len,
3673 DEBUG_PRINT("ERROR CREATING DHE KEY\n");
3675 context->dhe = NULL;
3676 return TLS_GENERIC_ERROR;
3679 unsigned int dh_key_size = 0;
3680 unsigned char *key = tls_decrypt_dhe(context, dh_Ys, dh_Ys_len,
3682 DEBUG_DUMP_HEX_LABEL("DH COMMON SECRET", key, dh_key_size);
3683 if (key && dh_key_size) {
3684 free(context->premaster_key);
3685 context->premaster_key = key;
3686 context->premaster_key_len = dh_key_size;
3688 } else if (ephemeral == 2 && curve && pk_key && key_size) {
3689 tls_ecc_dhe_create(context);
3691 ltc_ecc_set_type *dp = (ltc_ecc_set_type *) & curve->dp;
3693 (NULL, find_prng("sprng"), context->ecc_dhe, dp)) {
3694 free(context->ecc_dhe);
3695 context->ecc_dhe = NULL;
3696 DEBUG_PRINT("Error generating ECC key\n");
3697 return TLS_GENERIC_ERROR;
3700 free(context->premaster_key);
3701 context->premaster_key_len = 0;
3703 unsigned int out_len = 0;
3704 context->premaster_key =
3705 tls_decrypt_ecc_dhe(context, pk_key, key_size,
3707 if (context->premaster_key) {
3708 context->premaster_key_len = out_len;
3715 int tls_parse_client_key_exchange(struct TLSContext *context,
3716 const unsigned char *buf, int buf_len) {
3717 if (context->connection_status != 1) {
3719 ("UNEXPECTED CLIENT KEY EXCHANGE MESSAGE (connections status: %i)\n",
3720 (int) context->connection_status);
3721 return TLS_UNEXPECTED_MESSAGE;
3727 return TLS_NEED_MORE_DATA;
3729 int size = get24(buf);
3732 if (buf_len - res < size) {
3733 return TLS_NEED_MORE_DATA;
3740 dh_res = tls_parse_random(context, &buf[res], size);
3742 DEBUG_PRINT("broken key\n");
3743 return TLS_BROKEN_PACKET;
3748 context->connection_status = 2;
3752 static int tls_parse_server_hello_done(const unsigned char *buf, int buf_len) {
3755 return TLS_NEED_MORE_DATA;
3757 int size = get24(buf);
3760 if (buf_len - res < size) {
3761 return TLS_NEED_MORE_DATA;
3769 int tls_parse_finished(struct TLSContext *context,
3770 const unsigned char *buf, int buf_len,
3771 unsigned int *write_packets) {
3772 if (context->connection_status < 2
3773 || context->connection_status == TLS_CONNECTED) {
3774 DEBUG_PRINT("UNEXPECTED FINISHED MESSAGE\n");
3775 return TLS_UNEXPECTED_MESSAGE;
3781 return TLS_NEED_MORE_DATA;
3783 int size = get24(buf);
3786 if (size < TLS_MIN_FINISHED_OPAQUE_LEN) {
3787 DEBUG_PRINT("Invalid finished packet size: %i\n", size);
3788 return TLS_BROKEN_PACKET;
3791 if (buf_len - res < size) {
3792 return TLS_NEED_MORE_DATA;
3795 unsigned char hash[TLS_MAX_SHA_SIZE];
3796 unsigned int hash_len = tls_get_hash(context, hash);
3798 if (context->tlsver == TLS_VERSION13) {
3799 unsigned char hash_out[TLS_MAX_SHA_SIZE];
3800 unsigned long out_size = TLS_MAX_SHA_SIZE;
3801 if (!context->remote_finished_key || !hash_len) {
3803 ("NO FINISHED KEY COMPUTED OR NO HANDSHAKE HASH\n");
3804 return TLS_NOT_VERIFIED;
3807 DEBUG_DUMP_HEX_LABEL("HS HASH", hash, hash_len);
3808 DEBUG_DUMP_HEX_LABEL("HS FINISH", context->remote_finished_key,
3811 out_size = hash_len;
3813 hmac_init(&hmac, tls_get_hash_idx(context),
3814 context->remote_finished_key, hash_len);
3815 hmac_process(&hmac, hash, hash_len);
3816 hmac_done(&hmac, hash_out, &out_size);
3818 if (size != (int)out_size || memcmp(hash_out, &buf[res], size)) {
3820 ("Finished validation error (sequence number, local: %i, remote: %i)\n",
3821 (int) context->local_sequence_number,
3822 (int) context->remote_sequence_number);
3823 DEBUG_DUMP_HEX_LABEL("FINISHED OPAQUE", &buf[res],
3825 DEBUG_DUMP_HEX_LABEL("VERIFY", hash_out, out_size);
3826 return TLS_NOT_VERIFIED;
3828 if (context->is_server) {
3829 context->connection_status = TLS_CONNECTED;
3831 _private_tls13_key(context, 0);
3832 context->local_sequence_number = 0;
3833 context->remote_sequence_number = 0;
3836 /* TODO client verify */
3839 unsigned char *out = malloc(size);
3841 DEBUG_PRINT("Error in malloc (%i bytes)\n",
3843 return TLS_NO_MEMORY;
3846 /* server verifies client's message */
3847 if (context->is_server) {
3848 tls_prf(context, out, size,
3849 context->master_key,
3850 context->master_key_len,
3852 "client finished", 15, hash,
3855 tls_prf(context, out, size,
3856 context->master_key,
3857 context->master_key_len,
3859 "server finished", 15, hash,
3863 if (memcmp(out, &buf[res], size)) {
3866 ("Finished validation error (sequence number, local: %i, remote: %i)\n",
3867 (int) context->local_sequence_number,
3868 (int) context->remote_sequence_number);
3869 DEBUG_DUMP_HEX_LABEL("FINISHED OPAQUE", &buf[res],
3871 DEBUG_DUMP_HEX_LABEL("VERIFY", out, size);
3872 return TLS_NOT_VERIFIED;
3877 if (context->is_server) {
3880 context->connection_status = TLS_CONNECTED;
3883 // fprintf(stderr, "set conn status = %d\n", context->connection_status);
3890 int tls_parse_verify_tls13(struct TLSContext *context,
3891 const unsigned char *buf, int buf_len) {
3893 return TLS_NEED_MORE_DATA;
3895 int size = get24(buf);
3901 unsigned char signing_data[TLS_MAX_HASH_SIZE + 98];
3902 int signing_data_len;
3904 /* first 64 bytes to 0x20 (32) */
