search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
mime: add support for GMIME 3.0 API
[siplcs.git] / src / core / sipe-tls.c
blobb0235d50e713ba41904a41aec54863c7e9549097
1 /**
2 * @file sipe-tls.c
3 *
4 * pidgin-sipe
5 *
6 * Copyright (C) 2011-2016 SIPE Project <http://sipe.sourceforge.net/>
7 *
8 *
9 * This program is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by
11 * the Free Software Foundation; either version 2 of the License, or
12 * (at your option) any later version.
13 *
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
18 *
19 * You should have received a copy of the GNU General Public License
20 * along with this program; if not, write to the Free Software
21 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
22 *
23 *
24 * TLS Protocol Version 1.0/1.1/1.2 - Handshake Messages
25 *
26 * TLS-DSK uses the handshake messages during authentication and session key
27 * exchange. This module *ONLY* implements this part of the TLS specification!
28 *
29 * Specification references:
30 *
31 * - RFC2246: http://www.ietf.org/rfc/rfc2246.txt
32 * - RFC3546: http://www.ietf.org/rfc/rfc3546.txt
33 * - RFC4346: http://www.ietf.org/rfc/rfc4346.txt
34 * - RFC5246: http://www.ietf.org/rfc/rfc5246.txt
35 */
36
37 #include <stdlib.h>
38 #include <string.h>
39 #include <stdarg.h>
40
41 #include <glib.h>
42
43 #include "sipe-common.h"
44 #include "sipe-backend.h"
45 #include "sipe-cert-crypto.h"
46 #include "sipe-crypt.h"
47 #include "sipe-digest.h"
48 #include "sipe-svc.h"
49 #include "sipe-tls.h"
50
51 /*
52 * Private part of TLS state tracking
53 */
54 enum tls_handshake_state {
55 TLS_HANDSHAKE_STATE_START,
56 TLS_HANDSHAKE_STATE_SERVER_HELLO,
57 TLS_HANDSHAKE_STATE_FINISHED,
58 TLS_HANDSHAKE_STATE_COMPLETED,
59 TLS_HANDSHAKE_STATE_FAILED
60 };
61
62 struct tls_internal_state {
63 struct sipe_tls_state common;
64 gpointer certificate;
65 enum tls_handshake_state state;
66 guchar *msg_current;
67 gsize msg_remainder;
68 GHashTable *data;
69 GString *debug;
70 gpointer md5_context;
71 gpointer sha1_context;
72 gpointer server_certificate;
73 struct sipe_tls_random client_random;
74 struct sipe_tls_random server_random;
75 struct sipe_tls_random pre_master_secret;
76 gsize mac_length;
77 gsize key_length;
78 guchar *master_secret;
79 guchar *key_block;
80 guchar *tls_dsk_key_block;
81 const guchar *client_write_mac_secret;
82 const guchar *server_write_mac_secret;
83 const guchar *client_write_secret;
84 const guchar *server_write_secret;
85 const guchar *client_write_iv;
86 const guchar *server_write_iv;
87 void (*mac_func)(const guchar *key, gsize key_length,
88 const guchar *data, gsize data_length,
89 guchar *digest);
90 gpointer cipher_context;
91 guint64 sequence_number;
92 gboolean stream_cipher;
93 gboolean encrypted;
94 gboolean expected;
95 };
96
97 /*
98 * TLS messages & layout descriptors
99 */
100
101 /* constants */
102 #define TLS_VECTOR_MAX8 255 /* 2^8 - 1 */
103 #define TLS_VECTOR_MAX16 65535 /* 2^16 - 1 */
104 #define TLS_VECTOR_MAX24 16777215 /* 2^24 - 1 */
105
106 #define TLS_PROTOCOL_VERSION_1_0 0x0301
107 #define TLS_PROTOCOL_VERSION_1_1 0x0302
108 #define TLS_PROTOCOL_VERSION_1_2 0x0303
109
110 /* CipherSuites */
111 #define TLS_RSA_EXPORT_WITH_RC4_40_MD5 0x0003
112 #define TLS_RSA_WITH_RC4_128_MD5 0x0004
113 #define TLS_RSA_WITH_RC4_128_SHA 0x0005
114 #define TLS_RSA_WITH_AES_128_CBC_SHA 0x002F
115 #define TLS_RSA_WITH_AES_256_CBC_SHA 0x0035
116
117 #define TLS_AES_CBC_BLOCK_LENGTH 16 /* bytes */
118
119 /* CompressionMethods */
120 #define TLS_COMP_METHOD_NULL 0
121
122 /* various array lengths */
123 #define TLS_ARRAY_RANDOM_LENGTH 32
124 #define TLS_ARRAY_MASTER_SECRET_LENGTH 48
125 #define TLS_ARRAY_VERIFY_LENGTH 12
126
127 #define TLS_RECORD_HEADER_LENGTH 5
128 #define TLS_RECORD_OFFSET_TYPE 0
129 #define TLS_RECORD_TYPE_CHANGE_CIPHER_SPEC 20
130 #define TLS_RECORD_TYPE_HANDSHAKE 22
131 #define TLS_RECORD_OFFSET_VERSION 1
132 #define TLS_RECORD_OFFSET_LENGTH 3
133
134 #define TLS_HANDSHAKE_HEADER_LENGTH 4
135 #define TLS_HANDSHAKE_OFFSET_TYPE 0
136 #define TLS_HANDSHAKE_TYPE_CLIENT_HELLO 1
137 #define TLS_HANDSHAKE_TYPE_SERVER_HELLO 2
138 #define TLS_HANDSHAKE_TYPE_CERTIFICATE 11
139 #define TLS_HANDSHAKE_TYPE_CERTIFICATE_REQ 13
140 #define TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE 14
141 #define TLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY 15
142 #define TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE 16
143 #define TLS_HANDSHAKE_TYPE_FINISHED 20
144 #define TLS_HANDSHAKE_OFFSET_LENGTH 1
145
146 struct layout_descriptor;
147 typedef gboolean parse_func(struct tls_internal_state *state,
148 const struct layout_descriptor *desc);
149
150 /* Defines the strictest alignment requirement */
151 struct tls_compile_integer;
152 typedef void compile_func(struct tls_internal_state *state,
153 const struct layout_descriptor *desc,
154 const struct tls_compile_integer *data);
155
156 struct layout_descriptor {
157 const gchar *label;
158 parse_func *parser;
159 compile_func *compiler;
160 gsize min; /* 0 for fixed/array */
161 gsize max;
162 gsize offset;
163 };
164
165 #define TLS_LAYOUT_DESCRIPTOR_END { NULL, NULL, NULL, 0, 0, 0 }
166 #define TLS_LAYOUT_IS_VALID(desc) (desc->label)
167
168 struct msg_descriptor {
169 const struct msg_descriptor *next;
170 const gchar *description;
171 const struct layout_descriptor *layouts;
