6 * Copyright (C) 2011-2015 SIPE Project <http://sipe.sourceforge.net/>
9 * This program is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by
11 * the Free Software Foundation; either version 2 of the License, or
12 * (at your option) any later version.
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
19 * You should have received a copy of the GNU General Public License
20 * along with this program; if not, write to the Free Software
21 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
24 * TLS Protocol Version 1.0/1.1/1.2 - Handshake Messages
26 * TLS-DSK uses the handshake messages during authentication and session key
27 * exchange. This module *ONLY* implements this part of the TLS specification!
29 * Specification references:
31 * - RFC2246: http://www.ietf.org/rfc/rfc2246.txt
32 * - RFC3546: http://www.ietf.org/rfc/rfc3546.txt
33 * - RFC4346: http://www.ietf.org/rfc/rfc4346.txt
42 #include "sipe-common.h"
43 #include "sipe-backend.h"
44 #include "sipe-cert-crypto.h"
45 #include "sipe-crypt.h"
46 #include "sipe-digest.h"
51 * Private part of TLS state tracking
53 enum tls_handshake_state
{
54 TLS_HANDSHAKE_STATE_START
,
55 TLS_HANDSHAKE_STATE_SERVER_HELLO
,
56 TLS_HANDSHAKE_STATE_FINISHED
,
57 TLS_HANDSHAKE_STATE_COMPLETED
,
58 TLS_HANDSHAKE_STATE_FAILED
61 struct tls_internal_state
{
62 struct sipe_tls_state common
;
64 enum tls_handshake_state state
;
71 gpointer sha1_context
;
72 gpointer server_certificate
;
73 struct sipe_tls_random client_random
;
74 struct sipe_tls_random server_random
;
75 struct sipe_tls_random pre_master_secret
;
78 guchar
*master_secret
;
80 guchar
*tls_dsk_key_block
;
81 const guchar
*client_write_mac_secret
;
82 const guchar
*server_write_mac_secret
;
83 const guchar
*client_write_secret
;
84 const guchar
*server_write_secret
;
85 void (*mac_func
)(const guchar
*key
, gsize key_length
,
86 const guchar
*data
, gsize data_length
,
88 gpointer cipher_context
;
89 guint64 sequence_number
;
94 * TLS messages & layout descriptors
98 #define TLS_VECTOR_MAX8 255 /* 2^8 - 1 */
99 #define TLS_VECTOR_MAX16 65535 /* 2^16 - 1 */
100 #define TLS_VECTOR_MAX24 16777215 /* 2^24 - 1 */
102 #define TLS_PROTOCOL_VERSION_1_0 0x0301
103 #define TLS_PROTOCOL_VERSION_1_1 0x0302
104 #define TLS_PROTOCOL_VERSION_1_2 0x0303
107 #define TLS_RSA_EXPORT_WITH_RC4_40_MD5 0x0003
108 #define TLS_RSA_WITH_RC4_128_MD5 0x0004
109 #define TLS_RSA_WITH_RC4_128_SHA 0x0005
110 #define TLS_RSA_WITH_AES_128_CBC_SHA 0x002F
111 #define TLS_RSA_WITH_AES_256_CBC_SHA 0x0035
113 /* CompressionMethods */
114 #define TLS_COMP_METHOD_NULL 0
116 /* various array lengths */
117 #define TLS_ARRAY_RANDOM_LENGTH 32
118 #define TLS_ARRAY_MASTER_SECRET_LENGTH 48
119 #define TLS_ARRAY_VERIFY_LENGTH 12
121 #define TLS_RECORD_HEADER_LENGTH 5
122 #define TLS_RECORD_OFFSET_TYPE 0
123 #define TLS_RECORD_TYPE_CHANGE_CIPHER_SPEC 20
124 #define TLS_RECORD_TYPE_HANDSHAKE 22
125 #define TLS_RECORD_OFFSET_VERSION 1
126 #define TLS_RECORD_OFFSET_LENGTH 3
128 #define TLS_HANDSHAKE_HEADER_LENGTH 4
129 #define TLS_HANDSHAKE_OFFSET_TYPE 0
130 #define TLS_HANDSHAKE_TYPE_CLIENT_HELLO 1
131 #define TLS_HANDSHAKE_TYPE_SERVER_HELLO 2
132 #define TLS_HANDSHAKE_TYPE_CERTIFICATE 11
133 #define TLS_HANDSHAKE_TYPE_CERTIFICATE_REQ 13
134 #define TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE 14
135 #define TLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY 15
136 #define TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE 16
137 #define TLS_HANDSHAKE_TYPE_FINISHED 20
138 #define TLS_HANDSHAKE_OFFSET_LENGTH 1
140 struct layout_descriptor
;
141 typedef gboolean
parse_func(struct tls_internal_state
*state
,
142 const struct layout_descriptor
*desc
);
144 /* Defines the strictest alignment requirement */
145 struct tls_compile_integer
;
146 typedef void compile_func(struct tls_internal_state
*state
,
147 const struct layout_descriptor
*desc
,
148 const struct tls_compile_integer
*data
);
150 struct layout_descriptor
{
153 compile_func
*compiler
;
154 gsize min
; /* 0 for fixed/array */
159 #define TLS_LAYOUT_DESCRIPTOR_END { NULL, NULL, NULL, 0, 0, 0 }
160 #define TLS_LAYOUT_IS_VALID(desc) (desc->label)
162 struct msg_descriptor
{
163 const struct msg_descriptor
*next
;
164 const gchar
*description
;
165 const struct layout_descriptor
*layouts
;
170 struct tls_parsed_integer
{
174 struct tls_parsed_array
{
175 gsize length
; /* bytes */
176 const guchar data
[0];
180 struct tls_compile_integer
{
184 struct tls_compile_array
{
185 gsize elements
; /* unused */
186 guchar placeholder
[];
189 struct tls_compile_random
{
190 gsize elements
; /* unused */
191 guchar random
[TLS_ARRAY_RANDOM_LENGTH
];
194 struct tls_compile_verify
{
195 gsize elements
; /* unused */
196 guchar verify
[TLS_ARRAY_VERIFY_LENGTH
];
199 struct tls_compile_vector
{
200 gsize elements
; /* VECTOR */
204 struct tls_compile_sessionid
{
205 gsize elements
; /* VECTOR */
208 struct tls_compile_cipher
{
209 gsize elements
; /* VECTOR */
213 struct tls_compile_compression
{
214 gsize elements
; /* VECTOR */
218 /* compiled message */
219 struct tls_compiled_message
{
225 * Random byte buffers
227 void sipe_tls_fill_random(struct sipe_tls_random
*random
,
230 guint bytes
= ((bits
+ 15) / 16) * 2;
231 guint16
*p
= g_malloc(bytes
);
233 SIPE_DEBUG_INFO("sipe_tls_fill_random: %d bits -> %d bytes",
236 random
->buffer
= (guint8
*) p
;
237 random
->length
= bytes
;
239 for (bytes
/= 2; bytes
; bytes
--)
240 *p
++ = rand() & 0xFFFF;
243 void sipe_tls_free_random(struct sipe_tls_random
*random
)
245 g_free(random
->buffer
);
249 * TLS message debugging
251 static void debug_hex(struct tls_internal_state
*state
,
252 gsize alternative_length
)
254 GString
*str
= state
->debug
;
261 bytes
= state
->msg_current
;
262 length
= alternative_length
? alternative_length
: state
->msg_remainder
;
265 while (length
-- > 0) {
268 } else if ((count
% 16) == 0) {
269 g_string_append(str
, "\n");
270 } else if ((count
% 8) == 0) {
271 g_string_append(str
, " ");
273 g_string_append_printf(str
, " %02X", *bytes
++);
275 g_string_append(str
, "\n");
278 #define debug_print(state, string) \
279 if (state->debug) g_string_append(state->debug, string)
280 #define debug_printf(state, format, ...) \
281 if (state->debug) g_string_append_printf(state->debug, format, __VA_ARGS__)
283 /* Analyzer only needs the debugging functions */