3905 memset(signing_data, 0x20, 64);
3906 /* context string 33 bytes */
3907 if (context->is_server) {
3908 memcpy(signing_data + 64,
3909 "TLS 1.3, server CertificateVerify", 33);
3911 memcpy(signing_data + 64,
3912 "TLS 1.3, client CertificateVerify", 33);
3915 /* a single 0 byte separator */
3916 signing_data[97] = 0;
3917 signing_data_len = 98;
3919 signing_data_len += tls_get_hash(context, signing_data + 98);
3920 DEBUG_DUMP_HEX_LABEL("signature data", signing_data, signing_data_len);
3921 uint16_t signature = get16(&buf[3]);
3922 uint16_t signature_size = get16(&buf[5]);
3924 if (buf_len < size + 7) {
3925 return TLS_NEED_MORE_DATA;
3927 switch (signature) {
3929 /* secp256r1 + sha256 */
3931 tls_verify_ecdsa(context, sha256, buf + 7,
3932 signature_size, signing_data,
3937 /* secp384r1 + sha384 */
3938 valid = tls_verify_ecdsa(context, sha384, buf + 7,
3939 signature_size, signing_data,
3940 signing_data_len, &secp384r1);
3943 /* secp521r1 + sha512 */
3944 valid = tls_verify_ecdsa(context, sha512, buf + 7,
3945 signature_size, signing_data,
3946 signing_data_len, &secp521r1);
3949 valid = verify_rsa(context, sha256, buf + 7,
3950 signature_size, signing_data,
3954 DEBUG_PRINT("Unsupported signature: %x\n",
3956 return TLS_UNSUPPORTED_CERTIFICATE;
3959 DEBUG_PRINT("Signature FAILED!\n");
3960 return TLS_DECRYPTION_FAILED;
3965 int tls_parse_verify(struct TLSContext *context, const unsigned char *buf,
3967 if (context->tlsver == TLS_VERSION13) {
3968 return tls_parse_verify_tls13(context, buf, buf_len);
3972 return TLS_BAD_CERTIFICATE;
3975 int bytes_to_follow = get24(buf);
3977 if (buf_len - 3 < bytes_to_follow) {
3978 return TLS_BAD_CERTIFICATE;
3983 unsigned int hash = buf[3];
3984 unsigned int algorithm = buf[4];
3985 if (algorithm != rsa) {
3986 return TLS_UNSUPPORTED_CERTIFICATE;
3988 uint16_t size = get16(&buf[5]);
3989 if (bytes_to_follow - 4 < size) {
3990 return TLS_BAD_CERTIFICATE;
3992 DEBUG_PRINT("ALGORITHM %i/%i (%i)\n", hash, algorithm, (int) size);
3993 DEBUG_DUMP_HEX_LABEL("VERIFY", &buf[7], bytes_to_follow - 7);
3995 res = verify_rsa(context, hash, &buf[7], size,
3996 context->cached_handshake.buffer,
3997 context->cached_handshake.len);
3999 tls_buffer_free(&context->cached_handshake);
4001 DEBUG_PRINT("Signature OK\n");
4002 context->client_verified = 1;
4004 DEBUG_PRINT("Signature FAILED\n");
4005 context->client_verified = 0;
4010 /* TODO This is actually a parse a handshake message */
4011 int tls_parse_payload(struct TLSContext *context, const unsigned char *buf,
4014 int orig_len = buf_len;
4017 if (context->connection_status == TLS_CONNECTED) {
4018 if (context->version == TLS_V13) {
4019 tls_alert(context, 1, unexpected_message);
4021 tls_alert(context, 0, no_renegotiation_RESERVED);
4027 while (buf_len >= 4 && !context->critical_error) {
4028 int payload_res = 0;
4029 //unsigned char update_hash = 1;
4030 unsigned char type = buf[0];
4031 unsigned int write_packets = 0;
4032 int certificate_verify_alert = no_error;
4033 int payload_size = get24(buf+1) + 3;
4034 if (buf_len < payload_size + 1) {
4035 return TLS_NEED_MORE_DATA;
4040 CHECK_HANDSHAKE_STATE(context, 0, 1);
4042 (" => HELLO REQUEST (RENEGOTIATION?)\n");
4043 if (context->is_server) {
4044 payload_res = TLS_UNEXPECTED_MESSAGE;
4046 if (context->connection_status == TLS_CONNECTED) {
4048 payload_res = TLS_NO_RENEGOTIATION;
4050 payload_res = TLS_UNEXPECTED_MESSAGE;
4057 CHECK_HANDSHAKE_STATE(context, 1, 1);
4058 DEBUG_PRINT(" => CLIENT HELLO\n");
4059 if (context->is_server) {
4061 tls_parse_client_hello(context,
4066 payload_res = TLS_UNEXPECTED_MESSAGE;
4071 CHECK_HANDSHAKE_STATE(context, 2, 1);
4072 DEBUG_PRINT(" => SERVER HELLO\n");
4073 if (context->is_server) {
4074 payload_res = TLS_UNEXPECTED_MESSAGE;
4077 payload_res = tls_parse_server_hello(context, buf + 1, payload_size);
4081 /* hello verify request */
4082 DEBUG_PRINT(" => VERIFY REQUEST\n");
4083 CHECK_HANDSHAKE_STATE(context, 3, 1);
4084 payload_res = TLS_UNEXPECTED_MESSAGE;
4088 CHECK_HANDSHAKE_STATE(context, 4, 1);
4089 DEBUG_PRINT(" => CERTIFICATE\n");
4090 if (context->tlsver == TLS_VERSION13) {
4091 if (context->connection_status == 2) {
4093 tls_parse_certificate(context,
4098 if (context->is_server) {
4099 if (context->certificate_verify && context->client_certificates_count) {
4100 certificate_verify_alert
4102 context->certificate_verify(context,
4103 context->client_certificates,
4104 context->client_certificates_count);
4106 /* empty certificates are permitted for client */
4107 if (payload_res <= 0) {
4113 TLS_UNEXPECTED_MESSAGE;
4115 if (context->connection_status == 1) {
4116 if (context->is_server) {
4117 /* client certificate */
4119 tls_parse_certificate(context,
4123 if (context->certificate_verify && context->client_certificates_count) {
4124 certificate_verify_alert =
4125 context->certificate_verify
4128 client_certificates,
4130 client_certificates_count);
4132 /* empty certificates are permitted for client */
4133 if (payload_res <= 0)