172 guint type;
173 };
174
175 /* parsed data */
176 struct tls_parsed_integer {
177 guint value;
178 };
179
180 struct tls_parsed_array {
181 gsize length; /* bytes */
182 const guchar data[0];
183 };
184
185 /* compile data */
186 struct tls_compile_integer {
187 gsize value;
188 };
189
190 struct tls_compile_array {
191 gsize elements; /* unused */
192 guchar placeholder[];
193 };
194
195 struct tls_compile_random {
196 gsize elements; /* unused */
197 guchar random[TLS_ARRAY_RANDOM_LENGTH];
198 };
199
200 struct tls_compile_verify {
201 gsize elements; /* unused */
202 guchar verify[TLS_ARRAY_VERIFY_LENGTH];
203 };
204
205 struct tls_compile_vector {
206 gsize elements; /* VECTOR */
207 guint placeholder[];
208 };
209
210 struct tls_compile_sessionid {
211 gsize elements; /* VECTOR */
212 };
213
214 struct tls_compile_cipher {
215 gsize elements; /* VECTOR */
216 guint suites[5];
217 };
218
219 struct tls_compile_compression {
220 gsize elements; /* VECTOR */
221 guint methods[1];
222 };
223
224 /* compiled message */
225 struct tls_compiled_message {
226 gsize size;
227 guchar data[];
228 };
229
230 /*
231 * Random byte buffers
232 */
233 void sipe_tls_fill_random(struct sipe_tls_random *random,
234 guint bits)
235 {
236 guint bytes = ((bits + 15) / 16) * 2;
237 guint16 *p = g_malloc(bytes);
238
239 SIPE_DEBUG_INFO("sipe_tls_fill_random: %d bits -> %d bytes",
240 bits, bytes);
241
242 random->buffer = (guint8*) p;
243 random->length = bytes;
244
245 for (bytes /= 2; bytes; bytes--)
246 *p++ = rand() & 0xFFFF;
247 }
248
249 void sipe_tls_free_random(struct sipe_tls_random *random)
250 {
251 g_free(random->buffer);
252 }
253
254 /*
255 * TLS message debugging
256 */
257 static void debug_hex(struct tls_internal_state *state,
258 gsize alternative_length)
259 {
260 GString *str = state->debug;
261 const guchar *bytes;
262 gsize length;
263 gint count;
264
265 if (!str) return;
266
267 bytes = state->msg_current;
268 length = alternative_length ? alternative_length : state->msg_remainder;
269 count = -1;
270
271 while (length-- > 0) {
272 if (++count == 0) {
273 /* do nothing */;
274 } else if ((count % 16) == 0) {
275 g_string_append(str, "\n");
276 } else if ((count % 8) == 0) {
277 g_string_append(str, " ");
278 }
279 g_string_append_printf(str, " %02X", *bytes++);
280 }
281 g_string_append(str, "\n");
282 }
283
284 #define debug_print(state, string) \
285 if (state->debug) g_string_append(state->debug, string)
286 #define debug_printf(state, format, ...) \
287 if (state->debug) g_string_append_printf(state->debug, format, __VA_ARGS__)
288
289 /* Analyzer only needs the debugging functions */
290 #ifndef _SIPE_COMPILING_ANALYZER
291
292 static void debug_secrets(struct tls_internal_state *state,
293 const gchar *label,
294 const guchar *secret,
295 gsize secret_length)
296 {
297 if (state->debug && secret) {
298 g_string_append_printf(state->debug, "%s (%3" G_GSIZE_FORMAT ") = ",
299 label, secret_length);
300 while (secret_length--)
301 g_string_append_printf(state->debug, "%02X", *secret++);
302 SIPE_DEBUG_INFO_NOFORMAT(state->debug->str);
303 g_string_truncate(state->debug, 0);
304 }
305 }
306
307 /*
308 * TLS Pseudorandom Function (PRF) - RFC2246, Section 5
309 */
310 static guchar *sipe_tls_p_md5(const guchar *secret,
311 gsize secret_length,
312 const guchar *seed,
313 gsize seed_length,
314 gsize output_length)
315 {
316 guchar *output = NULL;
317
318 /*
319 * output_length == 0 -> illegal
320 * output_length == 1..16 -> iterations = 1
321 * output_length == 17..32 -> iterations = 2
322 */
323 if (secret && seed && (output_length > 0)) {
324 guint iterations = (output_length + SIPE_DIGEST_HMAC_MD5_LENGTH - 1) / SIPE_DIGEST_HMAC_MD5_LENGTH;
325 guchar *concat = g_malloc(SIPE_DIGEST_HMAC_MD5_LENGTH + seed_length);
326 guchar A[SIPE_DIGEST_HMAC_MD5_LENGTH];
327 guchar *p;
328
329 SIPE_DEBUG_INFO("p_md5: secret %" G_GSIZE_FORMAT " bytes, seed %" G_GSIZE_FORMAT " bytes",
330 secret_length, seed_length);
331 SIPE_DEBUG_INFO("p_md5: output %" G_GSIZE_FORMAT " bytes -> %d iterations",
332 output_length, iterations);
333
334 /* A(1) = HMAC_MD5(secret, A(0)), A(0) = seed */
335 sipe_digest_hmac_md5(secret, secret_length,
336 seed, seed_length,
337 A);
338
339 /* Each iteration adds SIPE_DIGEST_HMAC_MD5_LENGTH bytes */
340 p = output = g_malloc(iterations * SIPE_DIGEST_HMAC_MD5_LENGTH);
341
342 while (iterations-- > 0) {
343 /* P_MD5(i) = HMAC_MD5(secret, A(i) + seed), i = 1, 2, ... */
344 guchar P[SIPE_DIGEST_HMAC_MD5_LENGTH];
345 memcpy(concat, A, SIPE_DIGEST_HMAC_MD5_LENGTH);
346 memcpy(concat + SIPE_DIGEST_HMAC_MD5_LENGTH, seed, seed_length);
347 sipe_digest_hmac_md5(secret, secret_length,
348 concat, SIPE_DIGEST_HMAC_MD5_LENGTH + seed_length,
349 P);
350 memcpy(p, P, SIPE_DIGEST_HMAC_MD5_LENGTH);
351 p += SIPE_DIGEST_HMAC_MD5_LENGTH;
352
353 /* A(i+1) = HMAC_MD5(secret, A(i)) */
354 sipe_digest_hmac_md5(secret, secret_length,
355 A, SIPE_DIGEST_HMAC_MD5_LENGTH,
356 A);
357 }
358 g_free(concat);
359 }
360
361 return(output);
362 }
363
364 guchar *sipe_tls_p_sha1(const guchar *secret,
365 gsize secret_length,
366 const guchar *seed,
367 gsize seed_length,
368 gsize output_length)
369 {
370 guchar *output = NULL;
371
372 /*
373 * output_length == 0 -> illegal
374 * output_length == 1..20 -> iterations = 1
375 * output_length == 21..40 -> iterations = 2