284 #ifndef _SIPE_COMPILING_ANALYZER
286 static void debug_secrets(struct tls_internal_state
*state
,
288 const guchar
*secret
,
291 if (state
->debug
&& secret
) {
292 g_string_append_printf(state
->debug
, "%s (%3" G_GSIZE_FORMAT
") = ",
293 label
, secret_length
);
294 while (secret_length
--)
295 g_string_append_printf(state
->debug
, "%02X", *secret
++);
296 SIPE_DEBUG_INFO_NOFORMAT(state
->debug
->str
);
297 g_string_truncate(state
->debug
, 0);
302 * TLS Pseudorandom Function (PRF) - RFC2246, Section 5
304 static guchar
*sipe_tls_p_md5(const guchar
*secret
,
310 guchar
*output
= NULL
;
313 * output_length == 0 -> illegal
314 * output_length == 1..16 -> iterations = 1
315 * output_length == 17..32 -> iterations = 2
317 if (secret
&& seed
&& (output_length
> 0)) {
318 guint iterations
= (output_length
+ SIPE_DIGEST_HMAC_MD5_LENGTH
- 1) / SIPE_DIGEST_HMAC_MD5_LENGTH
;
319 guchar
*concat
= g_malloc(SIPE_DIGEST_HMAC_MD5_LENGTH
+ seed_length
);
320 guchar A
[SIPE_DIGEST_HMAC_MD5_LENGTH
];
323 SIPE_DEBUG_INFO("p_md5: secret %" G_GSIZE_FORMAT
" bytes, seed %" G_GSIZE_FORMAT
" bytes",
324 secret_length
, seed_length
);
325 SIPE_DEBUG_INFO("p_md5: output %" G_GSIZE_FORMAT
" bytes -> %d iterations",
326 output_length
, iterations
);
328 /* A(1) = HMAC_MD5(secret, A(0)), A(0) = seed */
329 sipe_digest_hmac_md5(secret
, secret_length
,
333 /* Each iteration adds SIPE_DIGEST_HMAC_MD5_LENGTH bytes */
334 p
= output
= g_malloc(iterations
* SIPE_DIGEST_HMAC_MD5_LENGTH
);
336 while (iterations
-- > 0) {
337 /* P_MD5(i) = HMAC_MD5(secret, A(i) + seed), i = 1, 2, ... */
338 guchar P
[SIPE_DIGEST_HMAC_MD5_LENGTH
];
339 memcpy(concat
, A
, SIPE_DIGEST_HMAC_MD5_LENGTH
);
340 memcpy(concat
+ SIPE_DIGEST_HMAC_MD5_LENGTH
, seed
, seed_length
);
341 sipe_digest_hmac_md5(secret
, secret_length
,
342 concat
, SIPE_DIGEST_HMAC_MD5_LENGTH
+ seed_length
,
344 memcpy(p
, P
, SIPE_DIGEST_HMAC_MD5_LENGTH
);
345 p
+= SIPE_DIGEST_HMAC_MD5_LENGTH
;
347 /* A(i+1) = HMAC_MD5(secret, A(i)) */
348 sipe_digest_hmac_md5(secret
, secret_length
,
349 A
, SIPE_DIGEST_HMAC_MD5_LENGTH
,
358 guchar
*sipe_tls_p_sha1(const guchar
*secret
,
364 guchar
*output
= NULL
;
367 * output_length == 0 -> illegal
368 * output_length == 1..20 -> iterations = 1
369 * output_length == 21..40 -> iterations = 2
371 if (secret
&& seed
&& (output_length
> 0)) {
372 guint iterations
= (output_length
+ SIPE_DIGEST_HMAC_SHA1_LENGTH
- 1) / SIPE_DIGEST_HMAC_SHA1_LENGTH
;
373 guchar
*concat
= g_malloc(SIPE_DIGEST_HMAC_SHA1_LENGTH
+ seed_length
);
374 guchar A
[SIPE_DIGEST_HMAC_SHA1_LENGTH
];
377 SIPE_DEBUG_INFO("p_sha1: secret %" G_GSIZE_FORMAT
" bytes, seed %" G_GSIZE_FORMAT
" bytes",
378 secret_length
, seed_length
);
379 SIPE_DEBUG_INFO("p_sha1: output %" G_GSIZE_FORMAT
" bytes -> %d iterations",
380 output_length
, iterations
);
382 /* A(1) = HMAC_SHA1(secret, A(0)), A(0) = seed */
383 sipe_digest_hmac_sha1(secret
, secret_length
,
387 /* Each iteration adds SIPE_DIGEST_HMAC_SHA1_LENGTH bytes */
388 p
= output
= g_malloc(iterations
* SIPE_DIGEST_HMAC_SHA1_LENGTH
);
390 while (iterations
-- > 0) {
391 /* P_SHA1(i) = HMAC_SHA1(secret, A(i) + seed), i = 1, 2, ... */
392 guchar P
[SIPE_DIGEST_HMAC_SHA1_LENGTH
];
393 memcpy(concat
, A
, SIPE_DIGEST_HMAC_SHA1_LENGTH
);
394 memcpy(concat
+ SIPE_DIGEST_HMAC_SHA1_LENGTH
, seed
, seed_length
);
395 sipe_digest_hmac_sha1(secret
, secret_length
,
396 concat
, SIPE_DIGEST_HMAC_SHA1_LENGTH
+ seed_length
,
398 memcpy(p
, P
, SIPE_DIGEST_HMAC_SHA1_LENGTH
);
399 p
+= SIPE_DIGEST_HMAC_SHA1_LENGTH
;
401 /* A(i+1) = HMAC_SHA1(secret, A(i)) */
402 sipe_digest_hmac_sha1(secret
, secret_length
,
403 A
, SIPE_DIGEST_HMAC_SHA1_LENGTH
,
412 static guchar
*sipe_tls_prf(SIPE_UNUSED_PARAMETER
struct tls_internal_state
*state
,
413 const guchar
*secret
,
421 gsize half
= (secret_length
+ 1) / 2;
422 gsize newseed_length
= label_length
+ seed_length
;
423 /* secret: used as S1; secret2: last half of original secret (S2) */
424 guchar
*secret2
= g_memdup(secret
+ secret_length
- half
, half
);
425 guchar
*newseed
= g_malloc(newseed_length
);
430 /* make Coverity happy - lengths could be 0 */
431 if (!secret2
|| !newseed
) {
438 * PRF(secret, label, seed) = P_MD5(S1, label + seed) XOR
439 * P_SHA-1(S2, label + seed);
441 memcpy(newseed
, label
, label_length
);
442 memcpy(newseed
+ label_length
, seed
, seed_length
);
443 #undef __SIPE_TLS_CRYPTO_DEBUG
444 #ifdef __SIPE_TLS_CRYPTO_DEBUG
445 debug_secrets(state
, "sipe_tls_prf: secret ",
446 secret
, secret_length
);
447 debug_secrets(state
, "sipe_tls_prf: combined seed ",
448 newseed
, newseed_length
);
449 SIPE_DEBUG_INFO("total seed length %" G_GSIZE_FORMAT
,
451 debug_secrets(state
, "sipe_tls_prf: S1 ",
453 debug_secrets(state
, "sipe_tls_prf: S2 ",
456 md5
= sipe_tls_p_md5(secret
, half
, newseed
, newseed_length
, output_length
);
457 sha1
= sipe_tls_p_sha1(secret2
, half
, newseed
, newseed_length
, output_length
);
458 #ifdef __SIPE_TLS_CRYPTO_DEBUG
459 debug_secrets(state
, "sipe_tls_prf: P_md5() ",
461 debug_secrets(state
, "sipe_tls_prf: P_sha1() ",
462 sha1
, output_length
);
464 for (dest
= md5
, src
= sha1
, count
= output_length
;
473 #ifdef __SIPE_TLS_CRYPTO_DEBUG
474 debug_secrets(state
, "sipe_tls_prf: PRF() ",
481 #endif /* !_SIPE_COMPILING_ANALYZER */
486 * Low-level data conversion routines
488 * - host alignment agnostic, i.e. can fetch a word from uneven address
489 * - TLS -> host endianess conversion
490 * - no length check, caller has to do it
491 * - don't modify state
493 static guint
lowlevel_integer_to_host(const guchar
*bytes
,
497 while (length
--) sum
= (sum
<< 8) + *bytes
++;
502 * Generic data type parser routines
504 static gboolean
msg_remainder_check(struct tls_internal_state
*state
,
508 if (length
> state
->msg_remainder
) {
509 SIPE_DEBUG_ERROR("msg_remainder_check: '%s' expected %" G_GSIZE_FORMAT
" bytes, remaining %" G_GSIZE_FORMAT
,
510 label
, length
, state
->msg_remainder
);
516 static gboolean
parse_integer_quiet(struct tls_internal_state
*state
,
521 if (!msg_remainder_check(state
, label
, length
)) return(FALSE
);
522 *result
= lowlevel_integer_to_host(state
->msg_current
, length
);
523 state
->msg_current
+= length
;
524 state
->msg_remainder
-= length
;
528 static gboolean
parse_integer(struct tls_internal_state
*state
,
529 const struct layout_descriptor
*desc
)