4137 tls_parse_certificate(context,
4141 if (certificate_verify && context->certificates_count) {
4142 certificate_verify_alert =
4143 context->certificate_verify
4145 context->certificates,
4147 certificates_count);
4151 payload_res = TLS_UNEXPECTED_MESSAGE;
4155 /* server key exchange */
4156 CHECK_HANDSHAKE_STATE(context, 5, 1);
4157 DEBUG_PRINT(" => SERVER KEY EXCHANGE\n");
4158 if (context->is_server) {
4159 payload_res = TLS_UNEXPECTED_MESSAGE;
4162 tls_parse_server_key_exchange(context,
4168 /* certificate request */
4169 CHECK_HANDSHAKE_STATE(context, 6, 1);
4170 /* server to client */
4171 if (context->is_server) {
4172 payload_res = TLS_UNEXPECTED_MESSAGE;
4174 context->client_verified = 2;
4176 DEBUG_PRINT(" => CERTIFICATE REQUEST\n");
4179 /* server hello done */
4180 CHECK_HANDSHAKE_STATE(context, 7, 1);
4181 DEBUG_PRINT(" => SERVER HELLO DONE\n");
4182 if (context->is_server) {
4183 payload_res = TLS_UNEXPECTED_MESSAGE;
4186 tls_parse_server_hello_done(
4189 if (payload_res > 0) {
4195 /* certificate verify */
4196 CHECK_HANDSHAKE_STATE(context, 8, 1);
4197 DEBUG_PRINT(" => CERTIFICATE VERIFY\n");
4198 if (context->connection_status == 2) {
4200 tls_parse_verify(context, buf + 1,
4203 payload_res = TLS_UNEXPECTED_MESSAGE;
4207 /* client key exchange */
4208 CHECK_HANDSHAKE_STATE(context, 9, 1);
4209 DEBUG_PRINT(" => CLIENT KEY EXCHANGE\n");
4210 if (context->is_server) {
4212 tls_parse_client_key_exchange(context,
4216 payload_res = TLS_UNEXPECTED_MESSAGE;
4221 tls_buffer_free(&context->cached_handshake);
4222 CHECK_HANDSHAKE_STATE(context, 10, 1);
4223 DEBUG_PRINT(" => FINISHED\n");
4224 payload_res = tls_parse_finished(context,
4225 buf + 1, payload_size,
4227 if (payload_res > 0) {
4228 memset(context->hs_messages, 0,
4229 sizeof(context->hs_messages));
4234 (" => NOT UNDERSTOOD PAYLOAD TYPE: %x\n",
4236 return TLS_NOT_UNDERSTOOD;
4239 //if (type != 0x00 && update_hash) {
4241 tls_update_hash(context, buf, payload_size + 1);
4244 if (certificate_verify_alert != no_error) {
4246 tls_alert(context, 1, certificate_verify_alert);
4247 context->critical_error = 1;
4250 if (payload_res < 0) {
4251 switch (payload_res) {
4252 case TLS_UNEXPECTED_MESSAGE:
4254 tls_alert(context, 1, unexpected_message);
4256 case TLS_COMPRESSION_NOT_SUPPORTED:
4258 tls_alert(context, 1, decompression_failure_RESERVED);
4260 case TLS_BROKEN_PACKET:
4262 tls_alert(context, 1, decode_error);
4266 tls_alert(context, 1, internal_error);
4268 case TLS_NOT_VERIFIED:
4270 tls_alert(context, 1, bad_record_mac);
4272 case TLS_BAD_CERTIFICATE:
4274 if (context->is_server) {
4275 /* bad client certificate, continue */
4276 tls_alert(context, 0, bad_certificate);
4279 tls_alert(context, 1, bad_certificate);
4282 case TLS_UNSUPPORTED_CERTIFICATE:
4284 tls_alert(context, 1, unsupported_certificate);
4286 case TLS_NO_COMMON_CIPHER:
4288 tls_alert(context, 1, insufficient_security);
4290 case TLS_NOT_UNDERSTOOD:
4292 tls_alert(context, 1, internal_error);
4294 case TLS_NO_RENEGOTIATION:
4296 tls_alert(context, 0, no_renegotiation_RESERVED);
4299 case TLS_DECRYPTION_FAILED:
4301 tls_alert(context, 1, decryption_failed_RESERVED);
4304 if (payload_res < 0) {
4309 if (certificate_verify_alert != no_error) {
4310 payload_res = TLS_BAD_CERTIFICATE;
4311 /* TODO this is set but not used */
4314 /* except renegotiation */
4315 struct TLSPacket *pkt;
4316 switch (write_packets) {
4318 if (context->client_verified == 2) {
4319 tls_send_certificate(context);
4320 context->client_verified = 0;
4323 /* client handshake */
4324 tls_send_client_key_exchange(context);
4325 tls_send_change_cipher_spec(context);
4327 context->cipher_spec_set = 1;
4328 context->local_sequence_number = 0;
4330 tls_send_finished(context);
4332 context->cipher_spec_set = 0;
4335 /* server handshake */
4336 DEBUG_PRINT("<= SENDING SERVER HELLO\n");
4337 if (context->connection_status == 3) {
4338 context->connection_status = 2;
4340 (tls_build_hello(context, 0));
4341 tls_send_change_cipher_spec(context);
4342 _private_tls13_key(context, 1);
4343 context->cipher_spec_set = 1;
4345 ("<= SENDING ENCRYPTED EXTENSIONS\n");
4346 tls_send_encrypted_extensions(context);
4348 if (context->request_client_certificate) {
4350 ("<= SENDING CERTIFICATE REQUEST\n");
4352 (tls_certificate_request
4356 tls_send_certificate(context);
4357 tls_send_certificate_verify(context);
4358 tls_send_finished(context);
4361 free(context->server_finished_hash);
4363 context->server_finished_hash =
4364 malloc(tls_mac_length(context));
4366 if (context->server_finished_hash) {
4367 tls_get_hash(context,
4368 context->server_finished_hash);
4373 tls_queue_packet(tls_build_hello(context, 0));
4374 DEBUG_PRINT("<= SENDING CERTIFICATE\n");
4375 tls_send_certificate(context);
4377 int ephemeral_cipher =
4378 tls_cipher_is_ephemeral(context);
4379 if (ephemeral_cipher) {
4381 ("<= SENDING EPHEMERAL DH KEY\n");
4382 tls_send_server_key_exchange(context,
4383 ephemeral_cipher == 1 ?