376 */
377 if (secret && seed && (output_length > 0)) {
378 guint iterations = (output_length + SIPE_DIGEST_HMAC_SHA1_LENGTH - 1) / SIPE_DIGEST_HMAC_SHA1_LENGTH;
379 guchar *concat = g_malloc(SIPE_DIGEST_HMAC_SHA1_LENGTH + seed_length);
380 guchar A[SIPE_DIGEST_HMAC_SHA1_LENGTH];
381 guchar *p;
382
383 SIPE_DEBUG_INFO("p_sha1: secret %" G_GSIZE_FORMAT " bytes, seed %" G_GSIZE_FORMAT " bytes",
384 secret_length, seed_length);
385 SIPE_DEBUG_INFO("p_sha1: output %" G_GSIZE_FORMAT " bytes -> %d iterations",
386 output_length, iterations);
387
388 /* A(1) = HMAC_SHA1(secret, A(0)), A(0) = seed */
389 sipe_digest_hmac_sha1(secret, secret_length,
390 seed, seed_length,
391 A);
392
393 /* Each iteration adds SIPE_DIGEST_HMAC_SHA1_LENGTH bytes */
394 p = output = g_malloc(iterations * SIPE_DIGEST_HMAC_SHA1_LENGTH);
395
396 while (iterations-- > 0) {
397 /* P_SHA1(i) = HMAC_SHA1(secret, A(i) + seed), i = 1, 2, ... */
398 guchar P[SIPE_DIGEST_HMAC_SHA1_LENGTH];
399 memcpy(concat, A, SIPE_DIGEST_HMAC_SHA1_LENGTH);
400 memcpy(concat + SIPE_DIGEST_HMAC_SHA1_LENGTH, seed, seed_length);
401 sipe_digest_hmac_sha1(secret, secret_length,
402 concat, SIPE_DIGEST_HMAC_SHA1_LENGTH + seed_length,
403 P);
404 memcpy(p, P, SIPE_DIGEST_HMAC_SHA1_LENGTH);
405 p += SIPE_DIGEST_HMAC_SHA1_LENGTH;
406
407 /* A(i+1) = HMAC_SHA1(secret, A(i)) */
408 sipe_digest_hmac_sha1(secret, secret_length,
409 A, SIPE_DIGEST_HMAC_SHA1_LENGTH,
410 A);
411 }
412 g_free(concat);
413 }
414
415 return(output);
416 }
417
418 static guchar *sipe_tls_prf(SIPE_UNUSED_PARAMETER struct tls_internal_state *state,
419 const guchar *secret,
420 gsize secret_length,
421 const guchar *label,
422 gsize label_length,
423 const guchar *seed,
424 gsize seed_length,
425 gsize output_length)
426 {
427 gsize half = (secret_length + 1) / 2;
428 gsize newseed_length = label_length + seed_length;
429 /* secret: used as S1; secret2: last half of original secret (S2) */
430 guchar *secret2 = g_memdup(secret + secret_length - half, half);
431 guchar *newseed = g_malloc(newseed_length);
432 guchar *md5, *dest;
433 guchar *sha1, *src;
434 gsize count;
435
436 /* make Coverity happy - lengths could be 0 */
437 if (!secret2 || !newseed) {
438 g_free(secret2);
439 g_free(newseed);
440 return(NULL);
441 }
442
443 /*
444 * PRF(secret, label, seed) = P_MD5(S1, label + seed) XOR
445 * P_SHA-1(S2, label + seed);
446 */
447 memcpy(newseed, label, label_length);
448 memcpy(newseed + label_length, seed, seed_length);
449 #undef __SIPE_TLS_CRYPTO_DEBUG
450 #ifdef __SIPE_TLS_CRYPTO_DEBUG
451 debug_secrets(state, "sipe_tls_prf: secret ",
452 secret, secret_length);
453 debug_secrets(state, "sipe_tls_prf: combined seed ",
454 newseed, newseed_length);
455 SIPE_DEBUG_INFO("total seed length %" G_GSIZE_FORMAT,
456 newseed_length);
457 debug_secrets(state, "sipe_tls_prf: S1 ",
458 secret, half);
459 debug_secrets(state, "sipe_tls_prf: S2 ",
460 secret2, half);
461 #endif
462 md5 = sipe_tls_p_md5(secret, half, newseed, newseed_length, output_length);
463 sha1 = sipe_tls_p_sha1(secret2, half, newseed, newseed_length, output_length);
464 #ifdef __SIPE_TLS_CRYPTO_DEBUG
465 debug_secrets(state, "sipe_tls_prf: P_md5() ",
466 md5, output_length);
467 debug_secrets(state, "sipe_tls_prf: P_sha1() ",
468 sha1, output_length);
469 #endif
470 for (dest = md5, src = sha1, count = output_length;
471 count > 0;
472 count--)
473 *dest++ ^= *src++;
474
475 g_free(sha1);
476 g_free(newseed);
477 g_free(secret2);
478
479 #ifdef __SIPE_TLS_CRYPTO_DEBUG
480 debug_secrets(state, "sipe_tls_prf: PRF() ",
481 md5, output_length);
482 #endif
483
484 return(md5);
485 }
486
487 #endif /* !_SIPE_COMPILING_ANALYZER */
488
489 /*
490 * TLS data parsers
491 *
492 * Low-level data conversion routines
493 *
494 * - host alignment agnostic, i.e. can fetch a word from uneven address
495 * - TLS -> host endianess conversion
496 * - no length check, caller has to do it
497 * - don't modify state
498 */
499 static guint lowlevel_integer_to_host(const guchar *bytes,
500 gsize length)
501 {
502 guint sum = 0;
503 while (length--) sum = (sum << 8) + *bytes++;
504 return(sum);
505 }
506
507 /*
508 * Generic data type parser routines
509 */
510 static gboolean msg_remainder_check(struct tls_internal_state *state,
511 const gchar *label,
512 gsize length)
513 {
514 if (length > state->msg_remainder) {
515 SIPE_DEBUG_ERROR("msg_remainder_check: '%s' expected %" G_GSIZE_FORMAT " bytes, remaining %" G_GSIZE_FORMAT,
516 label, length, state->msg_remainder);
517 return(FALSE);
518 }
519 return(TRUE);
520 }
521
522 static gboolean parse_integer_quiet(struct tls_internal_state *state,
523 const gchar *label,
524 gsize length,
525 guint *result)
526 {
527 if (!msg_remainder_check(state, label, length)) return(FALSE);
528 *result = lowlevel_integer_to_host(state->msg_current, length);
529 state->msg_current += length;
530 state->msg_remainder -= length;
531 return(TRUE);
532 }
533
534 static gboolean parse_integer(struct tls_internal_state *state,
535 const struct layout_descriptor *desc)
536 {
537 guint value;
538 if (!parse_integer_quiet(state, desc->label, desc->max, &value))
539 return(FALSE);
540 debug_printf(state, "%s/INTEGER%" G_GSIZE_FORMAT " = %d\n",
541 desc->label, desc->max, value);
542 if (state->data) {
543 struct tls_parsed_integer *save = g_new0(struct tls_parsed_integer, 1);
544 save->value = value;