532 if (!parse_integer_quiet(state
, desc
->label
, desc
->max
, &value
))
534 debug_printf(state
, "%s/INTEGER%" G_GSIZE_FORMAT
" = %d\n",
535 desc
->label
, desc
->max
, value
);
537 struct tls_parsed_integer
*save
= g_new0(struct tls_parsed_integer
, 1);
539 g_hash_table_insert(state
->data
, (gpointer
) desc
->label
, save
);
544 static gboolean
parse_array(struct tls_internal_state
*state
,
545 const struct layout_descriptor
*desc
)
547 if (!msg_remainder_check(state
, desc
->label
, desc
->max
))
549 debug_printf(state
, "%s/ARRAY[%" G_GSIZE_FORMAT
"]\n",
550 desc
->label
, desc
->max
);
551 #ifdef _SIPE_COMPILING_ANALYZER
553 debug_hex(state
, desc
->max
);
556 struct tls_parsed_array
*save
= g_malloc0(sizeof(struct tls_parsed_array
) +
558 save
->length
= desc
->max
;
559 memcpy((guchar
*)save
->data
, state
->msg_current
, desc
->max
);
560 g_hash_table_insert(state
->data
, (gpointer
) desc
->label
, save
);
563 state
->msg_current
+= desc
->max
;
564 state
->msg_remainder
-= desc
->max
;
568 static gboolean
parse_vector(struct tls_internal_state
*state
,
569 const struct layout_descriptor
*desc
)
572 if (!parse_integer_quiet(state
, desc
->label
,
573 (desc
->max
> TLS_VECTOR_MAX16
) ? 3 :
574 (desc
->max
> TLS_VECTOR_MAX8
) ? 2 : 1,
577 if (length
< desc
->min
) {
578 SIPE_DEBUG_ERROR("parse_vector: '%s' too short %d, expected %" G_GSIZE_FORMAT
,
579 desc
->label
, length
, desc
->min
);
582 debug_printf(state
, "%s/VECTOR<%d>\n", desc
->label
, length
);
583 #ifdef _SIPE_COMPILING_ANALYZER
585 debug_hex(state
, length
);
588 struct tls_parsed_array
*save
= g_malloc0(sizeof(struct tls_parsed_array
) +
590 save
->length
= length
;
591 memcpy((guchar
*)save
->data
, state
->msg_current
, length
);
592 g_hash_table_insert(state
->data
, (gpointer
) desc
->label
, save
);
594 state
->msg_current
+= length
;
595 state
->msg_remainder
-= length
;
600 * Specific data type parser routines
608 * Low-level data conversion routines
610 * - host alignment agnostic, i.e. can fetch a word from uneven address
611 * - host -> TLS host endianess conversion
612 * - don't modify state
614 static void lowlevel_integer_to_tls(guchar
*bytes
,
619 bytes
[length
] = value
& 0xFF;
625 * Generic data type compiler routines
627 static void compile_integer(struct tls_internal_state
*state
,
628 const struct layout_descriptor
*desc
,
629 const struct tls_compile_integer
*data
)
631 lowlevel_integer_to_tls(state
->msg_current
, desc
->max
, data
->value
);
632 state
->msg_current
+= desc
->max
;
635 static void compile_array(struct tls_internal_state
*state
,
636 const struct layout_descriptor
*desc
,
637 const struct tls_compile_integer
*data
)
639 const struct tls_compile_array
*array
= (struct tls_compile_array
*) data
;
640 memcpy(state
->msg_current
, array
->placeholder
, desc
->max
);
641 state
->msg_current
+= desc
->max
;
644 static void compile_vector(struct tls_internal_state
*state
,
645 const struct layout_descriptor
*desc
,
646 const struct tls_compile_integer
*data
)
648 const struct tls_compile_vector
*vector
= (struct tls_compile_vector
*) data
;
649 gsize length
= vector
->elements
;
650 gsize length_field
= (desc
->max
> TLS_VECTOR_MAX16
) ? 3 :
651 (desc
->max
> TLS_VECTOR_MAX8
) ? 2 : 1;
653 lowlevel_integer_to_tls(state
->msg_current
, length_field
, length
);
654 state
->msg_current
+= length_field
;
655 memcpy(state
->msg_current
, vector
->placeholder
, length
);
656 state
->msg_current
+= length
;
659 static void compile_vector_int2(struct tls_internal_state
*state
,
660 const struct layout_descriptor
*desc
,
661 const struct tls_compile_integer
*data
)
663 const struct tls_compile_vector
*vector
= (struct tls_compile_vector
*) data
;
664 gsize elements
= vector
->elements
;
665 gsize length
= elements
* sizeof(guint16
);
666 gsize length_field
= (desc
->max
> TLS_VECTOR_MAX16
) ? 3 :
667 (desc
->max
> TLS_VECTOR_MAX8
) ? 2 : 1;
668 const guint
*p
= vector
->placeholder
;
670 lowlevel_integer_to_tls(state
->msg_current
, length_field
, length
);
671 state
->msg_current
+= length_field
;
673 lowlevel_integer_to_tls(state
->msg_current
, sizeof(guint16
), *p
++);
674 state
->msg_current
+= sizeof(guint16
);
679 * Specific data type compiler routines
685 * TLS handshake message layout descriptors
687 struct ClientHello_host
{
688 struct tls_compile_integer protocol_version
;
689 struct tls_compile_random random
;
690 struct tls_compile_sessionid sessionid
;
691 struct tls_compile_cipher cipher
;
692 struct tls_compile_compression compression
;
694 #define CLIENTHELLO_OFFSET(a) offsetof(struct ClientHello_host, a)
696 static const struct layout_descriptor ClientHello_l
[] = {
697 { "Client Protocol Version", parse_integer
, compile_integer
, 0, 2, CLIENTHELLO_OFFSET(protocol_version
) },
698 { "Random", parse_array
, compile_array
, 0, TLS_ARRAY_RANDOM_LENGTH
, CLIENTHELLO_OFFSET(random
) },
699 { "SessionID", parse_vector
, compile_vector
, 0, 32, CLIENTHELLO_OFFSET(sessionid
) },
700 { "CipherSuite", parse_vector
, compile_vector_int2
, 2, TLS_VECTOR_MAX16
, CLIENTHELLO_OFFSET(cipher
)},
701 { "CompressionMethod", parse_vector
, compile_vector
, 1, TLS_VECTOR_MAX8
, CLIENTHELLO_OFFSET(compression
) },
702 TLS_LAYOUT_DESCRIPTOR_END
704 static const struct msg_descriptor ClientHello_m
= {
705 NULL
, "Client Hello", ClientHello_l
, TLS_HANDSHAKE_TYPE_CLIENT_HELLO
708 static const struct layout_descriptor ServerHello_l
[] = {
709 { "Server Protocol Version", parse_integer
, NULL
, 0, 2, 0 },
710 { "Random", parse_array
, NULL
, 0, TLS_ARRAY_RANDOM_LENGTH
, 0 },
711 { "SessionID", parse_vector
, NULL
, 0, 32, 0 },
712 { "CipherSuite", parse_integer
, NULL
, 0, 2, 0 },
713 { "CompressionMethod", parse_integer
, NULL
, 0, 1, 0 },
714 TLS_LAYOUT_DESCRIPTOR_END
716 static const struct msg_descriptor ServerHello_m
= {
717 &ClientHello_m
, "Server Hello", ServerHello_l
, TLS_HANDSHAKE_TYPE_SERVER_HELLO
720 struct Certificate_host
{
721 struct tls_compile_vector certificate
;
723 #define CERTIFICATE_OFFSET(a) offsetof(struct Certificate_host, a)
725 static const struct layout_descriptor Certificate_l
[] = {
726 { "Certificate", parse_vector
, compile_vector
, 0, TLS_VECTOR_MAX24
, CERTIFICATE_OFFSET(certificate
) },
727 TLS_LAYOUT_DESCRIPTOR_END
729 static const struct msg_descriptor Certificate_m
= {
730 &ServerHello_m
, "Certificate", Certificate_l