4385 KEA_ec_diffie_hellman);
4387 if (context->request_client_certificate) {
4389 ("<= SENDING CERTIFICATE REQUEST\n");
4391 (tls_certificate_request
4394 tls_send_done(context);
4398 tls_send_change_cipher_spec(context);
4399 tls_send_finished(context);
4400 context->connection_status = TLS_CONNECTED;
4407 /* hello retry request */
4408 DEBUG_PRINT("<= SENDING HELLO RETRY REQUEST\n");
4409 pkt = tls_build_hello(context, 0);
4410 tls_queue_packet(pkt);
4414 buf += payload_size;
4415 buf_len -= payload_size;
4421 unsigned int asn1_get_len(const unsigned char *buffer, int buf_len,
4422 unsigned int *octets) {
4429 unsigned char size = buffer[0];
4432 *octets = size & 0x7F;
4433 if ((int) *octets > buf_len - 1) {
4437 unsigned int ref_octets = *octets;
4441 if ((int) *octets > buf_len - 1) {
4444 unsigned int long_size = 0;
4445 unsigned int coef = 1;
4447 for (i = ref_octets; i > 0; i--) {
4448 long_size += buffer[i] * coef;
4458 void print_index(const unsigned int *fields) {
4464 DEBUG_PRINT("%i", fields[i]);
4473 int _is_field(const unsigned int *fields, const unsigned int *prefix) {
4476 if (fields[i] != prefix[i]) {
4484 static int tls_hash_len(int algorithm) {
4485 switch (algorithm) {
4486 case TLS_RSA_SIGN_MD5:
4488 case TLS_RSA_SIGN_SHA1:
4490 case TLS_RSA_SIGN_SHA256:
4492 case TLS_RSA_SIGN_SHA384:
4494 case TLS_RSA_SIGN_SHA512:
4500 static unsigned char *tls_compute_hash(int algorithm, const unsigned char
4501 *message, unsigned int message_len) {
4502 unsigned char *hash = NULL;
4504 int hash_index = -1;
4505 unsigned long hash_len = 0;
4507 if (!message || !message_len) {
4511 switch (algorithm) {
4512 case TLS_RSA_SIGN_MD5:
4513 DEBUG_PRINT("SIGN MD5\n");
4514 hash_index = find_hash("md5");
4517 case TLS_RSA_SIGN_SHA1:
4518 DEBUG_PRINT("SIGN SHA1\n");
4519 hash_index = find_hash("sha1");
4522 case TLS_RSA_SIGN_SHA256:
4523 DEBUG_PRINT("SIGN SHA256\n");
4524 hash_index = find_hash("sha256");
4527 case TLS_RSA_SIGN_SHA384:
4528 DEBUG_PRINT("SIGN SHA384\n");
4529 hash_index = find_hash("sha384");
4532 case TLS_RSA_SIGN_SHA512:
4533 DEBUG_PRINT("SIGN SHA512\n");
4534 hash_index = find_hash("sha512");
4538 DEBUG_PRINT("UNKNOWN SIGNATURE ALGORITHM\n");
4543 hash = malloc(hash_len);
4548 err = hash_memory(hash_index, message, message_len, hash, &hash_len);
4555 int tls_certificate_verify_signature(struct TLSCertificate *cert,
4556 struct TLSCertificate *parent) {
4557 if (!cert || !parent || !cert->sign_key
4558 || !cert->fingerprint || !cert->sign_len
4559 || !parent->der_bytes || !parent->der_len) {
4560 DEBUG_PRINT("CANNOT VERIFY SIGNATURE ");
4562 DEBUG_PRINT("!cert ");
4564 if (!cert->sign_key) {
4565 DEBUG_PRINT("!cert->sign_key ");
4567 if (!cert->fingerprint) {
4568 DEBUG_PRINT("!cert->fingerprint ");
4570 if (!cert->sign_len) {
4571 DEBUG_PRINT("!cert->sign_len ");
4576 DEBUG_PRINT("!parent ");
4578 if (!parent->der_bytes) {
4579 DEBUG_PRINT("!parent->der_bytes ");
4581 if (!parent->der_len) {
4582 DEBUG_PRINT("!parent->der_len ");
4589 DEBUG_PRINT("checking alg\n");
4590 int hash_len = tls_hash_len(cert->algorithm);
4591 if (hash_len <= 0) {
4596 switch (cert->algorithm) {
4597 case TLS_RSA_SIGN_MD5:
4598 hash_index = find_hash("md5");
4600 case TLS_RSA_SIGN_SHA1:
4601 hash_index = find_hash("sha1");
4603 case TLS_RSA_SIGN_SHA256:
4604 hash_index = find_hash("sha256");
4606 case TLS_RSA_SIGN_SHA384:
4607 hash_index = find_hash("sha384");
4609 case TLS_RSA_SIGN_SHA512:
4610 hash_index = find_hash("sha512");
4613 DEBUG_PRINT("UNKNOWN SIGNATURE ALGORITHM\n");
4618 DEBUG_PRINTLN("rsa_import(%p, %d, %p)\n", parent->der_bytes,
4619 parent->der_len, &key);
4620 int err = rsa_import(parent->der_bytes, parent->der_len, &key);
4623 ("Error importing RSA certificate (code: %i)\n", err);
4624 DEBUG_PRINT("Message: %s\n", error_to_string(err));
4625 DEBUG_DUMP_HEX_LABEL("CERTIFICATE", parent->der_bytes,
4630 unsigned char *signature = cert->sign_key;
4631 int signature_len = cert->sign_len;
4632 if (!signature[0]) {
4637 err = rsa_verify_hash_ex(signature, signature_len, cert->fingerprint,
4638 hash_len, LTC_PKCS_1_V1_5, hash_index, 0, &rsa_stat,
4643 DEBUG_PRINT("HASH VERIFY ERROR %i\n", err);
4646 DEBUG_PRINT("CERTIFICATE VALIDATION: %i\n", rsa_stat);
4650 int tls_certificate_chain_is_valid(struct TLSCertificate **certificates,
4652 if (!certificates || !len) {
4653 return bad_certificate;
4657 DEBUG_PRINT("verifying %i length cert chain\n", len);
4660 /* expired certificate or not yet valid ? */
4661 if (tls_certificate_is_valid(certificates[0])) {
4662 return bad_certificate;