545 g_hash_table_insert(state->data, (gpointer) desc->label, save);
546 }
547 return(TRUE);
548 }
549
550 static gboolean parse_array(struct tls_internal_state *state,
551 const struct layout_descriptor *desc)
552 {
553 if (!msg_remainder_check(state, desc->label, desc->max))
554 return(FALSE);
555 debug_printf(state, "%s/ARRAY[%" G_GSIZE_FORMAT "]\n",
556 desc->label, desc->max);
557 #ifdef _SIPE_COMPILING_ANALYZER
558 if (desc->max)
559 debug_hex(state, desc->max);
560 #endif
561 if (state->data) {
562 struct tls_parsed_array *save = g_malloc0(sizeof(struct tls_parsed_array) +
563 desc->max);
564 save->length = desc->max;
565 memcpy((guchar *)save->data, state->msg_current, desc->max);
566 g_hash_table_insert(state->data, (gpointer) desc->label, save);
567
568 }
569 state->msg_current += desc->max;
570 state->msg_remainder -= desc->max;
571 return(TRUE);
572 }
573
574 static gboolean parse_vector(struct tls_internal_state *state,
575 const struct layout_descriptor *desc)
576 {
577 guint length;
578 if (!parse_integer_quiet(state, desc->label,
579 (desc->max > TLS_VECTOR_MAX16) ? 3 :
580 (desc->max > TLS_VECTOR_MAX8) ? 2 : 1,
581 &length))
582 return(FALSE);
583 if (length < desc->min) {
584 SIPE_DEBUG_ERROR("parse_vector: '%s' too short %d, expected %" G_GSIZE_FORMAT,
585 desc->label, length, desc->min);
586 return(FALSE);
587 }
588 debug_printf(state, "%s/VECTOR<%d>\n", desc->label, length);
589 #ifdef _SIPE_COMPILING_ANALYZER
590 if (length)
591 debug_hex(state, length);
592 #endif
593 if (state->data) {
594 struct tls_parsed_array *save = g_malloc0(sizeof(struct tls_parsed_array) +
595 length);
596 save->length = length;
597 memcpy((guchar *)save->data, state->msg_current, length);
598 g_hash_table_insert(state->data, (gpointer) desc->label, save);
599 }
600 state->msg_current += length;
601 state->msg_remainder -= length;
602 return(TRUE);
603 }
604
605 /*
606 * Specific data type parser routines
607 */
608
609 /* TBD... */
610
611 /*
612 * TLS data compilers
613 *
614 * Low-level data conversion routines
615 *
616 * - host alignment agnostic, i.e. can fetch a word from uneven address
617 * - host -> TLS host endianess conversion
618 * - don't modify state
619 */
620 static void lowlevel_integer_to_tls(guchar *bytes,
621 gsize length,
622 guint value)
623 {
624 while (length--) {
625 bytes[length] = value & 0xFF;
626 value >>= 8;
627 }
628 }
629
630 /*
631 * Generic data type compiler routines
632 */
633 static void compile_integer(struct tls_internal_state *state,
634 const struct layout_descriptor *desc,
635 const struct tls_compile_integer *data)
636 {
637 lowlevel_integer_to_tls(state->msg_current, desc->max, data->value);
638 state->msg_current += desc->max;
639 }
640
641 static void compile_array(struct tls_internal_state *state,
642 const struct layout_descriptor *desc,
643 const struct tls_compile_integer *data)
644 {
645 const struct tls_compile_array *array = (struct tls_compile_array *) data;
646 memcpy(state->msg_current, array->placeholder, desc->max);
647 state->msg_current += desc->max;
648 }
649
650 static void compile_vector(struct tls_internal_state *state,
651 const struct layout_descriptor *desc,
652 const struct tls_compile_integer *data)
653 {
654 const struct tls_compile_vector *vector = (struct tls_compile_vector *) data;
655 gsize length = vector->elements;
656 gsize length_field = (desc->max > TLS_VECTOR_MAX16) ? 3 :
657 (desc->max > TLS_VECTOR_MAX8) ? 2 : 1;
658
659 lowlevel_integer_to_tls(state->msg_current, length_field, length);
660 state->msg_current += length_field;
661 memcpy(state->msg_current, vector->placeholder, length);
662 state->msg_current += length;
663 }
664
665 static void compile_vector_int2(struct tls_internal_state *state,
666 const struct layout_descriptor *desc,
667 const struct tls_compile_integer *data)
668 {
669 const struct tls_compile_vector *vector = (struct tls_compile_vector *) data;
670 gsize elements = vector->elements;
671 gsize length = elements * sizeof(guint16);
672 gsize length_field = (desc->max > TLS_VECTOR_MAX16) ? 3 :
673 (desc->max > TLS_VECTOR_MAX8) ? 2 : 1;
674 const guint *p = vector->placeholder;
675
676 lowlevel_integer_to_tls(state->msg_current, length_field, length);
677 state->msg_current += length_field;
678 while (elements--) {
679 lowlevel_integer_to_tls(state->msg_current, sizeof(guint16), *p++);
680 state->msg_current += sizeof(guint16);
681 }
682 }
683
684 /*
685 * Specific data type compiler routines
686 */
687
688 /* TBD... */
689
690 /*
691 * TLS handshake message layout descriptors
692 */
693 struct ClientHello_host {
694 struct tls_compile_integer protocol_version;
695 struct tls_compile_random random;
696 struct tls_compile_sessionid sessionid;
697 struct tls_compile_cipher cipher;
698 struct tls_compile_compression compression;
699 };
700 #define CLIENTHELLO_OFFSET(a) offsetof(struct ClientHello_host, a)
701
702 static const struct layout_descriptor ClientHello_l[] = {
703 { "Client Protocol Version", parse_integer, compile_integer, 0, 2, CLIENTHELLO_OFFSET(protocol_version) },
704 { "Random", parse_array, compile_array, 0, TLS_ARRAY_RANDOM_LENGTH, CLIENTHELLO_OFFSET(random) },
705 { "SessionID", parse_vector, compile_vector, 0, 32, CLIENTHELLO_OFFSET(sessionid) },
706 { "CipherSuite", parse_vector, compile_vector_int2, 2, TLS_VECTOR_MAX16, CLIENTHELLO_OFFSET(cipher)},