, TLS_HANDSHAKE_TYPE_CERTIFICATE
733 static const struct layout_descriptor CertificateRequest_l
[] = {
734 { "CertificateType", parse_vector
, NULL
, 1, TLS_VECTOR_MAX8
, 0 },
735 { "DistinguishedName", parse_vector
, NULL
, 0, TLS_VECTOR_MAX16
, 0 },
736 TLS_LAYOUT_DESCRIPTOR_END
738 static const struct msg_descriptor CertificateRequest_m
= {
739 &Certificate_m
, "Certificate Request", CertificateRequest_l
, TLS_HANDSHAKE_TYPE_CERTIFICATE_REQ
742 static const struct layout_descriptor ServerHelloDone_l
[] = {
743 TLS_LAYOUT_DESCRIPTOR_END
745 static const struct msg_descriptor ServerHelloDone_m
= {
746 &CertificateRequest_m
, "Server Hello Done", ServerHelloDone_l
, TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE
749 struct ClientKeyExchange_host
{
750 struct tls_compile_vector secret
;
752 #define CLIENTKEYEXCHANGE_OFFSET(a) offsetof(struct ClientKeyExchange_host, a)
754 static const struct layout_descriptor ClientKeyExchange_l
[] = {
755 { "Exchange Keys", parse_vector
, compile_vector
, 0, TLS_VECTOR_MAX16
, CLIENTKEYEXCHANGE_OFFSET(secret
) },
756 TLS_LAYOUT_DESCRIPTOR_END
758 static const struct msg_descriptor ClientKeyExchange_m
= {
759 &ServerHelloDone_m
, "Client Key Exchange", ClientKeyExchange_l
, TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE
762 struct CertificateVerify_host
{
763 struct tls_compile_vector signature
;
765 #define CERTIFICATEVERIFY_OFFSET(a) offsetof(struct CertificateVerify_host, a)
767 static const struct layout_descriptor CertificateVerify_l
[] = {
768 { "Signature", parse_vector
, compile_vector
, 0, TLS_VECTOR_MAX16
, CERTIFICATEVERIFY_OFFSET(signature
) },
769 TLS_LAYOUT_DESCRIPTOR_END
771 static const struct msg_descriptor CertificateVerify_m
= {
772 &ClientKeyExchange_m
, "Certificate Verify", CertificateVerify_l
, TLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY
775 struct Finished_host
{
776 struct tls_compile_verify verify
;
778 #define FINISHED_OFFSET(a) offsetof(struct Finished_host, a)
780 static const struct layout_descriptor Finished_l
[] = {
781 { "Verify Data", parse_array
, compile_array
, 0, TLS_ARRAY_VERIFY_LENGTH
, FINISHED_OFFSET(verify
) },
782 TLS_LAYOUT_DESCRIPTOR_END
784 static const struct msg_descriptor Finished_m
= {
785 &CertificateVerify_m
, "Finished", Finished_l
, TLS_HANDSHAKE_TYPE_FINISHED
788 #define HANDSHAKE_MSG_DESCRIPTORS &Finished_m
791 * TLS message parsers
793 static gboolean
handshake_parse(struct tls_internal_state
*state
)
795 const guchar
*bytes
= state
->msg_current
;
796 gsize length
= state
->msg_remainder
;
797 gboolean success
= FALSE
;
800 const struct msg_descriptor
*desc
;
805 if (length
< TLS_HANDSHAKE_HEADER_LENGTH
) {
806 debug_print(state
, "CORRUPTED HANDSHAKE HEADER");
810 /* msg length check */
811 msg_length
= lowlevel_integer_to_host(bytes
+ TLS_HANDSHAKE_OFFSET_LENGTH
,
813 if (msg_length
> length
) {
814 debug_print(state
, "HANDSHAKE MESSAGE TOO LONG");
819 msg_type
= bytes
[TLS_HANDSHAKE_OFFSET_TYPE
];
820 for (desc
= HANDSHAKE_MSG_DESCRIPTORS
;
823 if (msg_type
== desc
->type
)
826 debug_printf(state
, "TLS handshake (%" G_GSIZE_FORMAT
" bytes) (%d)",
827 msg_length
, msg_type
);
829 state
->msg_current
= (guchar
*) bytes
+ TLS_HANDSHAKE_HEADER_LENGTH
;
830 state
->msg_remainder
= msg_length
;
832 if (desc
&& desc
->layouts
) {
833 const struct layout_descriptor
*ldesc
= desc
->layouts
;
835 debug_printf(state
, "%s\n", desc
->description
);
836 while (TLS_LAYOUT_IS_VALID(ldesc
)) {
837 success
= ldesc
->parser(state
, ldesc
);
845 debug_print(state
, "ignored\n");
850 bytes
+= TLS_HANDSHAKE_HEADER_LENGTH
+ msg_length
;
851 length
-= TLS_HANDSHAKE_HEADER_LENGTH
+ msg_length
;
853 debug_print(state
, "------\n");
862 static void free_parse_data(struct tls_internal_state
*state
)
865 g_hash_table_destroy(state
->data
);
870 static gboolean
tls_record_parse(struct tls_internal_state
*state
,
873 const guchar
*bytes
= incoming
? state
->common
.in_buffer
: state
->common
.out_buffer
;
874 gsize length
= incoming
? state
->common
.in_length
: state
->common
.out_length
;
876 const gchar
*version_str
;
878 gboolean success
= TRUE
;
880 /* reject empty incoming messages */
881 if (incoming
&& (length
== 0)) {
882 SIPE_DEBUG_ERROR_NOFORMAT("tls_record_parse: empty TLS message received");
886 #ifndef _SIPE_COMPILING_ANALYZER
887 debug_printf(state
, "TLS MESSAGE %s\n", incoming
? "INCOMING" : "OUTGOING");
890 /* Collect parser data for incoming messages */
892 state
->data
= g_hash_table_new_full(g_str_hash
, g_str_equal
,
895 while (success
&& (length
> 0)) {
897 /* truncated header check */
898 if (length
< TLS_RECORD_HEADER_LENGTH
) {
899 SIPE_DEBUG_ERROR("tls_record_parse: too short TLS record header (%" G_GSIZE_FORMAT
" bytes)",
905 /* protocol version check */
906 version
= lowlevel_integer_to_host(bytes
+ TLS_RECORD_OFFSET_VERSION
, 2);
907 if (version
< TLS_PROTOCOL_VERSION_1_0
) {
908 SIPE_DEBUG_ERROR_NOFORMAT("tls_record_parse: SSL1/2/3 not supported");
913 case TLS_PROTOCOL_VERSION_1_0
:
914 version_str
= "1.0 (RFC2246)";
916 case TLS_PROTOCOL_VERSION_1_1
:
917 version_str
= "1.1 (RFC4346)";
919 case TLS_PROTOCOL_VERSION_1_2
:
920 version_str
= "1.2 (RFC5246)";
923 version_str
= "<future protocol version>";
927 /* record length check */
928 record_length
= TLS_RECORD_HEADER_LENGTH
+
929 lowlevel_integer_to_host(bytes
+ TLS_RECORD_OFFSET_LENGTH
, 2);
930 if (record_length
> length
) {
931 SIPE_DEBUG_ERROR_NOFORMAT("tls_record_parse: record too long");
936 /* TLS record header OK */
937 debug_printf(state
, "TLS %s record (%" G_GSIZE_FORMAT
" bytes)\n",
938 version_str
, record_length
);
939 state
->msg_current
= (guchar
*) bytes
+ TLS_RECORD_HEADER_LENGTH
;
940 state
->msg_remainder
= record_length
- TLS_RECORD_HEADER_LENGTH
;
942 /* Analyzer only needs the debugging functions */
943 #ifndef _SIPE_COMPILING_ANALYZER
944 /* Add incoming message contents to digest contexts */
946 sipe_digest_md5_update(state
->md5_context
,
948 state
->msg_remainder
);
949 sipe_digest_sha1_update(state
->sha1_context
,
951 state
->msg_remainder
);
953 #endif /* !_SIPE_COMPILING_ANALYZER */
955 switch (bytes
[TLS_RECORD_OFFSET_TYPE
]) {
956 case TLS_RECORD_TYPE_CHANGE_CIPHER_SPEC
:
957 debug_print(state
, "Change Cipher Spec\n");
958 if (incoming
) state
->encrypted
= TRUE
;
961 case TLS_RECORD_TYPE_HANDSHAKE
:
962 if (incoming
&& state
->encrypted