4666 for (i = 0; i < len; i++) {
4667 /* certificate in chain is expired ? */
4668 if (tls_certificate_is_valid(certificates[i + 1])) {
4669 return bad_certificate;
4672 if (!tls_certificate_verify_signature(certificates[i],
4673 certificates[i + 1])) {
4675 ("tls_certificate_verify_signature certs[%d], certs[%d+1] failed\n",
4677 return bad_certificate;
4684 int tls_certificate_chain_is_valid_root(struct TLSContext *context, struct
4685 TLSCertificate **certificates, int len) {
4688 if (!certificates || !len || !context->root_certificates
4689 || !context->root_count) {
4690 return bad_certificate;
4692 for (i = 0; i < len; i++) {
4693 for (j = 0; j < context->root_count; j++) {
4694 /* check if root certificate expired */
4695 if (tls_certificate_is_valid
4696 (context->root_certificates[j])) {
4699 /* if any root validates any certificate in the chain,
4700 * then is root validated */
4701 if (tls_certificate_verify_signature(certificates[i],
4702 context->root_certificates[j]))
4708 return bad_certificate;
4711 int _private_is_oid(struct OID_chain *ref_chain,
4712 const unsigned char *looked_oid, int looked_oid_len) {
4714 if (ref_chain->oid) {
4716 (ref_chain->oid, looked_oid, 16,
4721 ref_chain = (struct OID_chain *) ref_chain->top;
4726 int _private_asn1_parse(struct TLSContext *context,
4727 struct TLSCertificate *cert,
4728 const unsigned char *buffer, int size, int level,
4729 unsigned int *fields, unsigned char *has_key,
4730 int client_cert, unsigned char *top_oid,
4731 struct OID_chain *chain) {
4732 struct OID_chain local_chain;
4733 DEBUG_INDEX(fields);
4735 local_chain.top = chain;
4739 unsigned char oid[16];
4741 local_chain.oid = oid;
4745 unsigned char local_has_key = 0;
4746 const unsigned char *cert_data = NULL;
4747 unsigned int cert_len = 0;
4748 while (pos < size) {
4749 unsigned int start_pos = pos;
4750 if (size - pos < 2) {
4751 return TLS_NEED_MORE_DATA;
4753 unsigned char first = buffer[pos++];
4754 unsigned char type = first & 0x1F;
4755 unsigned char constructed = first & 0x20;
4756 unsigned char element_class = first >> 6;
4760 if (level <= TLS_ASN1_MAXLEVEL) {
4761 fields[level - 1] = idx;
4763 DEBUG_INDEX(fields);
4765 int length = asn1_get_len((unsigned char *) &buffer[pos], size
4767 DEBUG_PRINT("asn1_get_len = %u\n", length);
4768 if ((octets > 4) || (octets > size - pos)) {
4770 ("CANNOT READ CERTIFICATE octets = %d, size = %d pos = %d, size - pos = %d\n",
4771 octets, size, pos, size - pos);
4776 if (size - pos < length) {
4777 return TLS_NEED_MORE_DATA;
4780 /*DEBUG_PRINT("FIRST: %x => %x (%i)\n", (int)first, (int)type, length); */
4782 /*DEBUG_PRINT("%2i: ", level); */
4784 DEBUG_INDEX(fields);
4786 for (i1 = 1; i1 < level; i1++) {
4791 if (length && constructed) {
4794 DEBUG_PRINT("CONSTRUCTED BITSTREAM\n");
4797 DEBUG_PRINT("SEQUENCE\n");
4798 if ((level == 2) && (idx == 1)) {
4800 length + (pos - start_pos);
4801 cert_data = &buffer[start_pos];
4803 /* private key on server or public key on client */
4805 && (_is_field(fields, priv_der_id))) {
4806 free(cert->der_bytes);
4807 temp = length + (pos - start_pos);
4808 cert->der_bytes = malloc(temp);
4809 if (cert->der_bytes) {
4810 memcpy(cert->der_bytes,
4813 cert->der_len = temp;
4819 DEBUG_PRINT("EMBEDDED PDV\n");
4822 if (element_class == 0x02) {
4823 DEBUG_PRINT("CONTEXT-SPECIFIC\n");
4827 DEBUG_PRINT("CONSTRUCT TYPE %02X\n",(int)type);
4831 _private_asn1_parse(context, cert, &buffer[pos],
4832 length, level + 1, fields,
4833 &local_has_key, client_cert,
4834 top_oid, &local_chain);
4835 if (((local_has_key && context
4836 && (!context->is_server || client_cert))
4838 && (_is_field(fields, pk_id))) {
4839 free(cert->der_bytes);
4840 temp = length + (pos - start_pos);
4841 cert->der_bytes = malloc(temp);
4842 if (cert->der_bytes) {
4843 memcpy(cert->der_bytes,
4844 &buffer[start_pos], temp);
4845 cert->der_len = temp;
4853 /* end of content */
4854 DEBUG_PRINT("END OF CONTENT\n");
4860 DEBUG_PRINT("BOOLEAN: %i\n", temp);
4864 if (_is_field(fields, pk_id)) {
4870 tls_certificate_set_key
4871 (cert, &buffer[pos],
4873 } else if (idx == 2) {
4874 tls_certificate_set_exponent
4875 (cert, &buffer[pos],
4878 } else if (_is_field(fields, serial_id)) {
4879 tls_certificate_set_serial(cert,
4885 if (_is_field(fields, version_id)) {
4890 #ifdef TLS_X509_V1_SUPPORT
4898 unsigned int fields_temp[3];
4899 fields_temp[0] = fields[level - 2];
4900 fields_temp[1] = fields[level - 1];
4903 (fields_temp, priv_id)) {
4904 tls_certificate_set_priv
4905 (cert, &buffer[pos],
4909 DEBUG_PRINT("INTEGER(%i): ", length);