707 { "CompressionMethod", parse_vector, compile_vector, 1, TLS_VECTOR_MAX8, CLIENTHELLO_OFFSET(compression) },
708 TLS_LAYOUT_DESCRIPTOR_END
709 };
710 static const struct msg_descriptor ClientHello_m = {
711 NULL, "Client Hello", ClientHello_l, TLS_HANDSHAKE_TYPE_CLIENT_HELLO
712 };
713
714 static const struct layout_descriptor ServerHello_l[] = {
715 { "Server Protocol Version", parse_integer, NULL, 0, 2, 0 },
716 { "Random", parse_array, NULL, 0, TLS_ARRAY_RANDOM_LENGTH, 0 },
717 { "SessionID", parse_vector, NULL, 0, 32, 0 },
718 { "CipherSuite", parse_integer, NULL, 0, 2, 0 },
719 { "CompressionMethod", parse_integer, NULL, 0, 1, 0 },
720 TLS_LAYOUT_DESCRIPTOR_END
721 };
722 static const struct msg_descriptor ServerHello_m = {
723 &ClientHello_m, "Server Hello", ServerHello_l, TLS_HANDSHAKE_TYPE_SERVER_HELLO
724 };
725
726 struct Certificate_host {
727 struct tls_compile_vector certificate;
728 };
729 #define CERTIFICATE_OFFSET(a) offsetof(struct Certificate_host, a)
730
731 static const struct layout_descriptor Certificate_l[] = {
732 { "Certificate", parse_vector, compile_vector, 0, TLS_VECTOR_MAX24, CERTIFICATE_OFFSET(certificate) },
733 TLS_LAYOUT_DESCRIPTOR_END
734 };
735 static const struct msg_descriptor Certificate_m = {
736 &ServerHello_m, "Certificate", Certificate_l, TLS_HANDSHAKE_TYPE_CERTIFICATE
737 };
738
739 static const struct layout_descriptor CertificateRequest_l[] = {
740 { "CertificateType", parse_vector, NULL, 1, TLS_VECTOR_MAX8, 0 },
741 { "DistinguishedName", parse_vector, NULL, 0, TLS_VECTOR_MAX16, 0 },
742 TLS_LAYOUT_DESCRIPTOR_END
743 };
744 static const struct msg_descriptor CertificateRequest_m = {
745 &Certificate_m, "Certificate Request", CertificateRequest_l, TLS_HANDSHAKE_TYPE_CERTIFICATE_REQ
746 };
747
748 static const struct layout_descriptor ServerHelloDone_l[] = {
749 TLS_LAYOUT_DESCRIPTOR_END
750 };
751 static const struct msg_descriptor ServerHelloDone_m = {
752 &CertificateRequest_m, "Server Hello Done", ServerHelloDone_l, TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE
753 };
754
755 struct ClientKeyExchange_host {
756 struct tls_compile_vector secret;
757 };
758 #define CLIENTKEYEXCHANGE_OFFSET(a) offsetof(struct ClientKeyExchange_host, a)
759
760 static const struct layout_descriptor ClientKeyExchange_l[] = {
761 { "Exchange Keys", parse_vector, compile_vector, 0, TLS_VECTOR_MAX16, CLIENTKEYEXCHANGE_OFFSET(secret) },
762 TLS_LAYOUT_DESCRIPTOR_END
763 };
764 static const struct msg_descriptor ClientKeyExchange_m = {
765 &ServerHelloDone_m, "Client Key Exchange", ClientKeyExchange_l, TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE
766 };
767
768 struct CertificateVerify_host {
769 struct tls_compile_vector signature;
770 };
771 #define CERTIFICATEVERIFY_OFFSET(a) offsetof(struct CertificateVerify_host, a)
772
773 static const struct layout_descriptor CertificateVerify_l[] = {
774 { "Signature", parse_vector, compile_vector, 0, TLS_VECTOR_MAX16, CERTIFICATEVERIFY_OFFSET(signature) },
775 TLS_LAYOUT_DESCRIPTOR_END
776 };
777 static const struct msg_descriptor CertificateVerify_m = {
778 &ClientKeyExchange_m, "Certificate Verify", CertificateVerify_l, TLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY
779 };
780
781 struct Finished_host {
782 struct tls_compile_verify verify;
783 };
784 #define FINISHED_OFFSET(a) offsetof(struct Finished_host, a)
785
786 static const struct layout_descriptor Finished_l[] = {
787 { "Verify Data", parse_array, compile_array, 0, TLS_ARRAY_VERIFY_LENGTH, FINISHED_OFFSET(verify) },
788 TLS_LAYOUT_DESCRIPTOR_END
789 };
790 static const struct msg_descriptor Finished_m = {
791 &CertificateVerify_m, "Finished", Finished_l, TLS_HANDSHAKE_TYPE_FINISHED
792 };
793
794 #define HANDSHAKE_MSG_DESCRIPTORS &Finished_m
795
796 /*
797 * TLS message parsers
798 */
799 static gboolean handshake_parse(struct tls_internal_state *state,
800 guint expected_type)
801 {
802 const guchar *bytes = state->msg_current;
803 gsize length = state->msg_remainder;
804 gboolean success = FALSE;
805
806 while (length > 0) {
807 const struct msg_descriptor *desc;
808 gsize msg_length;
809 guint msg_type;
810
811 /* header check */
812 if (length < TLS_HANDSHAKE_HEADER_LENGTH) {
813 debug_print(state, "CORRUPTED HANDSHAKE HEADER");
814 break;
815 }
816
817 /* msg length check */
818 msg_length = lowlevel_integer_to_host(bytes + TLS_HANDSHAKE_OFFSET_LENGTH,
819 3);
820 if (msg_length > length) {
821 debug_print(state, "HANDSHAKE MESSAGE TOO LONG");
822 break;
823 }
824
825 /* msg type */
826 msg_type = bytes[TLS_HANDSHAKE_OFFSET_TYPE];
827 for (desc = HANDSHAKE_MSG_DESCRIPTORS;
828 desc;
829 desc = desc->next)
830 if (msg_type == desc->type)
831 break;
832
833 debug_printf(state, "TLS handshake (%" G_GSIZE_FORMAT " bytes) (%d)",
834 msg_length, msg_type);
835
836 if (msg_type == expected_type)
837 state->expected = TRUE;
838
839 state->msg_current = (guchar *) bytes + TLS_HANDSHAKE_HEADER_LENGTH;
840 state->msg_remainder = msg_length;
841
842 if (desc && desc->layouts) {
843 const struct layout_descriptor *ldesc = desc->layouts;
844
845 debug_printf(state, "%s\n", desc->description);
846
847 while (TLS_LAYOUT_IS_VALID(ldesc)) {
848 success = ldesc->parser(state, ldesc);
849 if (!success)
850 break;
851 ldesc++;
852 }
853 if (!success)
854 break;
855 } else {
856 debug_print(state, "ignored\n");
857 debug_hex(state, 0);
858 }