) {
963 debug_print(state
, "Encrypted handshake message\n");
966 success
= handshake_parse(state
);
971 debug_print(state
, "Unsupported TLS message\n");
977 bytes
+= record_length
;
978 length
-= record_length
;
982 free_parse_data(state
);
985 SIPE_DEBUG_INFO_NOFORMAT(state
->debug
->str
);
986 g_string_truncate(state
->debug
, 0);
992 /* Analyzer only needs the debugging functions */
993 #ifndef _SIPE_COMPILING_ANALYZER
996 * TLS message compiler
998 static void compile_tls_record(struct tls_internal_state
*state
,
1001 gsize total_size
= 0;
1005 /* calculate message size */
1006 va_start(ap
, state
);
1008 const struct tls_compiled_message
*msg
= va_arg(ap
, struct tls_compiled_message
*);
1010 total_size
+= msg
->size
;
1014 SIPE_DEBUG_INFO("compile_tls_record: total size %" G_GSIZE_FORMAT
,
1017 state
->common
.out_buffer
= current
= g_malloc(total_size
+ TLS_RECORD_HEADER_LENGTH
);
1018 state
->common
.out_length
= total_size
+ TLS_RECORD_HEADER_LENGTH
;
1020 /* add TLS record header */
1021 current
[TLS_RECORD_OFFSET_TYPE
] = TLS_RECORD_TYPE_HANDSHAKE
;
1022 lowlevel_integer_to_tls(current
+ TLS_RECORD_OFFSET_VERSION
, 2,
1023 TLS_PROTOCOL_VERSION_1_0
);
1024 lowlevel_integer_to_tls(current
+ TLS_RECORD_OFFSET_LENGTH
, 2,
1026 current
+= TLS_RECORD_HEADER_LENGTH
;
1029 va_start(ap
, state
);
1031 const struct tls_compiled_message
*msg
= va_arg(ap
, struct tls_compiled_message
*);
1034 memcpy(current
, msg
->data
, msg
->size
);
1035 current
+= msg
->size
;
1040 static void compile_encrypted_tls_record(struct tls_internal_state
*state
,
1041 const struct tls_compiled_message
*msg
)
1044 gsize plaintext_length
;
1049 gsize encrypted_length
;
1051 /* Create plaintext TLS record */
1052 compile_tls_record(state
, msg
, NULL
);
1053 plaintext
= state
->common
.out_buffer
;
1054 plaintext_length
= state
->common
.out_length
;
1055 if (plaintext_length
== 0) /* make Coverity happy */
1058 /* Prepare encryption buffer */
1059 encrypted_length
= plaintext_length
+ state
->mac_length
;
1060 SIPE_DEBUG_INFO("compile_encrypted_tls_record: total size %" G_GSIZE_FORMAT
,
1061 encrypted_length
- TLS_RECORD_HEADER_LENGTH
);
1062 message
= g_malloc(encrypted_length
);
1063 memcpy(message
, plaintext
, plaintext_length
);
1064 lowlevel_integer_to_tls(message
+ TLS_RECORD_OFFSET_LENGTH
, 2,
1065 encrypted_length
- TLS_RECORD_HEADER_LENGTH
);
1070 * HMAC_hash(client_write_mac_secret,
1071 * sequence_number + type + version + length + fragment)
1072 * \--- == original TLS record ---/
1074 mac_length
= sizeof(guint64
) + plaintext_length
;
1075 mac
= g_malloc(mac_length
);
1076 lowlevel_integer_to_tls(mac
,
1078 state
->sequence_number
++);
1079 memcpy(mac
+ sizeof(guint64
), plaintext
, plaintext_length
);
1081 state
->mac_func(state
->client_write_mac_secret
,
1085 message
+ plaintext_length
);
1088 /* Encrypt message + MAC */
1089 encrypted
= g_malloc(encrypted_length
);
1090 memcpy(encrypted
, message
, TLS_RECORD_HEADER_LENGTH
);
1091 sipe_crypt_tls_stream(state
->cipher_context
,
1092 message
+ TLS_RECORD_HEADER_LENGTH
,
1093 encrypted_length
- TLS_RECORD_HEADER_LENGTH
,
1094 encrypted
+ TLS_RECORD_HEADER_LENGTH
);
1098 state
->common
.out_buffer
= encrypted
;
1099 state
->common
.out_length
= encrypted_length
;
1102 static struct tls_compiled_message
*compile_handshake_msg(struct tls_internal_state
*state
,
1103 const struct msg_descriptor
*desc
,
1108 * Estimate the size of the compiled message
1110 * The data structures in the host format have zero or more padding
1111 * bytes added by the compiler to ensure correct element alignments.
1112 * So the sizeof() of the data structure is always equal or greater
1113 * than the space needed for the compiled data. By adding the space
1114 * required for the headers we arrive at a safe estimate
1116 * Therefore we don't need space checks in the compiler functions
1118 gsize total_size
= sizeof(struct tls_compiled_message
) +
1119 size
+ TLS_HANDSHAKE_HEADER_LENGTH
;
1120 struct tls_compiled_message
*msg
= g_malloc(total_size
);
1121 guchar
*handshake
= msg
->data
;
1122 const struct layout_descriptor
*ldesc
= desc
->layouts
;
1125 SIPE_DEBUG_INFO("compile_handshake_msg: buffer size %" G_GSIZE_FORMAT
,
1128 /* add TLS handshake header */
1129 handshake
[TLS_HANDSHAKE_OFFSET_TYPE
] = desc
->type
;
1130 state
->msg_current
= handshake
+ TLS_HANDSHAKE_HEADER_LENGTH
;
1132 while (TLS_LAYOUT_IS_VALID(ldesc
)) {
1134 * Avoid "cast increases required alignment" errors
1136 * (void *) tells the compiler that we know what we're
1137 * doing, i.e. we know that the calculated address
1138 * points to correctly aligned data.
1140 ldesc
->compiler(state
, ldesc
,
1141 (void *) ((guchar
*) data
+ ldesc
->offset
));
1145 length
= state
->msg_current
- handshake
- TLS_HANDSHAKE_HEADER_LENGTH
;
1146 lowlevel_integer_to_tls(handshake
+ TLS_HANDSHAKE_OFFSET_LENGTH
,
1148 SIPE_DEBUG_INFO("compile_handshake_msg: (%d)%s, size %" G_GSIZE_FORMAT
,
1149 desc
->type
, desc
->description
, length
);
1151 msg
->size
= length
+ TLS_HANDSHAKE_HEADER_LENGTH
;
1153 /* update digest contexts */
1154 sipe_digest_md5_update(state
->md5_context
, handshake
, msg
->size
);
1155 sipe_digest_sha1_update(state
->sha1_context
, handshake
, msg
->size
);
1161 * Specific TLS data verficiation & message compilers
1163 static struct tls_compiled_message
*tls_client_certificate(struct tls_internal_state
*state
)
1165 struct Certificate_host
*certificate
;
1166 gsize certificate_length
= sipe_cert_crypto_raw_length(state
->certificate
);
1167 struct tls_compiled_message
*msg
;
1169 /* setup our response */
1170 /* Client Certificate is VECTOR_MAX24 of VECTOR_MAX24s */
1171 certificate
= g_malloc0(sizeof(struct Certificate_host
) + 3 +
1172 certificate_length
);
1173 certificate
->certificate
.elements
= certificate_length
+ 3;
1174 lowlevel_integer_to_tls((guchar
*) certificate
->certificate
.placeholder
, 3,
1175 certificate_length
);
1176 memcpy((guchar
*) certificate
->certificate
.placeholder
+ 3,
1177 sipe_cert_crypto_raw(state
->certificate
),
1178 certificate_length
);
1180 msg
= compile_handshake_msg(state
, &Certificate_m
, certificate
,
1181 sizeof(struct Certificate_host
) + certificate_length
+ 3);
1182 g_free(certificate
);
1187 static gboolean
check_cipher_suite(struct tls_internal_state
*state
)
1189 struct tls_parsed_integer