4910 DEBUG_DUMP_HEX(&buffer[pos], length);
4911 if ((chain) && (length > 2)) {
4914 sizeof(san_oid) - 1)) {
4918 TLS_REALLOC(cert->san,
4930 tls_certificate_set_copy
4937 (" => SUBJECT ALTERNATIVE NAME: %s",
4954 if (_is_field(fields, pk_id)) {
4959 DEBUG_PRINT("BITSTREAM(%i): ", length);
4960 DEBUG_DUMP_HEX(&buffer[pos], length);
4962 if (_is_field(fields, sign_id)
4963 || _is_field(fields, sign_id2)) {
4964 DEBUG_PRINT("set sign key\n");
4965 tls_certificate_set_sign_key(cert,
4969 } else if (cert->ec_algorithm
4970 && (_is_field(fields, pk_id))) {
4971 tls_certificate_set_key(cert,
4976 if (buffer[pos] == 0x00
4981 length - 1, level + 1,
4984 client_cert, top_oid,
4989 &buffer[pos], length,
4992 client_cert, top_oid,
4999 TLS_EC_prime256v1_OID,
5002 (TLS_EC_prime256v1) -
5010 TLS_EC_secp224r1_OID,
5013 (TLS_EC_secp224r1_OID)
5021 TLS_EC_secp384r1_OID,
5024 (TLS_EC_secp384r1_OID)
5032 TLS_EC_secp521r1_OID,
5035 (TLS_EC_secp521r1_OID)
5041 if ((cert->ec_algorithm)
5043 tls_certificate_set_key
5051 if (top_oid && _is_field(fields, ecc_priv_id)
5053 DEBUG_PRINT("BINARY STRING(%i): ",
5055 DEBUG_DUMP_HEX(&buffer[pos],
5058 tls_certificate_set_priv(cert,
5063 _private_asn1_parse(context, cert,
5075 DEBUG_PRINT("NULL\n");
5078 /* object identifier */
5079 if (_is_field(fields, pk_id)) {
5080 if (length == 8 || length == 5) {
5081 tls_certificate_set_algorithm
5082 (&cert->ec_algorithm,
5083 &buffer[pos], length);
5085 tls_certificate_set_algorithm
5086 (&cert->key_algorithm,
5087 &buffer[pos], length);
5090 if (_is_field(fields, algorithm_id))
5091 tls_certificate_set_algorithm
5093 &buffer[pos], length);
5095 DEBUG_PRINT("OBJECT IDENTIFIER(%i): ", length);
5096 DEBUG_DUMP_HEX(&buffer[pos], length);
5098 /* check previous oid */
5101 sizeof(ocsp_oid) - 1))
5102 tls_certificate_set_copy(&cert->ocsp,
5107 memcpy(oid, &buffer[pos], length);
5109 memcpy(oid, &buffer[pos], 16);
5112 memcpy(top_oid, oid, 16);
5115 DEBUG_PRINT("REAL NUMBER(%i): ", length);
5116 DEBUG_DUMP_HEX(&buffer[pos], length);
5121 DEBUG_PRINT("UTC TIME: [");
5122 DEBUG_DUMP(&buffer[pos], length);
5125 if (_is_field(fields, validity_id)) {
5127 tls_certificate_set_copy_date
5129 &buffer[pos], length);
5131 tls_certificate_set_copy_date
5133 &buffer[pos], length);
5138 /* generalized time */
5139 DEBUG_PRINT("GENERALIZED TIME: [");
5140 DEBUG_DUMP(&buffer[pos], length);
5144 /* printable string */
5155 if (_is_field(fields, issurer_id)) {
5156 if (_is_oid(oid, country_oid, 3)) {
5157 tls_certificate_set_copy
5158 (&cert->issuer_country,
5159 &buffer[pos], length);
5161 (oid, state_oid, 3)) {
5162 tls_certificate_set_copy
5163 (&cert->issuer_state,
5164 &buffer[pos], length);
5166 (oid, location_oid, 3)) {
5167 tls_certificate_set_copy
5170 &buffer[pos], length);
5172 (oid, entity_oid, 3)) {
5173 tls_certificate_set_copy
5174 (&cert->issuer_entity,
5175 &buffer[pos], length);
5177 (oid, subject_oid, 3)) {
5178 tls_certificate_set_copy
5179 (&cert->issuer_subject,
5180 &buffer[pos], length);
5182 } else if (_is_field(fields, owner_id)) {
5183 if (_is_oid(oid, country_oid, 3)) {
5184 tls_certificate_set_copy
5186 &buffer[pos], length);
5188 (oid, state_oid, 3)) {
5189 tls_certificate_set_copy
5191 &buffer[pos], length);
5193 (oid, location_oid, 3)) {
5194 tls_certificate_set_copy
5196 &buffer[pos], length);
5198 (oid, entity_oid, 3)) {
5199 tls_certificate_set_copy
5201 &buffer[pos], length);
5203 (oid, subject_oid, 3)) {
5204 tls_certificate_set_copy
5206 &buffer[pos], length);
5209 DEBUG_PRINT("STR: [");
5210 DEBUG_DUMP(&buffer[pos], length);
5214 DEBUG_PRINT("EMPTY SEQUENCE\n");
5217 DEBUG_PRINT("ENUMERATED(%i): ", length);
5218 DEBUG_DUMP_HEX(&buffer[pos], length);
5222 DEBUG_PRINT("========> NOT SUPPORTED %x\n",
5224 /* not supported / needed */
5231 if (cert_len && cert_data) {
5232 int h = find_hash("sha256");
5233 size_t len = sizeof cert->fp;
5234 hash_memory(h, cert_data,cert_len, cert->fp, &len);
5237 if (level == 2 && cert->sign_key && cert->sign_len
5238 && cert_len && cert_data) {
5239 free(cert->fingerprint);
5240 cert->fingerprint = tls_compute_hash(cert->algorithm,
5241 cert_data, cert_len);
5243 if (cert->fingerprint) {
5244 DEBUG_DUMP_HEX_LABEL("FINGERPRINT",
5246 tls_hash_len(cert->algorithm));
5253 struct TLSCertificate *asn1_parse(struct TLSContext *context,
5254 const unsigned char *buffer, int size,
5256 unsigned int fields[TLS_ASN1_MAXLEVEL] = { 0 };
5258 struct TLSCertificate *cert = tls_create_certificate();
5261 if (client_cert < 0) {
5264 unsigned char top_oid[16];
5265 memset(top_oid, 0, sizeof(top_oid));