859
860 /* next message */
861 bytes += TLS_HANDSHAKE_HEADER_LENGTH + msg_length;
862 length -= TLS_HANDSHAKE_HEADER_LENGTH + msg_length;
863 if (length > 0) {
864 debug_print(state, "------\n");
865 } else {
866 success = TRUE;
867 }
868 }
869
870 return(success);
871 }
872
873 static void free_parse_data(struct tls_internal_state *state)
874 {
875 if (state->data) {
876 g_hash_table_destroy(state->data);
877 state->data = NULL;
878 }
879 }
880
881 static gboolean tls_record_parse(struct tls_internal_state *state,
882 gboolean incoming,
883 guint expected)
884 {
885 const guchar *bytes = incoming ? state->common.in_buffer : state->common.out_buffer;
886 gsize length = incoming ? state->common.in_length : state->common.out_length;
887 guint version;
888 const gchar *version_str;
889 gsize record_length;
890 gboolean success = TRUE;
891
892 /* reject empty incoming messages */
893 if (incoming && (length == 0)) {
894 SIPE_DEBUG_ERROR_NOFORMAT("tls_record_parse: empty TLS message received");
895 return(FALSE);
896 }
897
898 #ifndef _SIPE_COMPILING_ANALYZER
899 debug_printf(state, "TLS MESSAGE %s\n", incoming ? "INCOMING" : "OUTGOING");
900 #endif
901
902 /* Collect parser data for incoming messages */
903 if (incoming)
904 state->data = g_hash_table_new_full(g_str_hash, g_str_equal,
905 NULL, g_free);
906
907 state->expected = FALSE;
908 while (success && (length > 0)) {
909
910 /* truncated header check */
911 if (length < TLS_RECORD_HEADER_LENGTH) {
912 SIPE_DEBUG_ERROR("tls_record_parse: too short TLS record header (%" G_GSIZE_FORMAT " bytes)",
913 length);
914 success = FALSE;
915 break;
916 }
917
918 /* protocol version check */
919 version = lowlevel_integer_to_host(bytes + TLS_RECORD_OFFSET_VERSION, 2);
920 if (version < TLS_PROTOCOL_VERSION_1_0) {
921 SIPE_DEBUG_ERROR_NOFORMAT("tls_record_parse: SSL1/2/3 not supported");
922 success = FALSE;
923 break;
924 }
925 switch (version) {
926 case TLS_PROTOCOL_VERSION_1_0:
927 version_str = "1.0 (RFC2246)";
928 break;
929 case TLS_PROTOCOL_VERSION_1_1:
930 version_str = "1.1 (RFC4346)";
931 break;
932 case TLS_PROTOCOL_VERSION_1_2:
933 version_str = "1.2 (RFC5246)";
934 break;
935 default:
936 version_str = "<future protocol version>";
937 break;
938 }
939
940 /* record length check */
941 record_length = TLS_RECORD_HEADER_LENGTH +
942 lowlevel_integer_to_host(bytes + TLS_RECORD_OFFSET_LENGTH, 2);
943 if (record_length > length) {
944 SIPE_DEBUG_ERROR_NOFORMAT("tls_record_parse: record too long");
945 success = FALSE;
946 break;
947 }
948
949 /* TLS record header OK */
950 debug_printf(state, "TLS %s record (%" G_GSIZE_FORMAT " bytes)\n",
951 version_str, record_length);
952 state->msg_current = (guchar *) bytes + TLS_RECORD_HEADER_LENGTH;
953 state->msg_remainder = record_length - TLS_RECORD_HEADER_LENGTH;
954
955 /* Analyzer only needs the debugging functions */
956 #ifndef _SIPE_COMPILING_ANALYZER
957 /* Add incoming message contents to digest contexts */
958 if (incoming) {
959 sipe_digest_md5_update(state->md5_context,
960 state->msg_current,
961 state->msg_remainder);
962 sipe_digest_sha1_update(state->sha1_context,
963 state->msg_current,
964 state->msg_remainder);
965 }
966 #endif /* !_SIPE_COMPILING_ANALYZER */
967
968 switch (bytes[TLS_RECORD_OFFSET_TYPE]) {
969 case TLS_RECORD_TYPE_CHANGE_CIPHER_SPEC:
970 debug_print(state, "Change Cipher Spec\n");
971 if (incoming)
972 state->encrypted = TRUE;
973 if (expected == TLS_RECORD_TYPE_CHANGE_CIPHER_SPEC)
974 state->expected = TRUE;
975 break;
976
977 case TLS_RECORD_TYPE_HANDSHAKE:
978 if (incoming && state->encrypted) {
979 debug_print(state, "Encrypted handshake message\n");
980 debug_hex(state, 0);
981 } else {
982 success = handshake_parse(state, expected);
983 }
984 break;
985
986 default:
987 debug_print(state, "Unsupported TLS message\n");
988 debug_hex(state, 0);
989 break;
990 }
991
992 /* next fragment */
993 bytes += record_length;
994 length -= record_length;
995 }
996
997 #ifndef _SIPE_COMPILING_ANALYZER
998 if (incoming && !state->expected) {
999 SIPE_DEBUG_ERROR("tls_record_parse: did not find expected msg type %d",
1000 expected);
1001 success = FALSE;
1002 }
1003 #endif
1004
1005 if (!success)
1006 free_parse_data(state);
1007
1008 if (state->debug) {
1009 SIPE_DEBUG_INFO_NOFORMAT(state->debug->str);
1010 g_string_truncate(state->debug, 0);
1011 }
1012
1013 return(success);
1014 }
1015
1016 /* Analyzer only needs the debugging functions */
1017 #ifndef _SIPE_COMPILING_ANALYZER
1018
1019 /*
1020 * TLS message compiler
1021 */
1022 static void compile_tls_record(struct tls_internal_state *state,
1023 ...)
1024 {
1025 gsize total_size = 0;
1026 guchar *current;
1027 va_list ap;
1028
1029 /* calculate message size */
1030 va_start(ap, state);
1031 while (1) {
1032 const struct tls_compiled_message *msg = va_arg(ap, struct tls_compiled_message *);
1033 if (!msg) break;
1034 total_size += msg->size;
1035 }
1036 va_end(ap);
1037
1038 SIPE_DEBUG_INFO("compile_tls_record: total size %" G_GSIZE_FORMAT,
1039 total_size);
1040
1041 state->common.out_buffer = current = g_malloc(total_size + TLS_RECORD_HEADER_LENGTH);
1042 state->common.out_length = total_size + TLS_RECORD_HEADER_LENGTH;
1043
1044 /* add TLS record header */
1045 current[TLS_RECORD_OFFSET_TYPE] = TLS_RECORD_TYPE_HANDSHAKE;
1046 lowlevel_integer_to_tls(current + TLS_RECORD_OFFSET_VERSION, 2,