*cipher_suite
= g_hash_table_lookup(state
->data
,
1191 const gchar
*label_mac
= NULL
;
1192 const gchar
*label_cipher
= NULL
;
1194 if (!cipher_suite
) {
1195 SIPE_DEBUG_ERROR_NOFORMAT("check_cipher_suite: server didn't specify the cipher suite");
1199 switch (cipher_suite
->value
) {
1200 case TLS_RSA_EXPORT_WITH_RC4_40_MD5
:
1201 state
->mac_length
= SIPE_DIGEST_HMAC_MD5_LENGTH
;
1202 state
->key_length
= 40 / 8;
1203 state
->mac_func
= sipe_digest_hmac_md5
;
1205 label_cipher
= "RC4";
1206 state
->common
.algorithm
= SIPE_TLS_DIGEST_ALGORITHM_MD5
;
1207 state
->cipher_type
= SIPE_CRYPT_STREAM_RC4
;
1210 case TLS_RSA_WITH_RC4_128_MD5
:
1211 state
->mac_length
= SIPE_DIGEST_HMAC_MD5_LENGTH
;
1212 state
->key_length
= 128 / 8;
1213 state
->mac_func
= sipe_digest_hmac_md5
;
1215 label_cipher
= "RC4";
1216 state
->common
.algorithm
= SIPE_TLS_DIGEST_ALGORITHM_MD5
;
1217 state
->cipher_type
= SIPE_CRYPT_STREAM_RC4
;
1220 case TLS_RSA_WITH_RC4_128_SHA
:
1221 state
->mac_length
= SIPE_DIGEST_HMAC_SHA1_LENGTH
;
1222 state
->key_length
= 128 / 8;
1223 state
->mac_func
= sipe_digest_hmac_sha1
;
1224 label_mac
= "SHA-1";
1225 label_cipher
= "RC4";
1226 state
->common
.algorithm
= SIPE_TLS_DIGEST_ALGORITHM_SHA1
;
1227 state
->cipher_type
= SIPE_CRYPT_STREAM_RC4
;
1230 case TLS_RSA_WITH_AES_128_CBC_SHA
:
1231 state
->mac_length
= SIPE_DIGEST_HMAC_SHA1_LENGTH
;
1232 state
->key_length
= 128 / 8;
1233 state
->mac_func
= sipe_digest_hmac_sha1
;
1234 label_mac
= "SHA-1";
1235 label_cipher
= "AES-CBC";
1236 state
->common
.algorithm
= SIPE_TLS_DIGEST_ALGORITHM_SHA1
;
1237 state
->cipher_type
= SIPE_CRYPT_STREAM_AES_CBC
;
1240 case TLS_RSA_WITH_AES_256_CBC_SHA
:
1241 state
->mac_length
= SIPE_DIGEST_HMAC_SHA1_LENGTH
;
1242 state
->key_length
= 256 / 8;
1243 state
->mac_func
= sipe_digest_hmac_sha1
;
1244 label_mac
= "SHA-1";
1245 label_cipher
= "AES-CBC";
1246 state
->common
.algorithm
= SIPE_TLS_DIGEST_ALGORITHM_SHA1
;
1247 state
->cipher_type
= SIPE_CRYPT_STREAM_AES_CBC
;
1251 SIPE_DEBUG_ERROR("check_cipher_suite: unsupported cipher suite %d",
1252 cipher_suite
->value
);
1256 if (label_cipher
&& label_mac
)
1257 SIPE_DEBUG_INFO("check_cipher_suite: KEY(stream cipher %s) %" G_GSIZE_FORMAT
", MAC(%s) %" G_GSIZE_FORMAT
,
1258 label_cipher
, state
->key_length
,
1259 label_mac
, state
->mac_length
);
1261 return(label_cipher
&& label_mac
);
1264 static void tls_calculate_secrets(struct tls_internal_state
*state
)
1266 gsize length
= 2 * (state
->mac_length
+ state
->key_length
);
1269 /* Generate pre-master secret */
1270 sipe_tls_fill_random(&state
->pre_master_secret
,
1271 TLS_ARRAY_MASTER_SECRET_LENGTH
* 8); /* bits */
1272 lowlevel_integer_to_tls(state
->pre_master_secret
.buffer
, 2,
1273 TLS_PROTOCOL_VERSION_1_0
);
1274 debug_secrets(state
, "tls_calculate_secrets: pre-master secret",
1275 state
->pre_master_secret
.buffer
,
1276 state
->pre_master_secret
.length
);
1279 * Calculate master secret
1281 * master_secret = PRF(pre_master_secret,
1283 * ClientHello.random + ServerHello.random)
1285 random
= g_malloc(TLS_ARRAY_RANDOM_LENGTH
* 2);
1287 state
->client_random
.buffer
,
1288 TLS_ARRAY_RANDOM_LENGTH
);
1289 memcpy(random
+ TLS_ARRAY_RANDOM_LENGTH
,
1290 state
->server_random
.buffer
,
1291 TLS_ARRAY_RANDOM_LENGTH
);
1292 state
->master_secret
= sipe_tls_prf(state
,
1293 state
->pre_master_secret
.buffer
,
1294 state
->pre_master_secret
.length
,
1295 (guchar
*) "master secret",
1298 TLS_ARRAY_RANDOM_LENGTH
* 2,
1299 TLS_ARRAY_MASTER_SECRET_LENGTH
);
1300 debug_secrets(state
, "tls_calculate_secrets: master secret ",
1301 state
->master_secret
,
1302 TLS_ARRAY_MASTER_SECRET_LENGTH
);
1305 * Calculate session key material
1307 * key_block = PRF(master_secret,
1309 * ServerHello.random + ClientHello.random)
1311 SIPE_DEBUG_INFO("tls_calculate_secrets: key_block length %" G_GSIZE_FORMAT
,
1314 state
->server_random
.buffer
,
1315 TLS_ARRAY_RANDOM_LENGTH
);
1316 memcpy(random
+ TLS_ARRAY_RANDOM_LENGTH
,
1317 state
->client_random
.buffer
,
1318 TLS_ARRAY_RANDOM_LENGTH
);
1319 state
->key_block
= sipe_tls_prf(state
,
1320 state
->master_secret
,
1321 TLS_ARRAY_MASTER_SECRET_LENGTH
,
1322 (guchar
*) "key expansion",
1325 TLS_ARRAY_RANDOM_LENGTH
* 2,
1328 debug_secrets(state
, "tls_calculate_secrets: key block ",
1329 state
->key_block
, length
);
1331 /* partition key block */
1332 state
->client_write_mac_secret
= state
->key_block
;
1333 state
->server_write_mac_secret
= state
->key_block
+ state
->mac_length
;
1334 state
->client_write_secret
= state
->key_block
+ 2 * state
->mac_length
;
1335 state
->server_write_secret
= state
->key_block
+ 2 * state
->mac_length
+ state
->key_length
;
1337 /* initialize cipher context */
1338 state
->cipher_context
= sipe_crypt_tls_start(state
->cipher_type
,
1339 state
->client_write_secret
,
1343 #if 0 /* NOT NEEDED? */
1345 static guchar
*tls_pkcs1_private_padding(SIPE_UNUSED_PARAMETER
struct tls_internal_state
*state
,
1348 gsize buffer_length
)
1353 if (data_length
+ 3 > buffer_length
) ||
1354 (buffer_length
== 0)) /* this is dead code, but makes Coverity happy */)
1357 pad_length
= buffer_length
- data_length
- 3;
1358 pad_buffer
= g_malloc(buffer_length
);
1360 /* PKCS1 private key block padding */
1361 pad_buffer
[0] = 0; /* +1 */
1362 pad_buffer
[1] = 1; /* +2 */
1363 memset(pad_buffer
+ 2, 0xFF, pad_length
);
1364 pad_buffer
[2 + pad_length
] = 0; /* +3 */
1365 memcpy(pad_buffer
+ 3 + pad_length
, data
, data_length
);
1367 #ifdef __SIPE_TLS_CRYPTO_DEBUG
1368 debug_secrets(state
, "tls_pkcs1_private_padding: ",
1369 pad_buffer
, buffer_length
);
1377 static guchar
*tls_pkcs1_public_padding(SIPE_UNUSED_PARAMETER
struct tls_internal_state
*state
,
1380 gsize buffer_length
)
1382 gsize pad_length
, random_count
;
1383 guchar
*pad_buffer
, *random
;
1385 if ((data_length
+ 3 > buffer_length
) ||
1386 (buffer_length
== 0)) /* this is dead code, but makes Coverity happy */
1389 pad_length
= buffer_length
- data_length
- 3;
1390 pad_buffer
= g_malloc(buffer_length
);
1392 /* PKCS1 public key block padding */
1393 pad_buffer
[0] = 0; /* +1 */
1394 pad_buffer
[1] = 2; /* +2 */
1395 for (random
= pad_buffer
+ 2, random_count
= pad_length
;
1399 /* non-zero random byte */
1400 while ((byte
= rand() & 0xFF) == 0);
1403 pad_buffer
[2 + pad_length
] = 0; /* +3 */
1404 memcpy(pad_buffer
+ 3 + pad_length
, data