5266 _private_asn1_parse(context, cert, buffer, size, 1,
5267 fields, NULL, client_cert,
5270 _private_asn1_parse(context, cert, buffer, size, 1,
5271 fields, NULL, client_cert,
5278 int tls_clear_certificates(struct TLSContext *tls) {
5281 if (!tls || !tls->is_server || tls->is_child) {
5282 return TLS_GENERIC_ERROR;
5285 if (tls->root_certificates) {
5286 for (i = 0; i < tls->root_count; i++) {
5287 tls_destroy_certificate(tls->root_certificates[i]);
5290 tls->root_certificates = NULL;
5291 tls->root_count = 0;
5293 if (tls->private_key) {
5294 tls_destroy_certificate(tls->private_key);
5296 tls->private_key = NULL;
5297 if (tls->ec_private_key) {
5298 tls_destroy_certificate(tls->ec_private_key);
5300 tls->ec_private_key = NULL;
5301 free(tls->certificates);
5302 tls->certificates = NULL;
5303 tls->certificates_count = 0;
5307 /* This is just a wrapper around parse message so we don't
5308 * call read more often than necessary. IOW, if there's
5309 * more than one record in the input buffer, process them all
5311 int tls_consume_stream(struct TLSContext *context) {
5313 return TLS_GENERIC_ERROR;
5316 if (context->critical_error) {
5317 return TLS_BROKEN_CONNECTION;
5320 size_t tls_buffer_len = context->input_buffer.len;
5321 unsigned char *buffer = context->input_buffer.buffer;
5323 unsigned int index = 0;
5326 int tls_header_size;
5327 int tls_size_offset;
5329 tls_size_offset = 3;
5330 tls_header_size = 5;
5332 while (tls_buffer_len >= 5) {
5335 length = get16(buffer + index + tls_size_offset)
5338 if (length > tls_buffer_len) {
5339 /* record not complete */
5343 /* This is the only place tls_parse_message is called */
5344 int consumed = tls_parse_message(context, buffer+index, length);
5346 fprintf(stderr, "parse message error: %d\n", consumed);
5347 err_flag = consumed;
5351 tls_buffer_len -= length;
5352 if (context->critical_error) {
5353 err_flag = TLS_BROKEN_CONNECTION;
5358 if (err_flag || context->input_buffer.error) {
5359 if (!context->critical_error) {
5360 context->critical_error = 1;
5362 DEBUG_PRINT("ERROR IN CONSUME: %i\n", err_flag);
5363 tls_buffer_free(&context->input_buffer);
5366 tls_buffer_shift(&context->input_buffer, index);
5370 void tls_close_notify(struct TLSContext *context) {
5371 if (!context || context->critical_error) {
5374 context->critical_error = 1;
5375 DEBUG_PRINT("CLOSE\n");
5376 tls_alert(context, 0, close_notify);
5379 void tls_alert(struct TLSContext *context, int critical, int code) {
5384 struct TLSPacket *packet = tls_create_packet(context, TLS_ALERT,
5385 context->version, 0);
5386 tls_packet_uint8(packet, critical ? TLS_ALERT_CRITICAL :
5389 tls_packet_uint8(packet, code);
5390 tls_packet_update(packet);
5393 context->critical_error = 1;
5396 tls_queue_packet(packet);
5399 int tls_is_broken(struct TLSContext *context) {
5400 if (!context || context->critical_error) {
5406 /* TODO I don't see that this ever gets cleared */
5407 int tls_request_client_certificate(struct TLSContext *context) {
5408 if (!context || !context->is_server) {
5412 context->request_client_certificate = 1;
5416 int tls_client_verified(struct TLSContext *context) {
5417 if (!context || context->critical_error) {
5421 return context->client_verified == 1;
5424 int tls_sni_set(struct TLSContext *context, const char *sni) {
5425 if (!context || context->is_server || context->critical_error
5426 || context->connection_status != 0) {
5432 context->sni = sni ? strdup(sni) : 0;
5433 return context->sni ? 1 : 0;
5436 int tls_default_verify(struct TLSContext *context,
5437 struct TLSCertificate **certificate_chain, int len)
5442 if (certificate_chain) {
5443 for (i = 0; i < len; i++) {
5444 struct TLSCertificate *certificate =
5445 certificate_chain[i];
5446 /* check validity date */
5447 err = tls_certificate_is_valid(certificate);
5453 /* check if chain is valid */
5454 err = tls_certificate_chain_is_valid(certificate_chain, len);
5459 /* check certificate subject */
5460 if (!context->is_server && context->sni && len > 0
5461 && certificate_chain) {
5462 err = tls_certificate_valid_subject(certificate_chain[0],
5469 err = tls_certificate_chain_is_valid_root(context, certificate_chain,
5475 DEBUG_PRINT("Certificate OK\n");
5479 ssize_t tls_fsync(struct TLSContext *context) {
5482 ssize_t send_res = 0;
5484 unsigned char *buffer;
5485 tls_send_func write_cb = NULL;
5496 buffer = context->output_buffer.buffer;
5497 buflen = context->output_buffer.len;
5499 if (context->send) {
5500 write_cb = context->send;
5505 while (buflen > 0) {
5508 res = write_cb(fd, buffer+offset, buflen, 0);