1047 TLS_PROTOCOL_VERSION_1_0);
1048 lowlevel_integer_to_tls(current + TLS_RECORD_OFFSET_LENGTH, 2,
1049 total_size);
1050 current += TLS_RECORD_HEADER_LENGTH;
1051
1052 /* copy messages */
1053 va_start(ap, state);
1054 while (1) {
1055 const struct tls_compiled_message *msg = va_arg(ap, struct tls_compiled_message *);
1056 if (!msg) break;
1057
1058 memcpy(current, msg->data, msg->size);
1059 current += msg->size;
1060 }
1061 va_end(ap);
1062 }
1063
1064 static void compile_encrypted_tls_record(struct tls_internal_state *state,
1065 const struct tls_compiled_message *msg)
1066 {
1067 guchar *plaintext;
1068 gsize plaintext_length; /* header + content */
1069 guchar *mac;
1070 gsize mac_length;
1071 guchar *message;
1072 guchar *encrypted;
1073 gsize message_length; /* header + content + MAC */
1074 gsize padding_length; /* for block cipher */
1075 gsize encrypted_length; /* header + encrypted data */
1076
1077 /* Create plaintext TLS record */
1078 compile_tls_record(state, msg, NULL);
1079 plaintext = state->common.out_buffer;
1080 plaintext_length = state->common.out_length;
1081 if (plaintext_length == 0) /* make Coverity happy */
1082 return;
1083
1084 /* Prepare encryption buffer */
1085 message_length = plaintext_length + state->mac_length;
1086 if (state->stream_cipher) {
1087 padding_length = 0;
1088 encrypted_length = message_length;
1089 } else {
1090 if (message_length < TLS_RECORD_HEADER_LENGTH) /* make Coverity happy */
1091 return;
1092 padding_length = TLS_AES_CBC_BLOCK_LENGTH - (message_length - TLS_RECORD_HEADER_LENGTH + 1) % TLS_AES_CBC_BLOCK_LENGTH;
1093 encrypted_length = message_length + padding_length + 1;
1094 }
1095 SIPE_DEBUG_INFO("compile_encrypted_tls_record: total size %" G_GSIZE_FORMAT,
1096 encrypted_length - TLS_RECORD_HEADER_LENGTH);
1097 message = g_malloc(message_length);
1098 memcpy(message, plaintext, plaintext_length);
1099 lowlevel_integer_to_tls(message + TLS_RECORD_OFFSET_LENGTH, 2,
1100 encrypted_length - TLS_RECORD_HEADER_LENGTH);
1101
1102 /*
1103 * Calculate MAC and append to message
1104 *
1105 * HMAC_hash(client_write_mac_secret,
1106 * sequence_number + type + version + length + fragment)
1107 * \--- == original TLS record ---/
1108 */
1109 mac_length = sizeof(guint64) + plaintext_length;
1110 mac = g_malloc(mac_length);
1111 lowlevel_integer_to_tls(mac,
1112 sizeof(guint64),
1113 state->sequence_number++);
1114 memcpy(mac + sizeof(guint64), plaintext, plaintext_length);
1115 g_free(plaintext);
1116 state->mac_func(state->client_write_mac_secret,
1117 state->mac_length,
1118 mac,
1119 mac_length,
1120 message + plaintext_length);
1121 g_free(mac);
1122
1123 encrypted = g_malloc(encrypted_length);
1124 /* header (unencrypted) */
1125 memcpy(encrypted, message, TLS_RECORD_HEADER_LENGTH);
1126 if (state->stream_cipher) {
1127 /* ENCRYPT(content + MAC) */
1128 sipe_crypt_tls_stream(state->cipher_context,
1129 message + TLS_RECORD_HEADER_LENGTH,
1130 encrypted_length - TLS_RECORD_HEADER_LENGTH,
1131 encrypted + TLS_RECORD_HEADER_LENGTH);
1132 } else {
1133 /* TLS 1.0 GenericBlockCipher */
1134 /* content + MAC */
1135 memcpy(encrypted + TLS_RECORD_HEADER_LENGTH,
1136 message + TLS_RECORD_HEADER_LENGTH,
1137 message_length - TLS_RECORD_HEADER_LENGTH);
1138
1139 /* padding + padding_length */
1140 memset(encrypted + message_length,
1141 padding_length,
1142 padding_length + 1);
1143
1144 /* ENCRYPT(content + MAC + padding + padding_length) */
1145 sipe_crypt_tls_block(state->client_write_secret,
1146 state->key_length,
1147 state->client_write_iv,
1148 TLS_AES_CBC_BLOCK_LENGTH,
1149 encrypted + TLS_RECORD_HEADER_LENGTH,
1150 encrypted_length - TLS_RECORD_HEADER_LENGTH,
1151 encrypted + TLS_RECORD_HEADER_LENGTH);
1152 }
1153 g_free(message);
1154
1155 /* swap buffers */
1156 state->common.out_buffer = encrypted;
1157 state->common.out_length = encrypted_length;
1158 }
1159
1160 static struct tls_compiled_message *compile_handshake_msg(struct tls_internal_state *state,
1161 const struct msg_descriptor *desc,
1162 gpointer data,
1163 gsize size)
1164 {
1165 /*
1166 * Estimate the size of the compiled message
1167 *
1168 * The data structures in the host format have zero or more padding
1169 * bytes added by the compiler to ensure correct element alignments.
1170 * So the sizeof() of the data structure is always equal or greater
1171 * than the space needed for the compiled data. By adding the space
1172 * required for the headers we arrive at a safe estimate
1173 *
1174 * Therefore we don't need space checks in the compiler functions
1175 */
1176 gsize total_size = sizeof(struct tls_compiled_message) +
1177 size + TLS_HANDSHAKE_HEADER_LENGTH;
1178 struct tls_compiled_message *msg = g_malloc(total_size);
1179 guchar *handshake = msg->data;
1180 const struct layout_descriptor *ldesc = desc->layouts;
1181 gsize length;
1182
1183 SIPE_DEBUG_INFO("compile_handshake_msg: buffer size %" G_GSIZE_FORMAT,
1184 total_size);
1185
1186 /* add TLS handshake header */
1187 handshake[TLS_HANDSHAKE_OFFSET_TYPE] = desc->type;
1188 state->msg_current = handshake + TLS_HANDSHAKE_HEADER_LENGTH;
1189
1190 while (TLS_LAYOUT_IS_VALID(ldesc)) {
1191 /*
1192 * Avoid "cast increases required alignment" errors
1193 *
1194 * (void *) tells the compiler that we know what we're
1195 * doing, i.e. we know that the calculated address
1196 * points to correctly aligned data.