, data_length
);
1406 #ifdef __SIPE_TLS_CRYPTO_DEBUG
1407 debug_secrets(state
, "tls_pkcs1_private_padding: ",
1408 pad_buffer
, buffer_length
);
1414 static struct tls_compiled_message
*tls_client_key_exchange(struct tls_internal_state
*state
)
1416 struct tls_parsed_array
*server_random
;
1417 struct tls_parsed_array
*server_certificate
;
1418 struct ClientKeyExchange_host
*exchange
;
1419 gsize server_certificate_length
;
1421 struct tls_compiled_message
*msg
;
1423 /* check for required data fields */
1424 if (!check_cipher_suite(state
))
1426 server_random
= g_hash_table_lookup(state
->data
, "Random");
1427 if (!server_random
) {
1428 SIPE_DEBUG_ERROR_NOFORMAT("tls_client_key_exchange: no server random");
1431 server_certificate
= g_hash_table_lookup(state
->data
, "Certificate");
1432 /* Server Certificate is VECTOR_MAX24 of VECTOR_MAX24s */
1433 if (!server_certificate
|| (server_certificate
->length
< 3)) {
1434 SIPE_DEBUG_ERROR_NOFORMAT("tls_client_key_exchange: no server certificate");
1437 SIPE_DEBUG_INFO("tls_client_key_exchange: server certificate list %" G_GSIZE_FORMAT
" bytes",
1438 server_certificate
->length
);
1439 /* first certificate is the server certificate */
1440 server_certificate_length
= lowlevel_integer_to_host(server_certificate
->data
,
1442 SIPE_DEBUG_INFO("tls_client_key_exchange: server certificate %" G_GSIZE_FORMAT
" bytes",
1443 server_certificate_length
);
1444 if ((server_certificate_length
+ 3) > server_certificate
->length
) {
1445 SIPE_DEBUG_ERROR_NOFORMAT("tls_client_key_exchange: truncated server certificate");
1447 state
->server_certificate
= sipe_cert_crypto_import(server_certificate
->data
+ 3,
1448 server_certificate_length
);
1449 if (!state
->server_certificate
) {
1450 SIPE_DEBUG_ERROR_NOFORMAT("tls_client_key_exchange: corrupted server certificate");
1453 /* server public key modulus length */
1454 server_certificate_length
= sipe_cert_crypto_modulus_length(state
->server_certificate
);
1455 if (server_certificate_length
< TLS_ARRAY_MASTER_SECRET_LENGTH
) {
1456 SIPE_DEBUG_ERROR("tls_client_key_exchange: server public key strength too low (%" G_GSIZE_FORMAT
")",
1457 server_certificate_length
);
1460 SIPE_DEBUG_INFO("tls_client_key_exchange: server public key strength = %" G_GSIZE_FORMAT
,
1461 server_certificate_length
);
1463 /* found all the required fields */
1464 state
->server_random
.length
= server_random
->length
;
1465 state
->server_random
.buffer
= g_memdup(server_random
->data
,
1466 server_random
->length
);
1467 tls_calculate_secrets(state
);
1469 /* ClientKeyExchange */
1470 padded
= tls_pkcs1_public_padding(state
,
1471 state
->pre_master_secret
.buffer
,
1472 state
->pre_master_secret
.length
,
1473 server_certificate_length
);
1475 SIPE_DEBUG_ERROR_NOFORMAT("tls_client_key_exchange: padding of pre-master secret failed");
1478 exchange
= g_malloc0(sizeof(struct ClientKeyExchange_host
) +
1479 server_certificate_length
);
1480 exchange
->secret
.elements
= server_certificate_length
;
1481 if (!sipe_crypt_rsa_encrypt(sipe_cert_crypto_public_key(state
->server_certificate
),
1482 server_certificate_length
,
1484 (guchar
*) exchange
->secret
.placeholder
)) {
1485 SIPE_DEBUG_ERROR_NOFORMAT("tls_client_key_exchange: encryption of pre-master secret failed");
1492 #ifdef __SIPE_TLS_CRYPTO_DEBUG
1493 debug_secrets(state
, "tls_client_key_exchange: secret (encr) ",
1494 (guchar
*) exchange
->secret
.placeholder
,
1495 server_certificate_length
);
1498 msg
= compile_handshake_msg(state
, &ClientKeyExchange_m
, exchange
,
1499 sizeof(struct ClientKeyExchange_host
) + server_certificate_length
);
1505 static struct tls_compiled_message
*tls_certificate_verify(struct tls_internal_state
*state
)
1507 struct CertificateVerify_host
*verify
;
1508 struct tls_compiled_message
*msg
;
1509 guchar
*digests
= g_malloc(SIPE_DIGEST_MD5_LENGTH
+ SIPE_DIGEST_SHA1_LENGTH
);
1513 /* calculate digests */
1514 sipe_digest_md5_end(state
->md5_context
, digests
);
1515 sipe_digest_sha1_end(state
->sha1_context
, digests
+ SIPE_DIGEST_MD5_LENGTH
);
1518 signature
= sipe_crypt_rsa_sign(sipe_cert_crypto_private_key(state
->certificate
),
1520 SIPE_DIGEST_MD5_LENGTH
+ SIPE_DIGEST_SHA1_LENGTH
,
1524 SIPE_DEBUG_ERROR_NOFORMAT("tls_certificate_verify: signing of handshake digests failed");
1528 /* CertificateVerify */
1529 verify
= g_malloc0(sizeof(struct CertificateVerify_host
) +
1531 verify
->signature
.elements
= length
;
1532 memcpy(verify
->signature
.placeholder
, signature
, length
);
1535 msg
= compile_handshake_msg(state
, &CertificateVerify_m
, verify
,
1536 sizeof(struct CertificateVerify_host
) + length
);
1542 static struct tls_compiled_message
*tls_client_finished(struct tls_internal_state
*state
)
1544 guchar
*digests
= g_malloc(SIPE_DIGEST_MD5_LENGTH
+ SIPE_DIGEST_SHA1_LENGTH
);
1546 struct tls_compiled_message
*cmsg
;
1547 struct Finished_host msg
;
1549 /* calculate digests */
1550 sipe_digest_md5_end(state
->md5_context
, digests
);
1551 sipe_digest_sha1_end(state
->sha1_context
, digests
+ SIPE_DIGEST_MD5_LENGTH
);
1554 * verify_data = PRF(master_secret, "client finished",
1555 * MD5(handshake_messages) +
1556 * SHA-1(handshake_messages)) [0..11];
1558 verify
= sipe_tls_prf(state
,
1559 state
->master_secret
,
1560 TLS_ARRAY_MASTER_SECRET_LENGTH
,
1561 (guchar
*) "client finished",
1564 SIPE_DIGEST_MD5_LENGTH
+ SIPE_DIGEST_SHA1_LENGTH
,
1565 TLS_ARRAY_VERIFY_LENGTH
);
1567 memcpy(msg
.verify
.verify
, verify
, TLS_ARRAY_VERIFY_LENGTH
);
1570 cmsg
= compile_handshake_msg(state
, &Finished_m
, &msg
, sizeof(msg
));
1576 * TLS state handling
1579 static gboolean
tls_client_hello(struct tls_internal_state
*state
)
1581 guint32 now
= time(NULL
);
1582 guint32 now_N
= GUINT32_TO_BE(now
);
1583 struct ClientHello_host msg
= {
1584 { TLS_PROTOCOL_VERSION_1_0
},
1586 { 0 /* empty SessionID */ },
1589 TLS_RSA_WITH_RC4_128_MD5
,
1590 TLS_RSA_WITH_RC4_128_SHA
,
1591 TLS_RSA_WITH_AES_128_CBC_SHA
,
1592 TLS_RSA_WITH_AES_256_CBC_SHA
,
1593 TLS_RSA_EXPORT_WITH_RC4_40_MD5
1598 TLS_COMP_METHOD_NULL
1602 struct tls_compiled_message
*cmsg
;
1604 /* First 4 bytes of client_random is the current timestamp */
1605 sipe_tls_fill_random(&state
->client_random
,
1606 TLS_ARRAY_RANDOM_LENGTH
* 8); /* -> bits */
1607 memcpy(state
->client_random
.buffer
, &now_N
, sizeof(now_N
));
1608 memcpy(msg
.random
.random
, state