5510 perror("send error");
5518 DEBUG_PRINT("sent %zd bytes\n", send_res);
5519 context->output_buffer.len = 0;
5523 void tls_free(struct TLSContext *context) {
5525 free(context->user_data);
5526 tls_destroy_context(context);
5530 int tls_set_fd(struct TLSContext *context, int socket) {
5532 return TLS_GENERIC_ERROR;
5534 context->fd = socket;
5538 int tls_load_root_file(struct TLSContext *context, const char *pem_filename) {
5549 fd = open(pem_filename, O_RDONLY);
5554 if (fstat(fd, &st) == -1) {
5559 addr = mmap(NULL, st.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
5560 if (addr == MAP_FAILED) {
5565 count = tls_load_root_certificates(context, addr, st.st_size);
5566 munmap(addr, st.st_size);
5572 void tls_set_verify(struct TLSContext *tls, tls_validation_function vfunc) {
5574 tls->certificate_verify = vfunc;
5578 static ssize_t tls_safe_read(struct TLSContext *tls) {
5579 tls_recv_func read_cb;
5583 if (!tls || tls->fd <= 0) {
5584 return TLS_GENERIC_ERROR;
5588 read_cb = tls->recv;
5594 bytes = read_cb(tls->fd, buffer, sizeof buffer, 0);
5596 tls_buffer_append(&tls->input_buffer, buffer, bytes);
5602 /* I think this is the server handshake */
5603 int SSL_accept(struct TLSContext *context) {
5604 ssize_t read_size = 0;
5606 if (!context || context->fd <= 0) {
5607 return TLS_GENERIC_ERROR;
5610 if (tls_established(context)) {
5615 while ((read_size = tls_safe_read(context)) > 0) {
5616 if (tls_consume_stream(context) >= 0) {
5617 ssize_t res = tls_fsync(context);
5622 if (tls_established(context)) {
5626 if (read_size <= 0) {
5627 return TLS_BROKEN_CONNECTION;
5632 /* TODO this is really do the handshake */
5633 int tls_connect(struct TLSContext *context) {
5638 if (!context || context->fd < 0 || context->critical_error) {
5641 } else if (context->fd < 0) {
5647 return TLS_GENERIC_ERROR;
5651 if (context->is_server) {
5652 return TLS_UNEXPECTED_MESSAGE;
5656 res = tls_queue_packet(tls_build_client_hello(context));
5664 res = tls_fsync(context);
5670 while ((read_size = tls_safe_read(context)) > 0) {
5671 if ((res = tls_consume_stream(context)) >= 0) {
5672 res = tls_fsync(context);
5678 if (tls_established(context)) {
5683 if (context->critical_error) {
5684 fprintf(stderr, "critical error: %d\n",
5685 context->critical_error);
5686 return TLS_GENERIC_ERROR;
5693 int tls_shutdown(struct TLSContext *tls) {
5694 if (!tls || tls->fd <= 0) {
5695 return TLS_GENERIC_ERROR;
5698 tls_close_notify(tls);
5702 /* TODO configure for maximum packet data length
5703 * max is 2^14 - 5 byte header - 32 byte mac - padding which depends
5704 * on the cipher (up to 255 bytes I think).
5706 ssize_t tls_write(struct TLSContext *context, const void *buf, size_t count) {
5708 return TLS_GENERIC_ERROR;
5710 if (context->connection_status != TLS_CONNECTED) {
5711 return TLS_UNEXPECTED_MESSAGE;
5713 if (count > TLS_MAXTLS_APP_SIZE) {
5714 count = TLS_MAXTLS_APP_SIZE;
5717 if (!buf || !count) {
5721 struct TLSPacket *packet = tls_create_packet(context,
5722 TLS_APPLICATION_DATA, context->version, count);
5723 tls_packet_append(packet, buf, count);
5724 tls_packet_update(packet);
5726 tls_queue_packet(packet);
5727 /* TODO think about this. context->sync with O_NONBLOCK might be a
5730 if (context->sync) {
5732 res = tls_fsync(context);
5740 static ssize_t tls_readbuf(struct TLSContext *tls, void *buf, size_t count) {
5741 if (count > tls->application_buffer.len) {
5742 count = tls->application_buffer.len;
5746 /* TODO should have a buffer read and shift */
5747 memcpy(buf, tls->application_buffer.buffer, count);
5748 tls_buffer_shift(&tls->application_buffer, count);
5754 ssize_t tls_read(struct TLSContext *context, void *buf, size_t count) {
5756 return TLS_GENERIC_ERROR;
5759 if (context->application_buffer.len) {
5760 return tls_readbuf(context, buf, count);
5763 if (context->fd <= 0 || context->critical_error) {
5764 return TLS_GENERIC_ERROR;
5767 if (!tls_established(context)) {
5768 return TLS_GENERIC_ERROR;
5771 if (context->application_buffer.len == 0 && !context->critical_error) {
5772 /* attempt to fill buffer, unless we're already in an error
5777 while ((read_size = tls_safe_read(context)) > 0) {
5778 if (tls_consume_stream(context) > 0) {
5782 if (context->critical_error
5783 && !context->application_buffer.len) {
5784 /* if there's a critical error, don't bail if
5785 * we managed to get some data
5787 return TLS_GENERIC_ERROR;
5791 if (read_size <= 0 && context->application_buffer.len == 0) {
5792 /* can return errors as for read(2) */
5797 return tls_readbuf(context, buf, count);