->client_random
.buffer
,
1609 TLS_ARRAY_RANDOM_LENGTH
);
1611 cmsg
= compile_handshake_msg(state
, &ClientHello_m
, &msg
, sizeof(msg
));
1612 compile_tls_record(state
, cmsg
, NULL
);
1615 if (sipe_backend_debug_enabled())
1616 state
->debug
= g_string_new("");
1618 state
->state
= TLS_HANDSHAKE_STATE_SERVER_HELLO
;
1619 return(tls_record_parse(state
, FALSE
));
1622 static gboolean
tls_server_hello(struct tls_internal_state
*state
)
1624 struct tls_compiled_message
*certificate
= NULL
;
1625 struct tls_compiled_message
*exchange
= NULL
;
1626 struct tls_compiled_message
*verify
= NULL
;
1627 struct tls_compiled_message
*finished
= NULL
;
1628 gboolean success
= FALSE
;
1630 if (!tls_record_parse(state
, TRUE
))
1633 if (((certificate
= tls_client_certificate(state
)) != NULL
) &&
1634 ((exchange
= tls_client_key_exchange(state
)) != NULL
) &&
1635 ((verify
= tls_certificate_verify(state
)) != NULL
) &&
1636 ((finished
= tls_client_finished(state
)) != NULL
)) {
1639 compile_tls_record(state
, certificate
, exchange
, verify
, NULL
);
1641 success
= tls_record_parse(state
, FALSE
);
1643 guchar
*part1
= state
->common
.out_buffer
;
1644 gsize part1_length
= state
->common
.out_length
;
1649 /* ChangeCipherSpec is always the same */
1650 static const guchar part2
[] = {
1651 TLS_RECORD_TYPE_CHANGE_CIPHER_SPEC
,
1652 (TLS_PROTOCOL_VERSION_1_0
>> 8) & 0xFF,
1653 TLS_PROTOCOL_VERSION_1_0
& 0xFF,
1654 0x00, 0x01, /* length: 1 byte */
1655 0x01 /* change_cipher_spec(1) */
1658 state
->common
.out_buffer
= NULL
;
1660 /* Part 3 - this is the first encrypted record */
1661 compile_encrypted_tls_record(state
, finished
);
1662 part3
= state
->common
.out_buffer
;
1663 part3_length
= state
->common
.out_length
;
1665 /* merge TLS records */
1666 length
= part1_length
+ sizeof(part2
) + part3_length
;
1667 merged
= g_malloc(length
);
1669 memcpy(merged
, part1
, part1_length
);
1670 memcpy(merged
+ part1_length
, part2
, sizeof(part2
));
1671 memcpy(merged
+ part1_length
+ sizeof(part2
), part3
, part3_length
);
1675 /* replace output buffer with merged message */
1676 state
->common
.out_buffer
= merged
;
1677 state
->common
.out_length
= length
;
1679 state
->state
= TLS_HANDSHAKE_STATE_FINISHED
;
1686 g_free(certificate
);
1687 free_parse_data(state
);
1692 static gboolean
tls_finished(struct tls_internal_state
*state
)
1696 if (!tls_record_parse(state
, TRUE
))
1699 /* we don't need the data */
1700 free_parse_data(state
);
1703 * Calculate session keys [MS-SIPAE section 3.2.5.1]
1705 * key_material = PRF (master_secret,
1706 * "client EAP encryption",
1707 * ClientHello.random + ServerHello.random)[128]
1710 * client key = key_material[3rd 32 Bytes]
1711 * server key = key_material[4th 32 Bytes]
1713 random
= g_malloc(TLS_ARRAY_RANDOM_LENGTH
* 2);
1715 state
->client_random
.buffer
,
1716 TLS_ARRAY_RANDOM_LENGTH
);
1717 memcpy(random
+ TLS_ARRAY_RANDOM_LENGTH
,
1718 state
->server_random
.buffer
,
1719 TLS_ARRAY_RANDOM_LENGTH
);
1720 state
->tls_dsk_key_block
= sipe_tls_prf(state
,
1721 state
->master_secret
,
1722 TLS_ARRAY_MASTER_SECRET_LENGTH
,
1723 (guchar
*) "client EAP encryption",
1726 TLS_ARRAY_RANDOM_LENGTH
* 2,
1730 #ifdef __SIPE_TLS_CRYPTO_DEBUG
1731 debug_secrets(state
, "tls_finished: TLS-DSK key block ",
1732 state
->tls_dsk_key_block
, 4 * 32);
1735 state
->common
.client_key
= state
->tls_dsk_key_block
+ 2 * 32;
1736 state
->common
.server_key
= state
->tls_dsk_key_block
+ 3 * 32;
1737 state
->common
.key_length
= 32;
1739 debug_secrets(state
, "tls_finished: TLS-DSK client key ",
1740 state
->common
.client_key
,
1741 state
->common
.key_length
);
1742 debug_secrets(state
, "tls_finished: TLS-DSK server key ",
1743 state
->common
.server_key
,
1744 state
->common
.key_length
);
1746 state
->common
.out_buffer
= NULL
;
1747 state
->common
.out_length
= 0;
1748 state
->state
= TLS_HANDSHAKE_STATE_COMPLETED
;
1757 struct sipe_tls_state
*sipe_tls_start(gpointer certificate
)
1759 struct tls_internal_state
*state
;
1764 state
= g_new0(struct tls_internal_state
, 1);
1765 state
->certificate
= certificate
;
1766 state
->state
= TLS_HANDSHAKE_STATE_START
;
1767 state
->md5_context
= sipe_digest_md5_start();
1768 state
->sha1_context
= sipe_digest_sha1_start();
1769 state
->common
.algorithm
= SIPE_TLS_DIGEST_ALGORITHM_NONE
;
1771 return((struct sipe_tls_state
*) state
);
1774 gboolean
sipe_tls_next(struct sipe_tls_state
*state
)
1776 /* Avoid "cast increases required alignment" errors */
1777 struct tls_internal_state
*internal
= (void *) state
;
1778 gboolean success
= FALSE
;
1783 state
->out_buffer
= NULL
;
1785 switch (internal
->state
) {
1786 case TLS_HANDSHAKE_STATE_START
:
1787 success
= tls_client_hello(internal
);
1790 case TLS_HANDSHAKE_STATE_SERVER_HELLO
:
1791 success
= tls_server_hello(internal
);
1794 case TLS_HANDSHAKE_STATE_FINISHED
:
1795 success
= tls_finished(internal
);
1798 case TLS_HANDSHAKE_STATE_COMPLETED
:
1799 case TLS_HANDSHAKE_STATE_FAILED
:
1800 /* This should not happen */
1801 SIPE_DEBUG_ERROR_NOFORMAT("sipe_tls_next: called in incorrect state!");
1806 internal
->state
= TLS_HANDSHAKE_STATE_FAILED
;
1812 guint
sipe_tls_expires(struct sipe_tls_state
*state
)
1814 /* Avoid "cast increases required alignment" errors */
1815 struct tls_internal_state
*internal
= (void *) state
;
1820 return(sipe_cert_crypto_expires(internal
->certificate
));
1823 void sipe_tls_free(struct sipe_tls_state
*state
)
1826 /* Avoid "cast increases required alignment" errors */
1827 struct tls_internal_state
*internal
= (void *) state
;
1829 free_parse_data(internal
);
1830 if (internal
->debug
)
1831 g_string_free(internal
->debug
, TRUE
);
1832 g_free(internal
->tls_dsk_key_block
);
1833 g_free(internal
->key_block
);
1834 g_free(internal
->master_secret
);
1835 sipe_tls_free_random(&internal
->pre_master_secret
);
1836 sipe_tls_free_random(&internal
->client_random
);
1837 sipe_tls_free_random(&internal
->server_random
);
1838 if (internal
->cipher_context
)
1839 sipe_crypt_tls_destroy(internal
->cipher_context
);
1840 if (internal
->md5_context
)
1841 sipe_digest_md5_destroy(internal
->md5_context
);
1842 if (internal
->sha1_context
)
1843 sipe_digest_sha1_destroy(internal
->sha1_context
);
1844 sipe_cert_crypto_destroy(internal
->server_certificate
);
1845 g_free(state
->out_buffer
);
1850 #endif /* !_SIPE_COMPILING_ANALYZER */