1197 */
1198 ldesc->compiler(state, ldesc,
1199 (void *) ((guchar *) data + ldesc->offset));
1200 ldesc++;
1201 }
1202
1203 length = state->msg_current - handshake - TLS_HANDSHAKE_HEADER_LENGTH;
1204 lowlevel_integer_to_tls(handshake + TLS_HANDSHAKE_OFFSET_LENGTH,
1205 3, length);
1206 SIPE_DEBUG_INFO("compile_handshake_msg: (%d)%s, size %" G_GSIZE_FORMAT,
1207 desc->type, desc->description, length);
1208
1209 msg->size = length + TLS_HANDSHAKE_HEADER_LENGTH;
1210
1211 /* update digest contexts */
1212 sipe_digest_md5_update(state->md5_context, handshake, msg->size);
1213 sipe_digest_sha1_update(state->sha1_context, handshake, msg->size);
1214
1215 return(msg);
1216 }
1217
1218 /*
1219 * Specific TLS data verficiation & message compilers
1220 */
1221 static struct tls_compiled_message *tls_client_certificate(struct tls_internal_state *state)
1222 {
1223 struct Certificate_host *certificate;
1224 gsize certificate_length = sipe_cert_crypto_raw_length(state->certificate);
1225 struct tls_compiled_message *msg;
1226
1227 /* setup our response */
1228 /* Client Certificate is VECTOR_MAX24 of VECTOR_MAX24s */
1229 certificate = g_malloc0(sizeof(struct Certificate_host) + 3 +
1230 certificate_length);
1231 certificate->certificate.elements = certificate_length + 3;
1232 lowlevel_integer_to_tls((guchar *) certificate->certificate.placeholder, 3,
1233 certificate_length);
1234 memcpy((guchar *) certificate->certificate.placeholder + 3,
1235 sipe_cert_crypto_raw(state->certificate),
1236 certificate_length);
1237
1238 msg = compile_handshake_msg(state, &Certificate_m, certificate,
1239 sizeof(struct Certificate_host) + certificate_length + 3);
1240 g_free(certificate);
1241
1242 return(msg);
1243 }
1244
1245 static gboolean check_cipher_suite(struct tls_internal_state *state)
1246 {
1247 struct tls_parsed_integer *cipher_suite = g_hash_table_lookup(state->data,
1248 "CipherSuite");
1249 const gchar *label_mac = NULL;
1250 const gchar *label_cipher = NULL;
1251
1252 if (!cipher_suite) {
1253 SIPE_DEBUG_ERROR_NOFORMAT("check_cipher_suite: server didn't specify the cipher suite");
1254 return(FALSE);
1255 }
1256
1257 switch (cipher_suite->value) {
1258 case TLS_RSA_EXPORT_WITH_RC4_40_MD5:
1259 state->mac_length = SIPE_DIGEST_HMAC_MD5_LENGTH;
1260 state->key_length = 40 / 8;
1261 state->mac_func = sipe_digest_hmac_md5;
1262 state->stream_cipher = TRUE;
1263 label_mac = "MD5";
1264 label_cipher = "RC4 stream";
1265 state->common.algorithm = SIPE_TLS_DIGEST_ALGORITHM_MD5;
1266 break;
1267
1268 case TLS_RSA_WITH_RC4_128_MD5:
1269 state->mac_length = SIPE_DIGEST_HMAC_MD5_LENGTH;
1270 state->key_length = 128 / 8;
1271 state->mac_func = sipe_digest_hmac_md5;
1272 state->stream_cipher = TRUE;
1273 label_mac = "MD5";
1274 label_cipher = "RC4 stream";
1275 state->common.algorithm = SIPE_TLS_DIGEST_ALGORITHM_MD5;
1276 break;
1277
1278 case TLS_RSA_WITH_RC4_128_SHA:
1279 state->mac_length = SIPE_DIGEST_HMAC_SHA1_LENGTH;
1280 state->key_length = 128 / 8;
1281 state->mac_func = sipe_digest_hmac_sha1;
1282 state->stream_cipher = TRUE;
1283 label_mac = "SHA-1";
1284 label_cipher = "RC4 stream";
1285 state->common.algorithm = SIPE_TLS_DIGEST_ALGORITHM_SHA1;
1286 break;
1287
1288 case TLS_RSA_WITH_AES_128_CBC_SHA:
1289 state->mac_length = SIPE_DIGEST_HMAC_SHA1_LENGTH;
1290 state->key_length = 128 / 8;
1291 state->mac_func = sipe_digest_hmac_sha1;
1292 state->stream_cipher = FALSE;
1293 label_mac = "SHA-1";
1294 label_cipher = "AES-CBC block";
1295 state->common.algorithm = SIPE_TLS_DIGEST_ALGORITHM_SHA1;
1296 break;
1297
1298 case TLS_RSA_WITH_AES_256_CBC_SHA:
1299 state->mac_length = SIPE_DIGEST_HMAC_SHA1_LENGTH;
1300 state->key_length = 256 / 8;
1301 state->mac_func = sipe_digest_hmac_sha1;
1302 state->stream_cipher = FALSE;
1303 label_mac = "SHA-1";
1304 label_cipher = "AES-CBC block";
1305 state->common.algorithm = SIPE_TLS_DIGEST_ALGORITHM_SHA1;
1306 break;
1307
1308 default:
1309 SIPE_DEBUG_ERROR("check_cipher_suite: unsupported cipher suite %d",
1310 cipher_suite->value);
1311 break;
1312 }
1313
1314 if (label_cipher && label_mac)
1315 SIPE_DEBUG_INFO("check_cipher_suite: KEY(%s cipher) %" G_GSIZE_FORMAT ", MAC(%s) %" G_GSIZE_FORMAT,
1316 label_cipher, state->key_length,
1317 label_mac, state->mac_length);
1318
1319 return(label_cipher && label_mac);
1320 }
1321
1322 static void tls_calculate_secrets(struct tls_internal_state *state)
1323 {
1324 gsize length = 2 * (state->mac_length + state->key_length +
1325 (state->stream_cipher ? 0 : TLS_AES_CBC_BLOCK_LENGTH));
1326 guchar *random;
1327
1328 /* Generate pre-master secret */
1329 sipe_tls_fill_random(&state->pre_master_secret,
1330 TLS_ARRAY_MASTER_SECRET_LENGTH * 8); /* bits */
1331 lowlevel_integer_to_tls(state->pre_master_secret.buffer, 2,
1332 TLS_PROTOCOL_VERSION_1_0);
1333 debug_secrets(state, "tls_calculate_secrets: pre-master secret",
1334 state->pre_master_secret.buffer,
1335 state->pre_master_secret.length);
1336
1337 /*
1338 * Calculate master secret
1339 *
1340 * master_secret = PRF(pre_master_secret,
1341 * "master secret",
1342 * ClientHello.random + ServerHello.random)
1343 */
1344 random = g_malloc(TLS_ARRAY_RANDOM_LENGTH * 2);
1345 memcpy(random,
1346 state->client_random.buffer,
1347 TLS_ARRAY_RANDOM_LENGTH);
1348 memcpy(random + TLS_ARRAY_RANDOM_LENGTH,
1349 state->server_random.buffer,
1350 TLS_ARRAY_RANDOM_LENGTH);
1351 state->master_secret = sipe_tls_prf(state,
1352 state->pre_master_secret.buffer,
1353 state->pre_master_secret.length,
1354 (guchar *) "master secret",
1355 13,
1356 random,
1357 TLS_ARRAY_RANDOM_LENGTH * 2,
1358 TLS_ARRAY_MASTER_SECRET_LENGTH);
1359 debug_secrets(state, "tls_calculate_secrets: master secret ",
1360 state->master_secret,
1361 TLS_ARRAY_MASTER_SECRET_LENGTH);
1362
1363 /*
1364 * Calculate session key material
1365 *
1366 * key_block = PRF(master_secret,
1367 * "key expansion",
1368 * ServerHello.random + ClientHello.random)
1369 */
1370 SIPE_DEBUG_INFO("tls_calculate_secrets: key_block length %" G_GSIZE_FORMAT,
1371 length);
1372 memcpy(random,
1373 state->server_random.buffer,
1374 TLS_ARRAY_RANDOM_LENGTH);
1375 memcpy(random + TLS_ARRAY_RANDOM_LENGTH,
1376 state->client_random.buffer,
1377 TLS_ARRAY_RANDOM_LENGTH);
1378 state->key_block = sipe_tls_prf(state,
1379 state->master_secret,
1380 TLS_ARRAY_MASTER_SECRET_LENGTH,
1381 (guchar *) "key expansion",
1382 13,
1383 random,
1384 TLS_ARRAY_RANDOM_LENGTH * 2,
1385 length);
1386 g_free(random);
1387 debug_secrets(state, "tls_calculate_secrets: key block ",
1388 state->key_block, length);
1389
1390 /* partition key block */
1391 state->client_write_mac_secret = state->key_block;
1392 state->server_write_mac_secret = state->key_block + state->mac_length;
1393 state->client_write_secret = state->key_block + 2 * state->mac_length;
1394 state->server_write_secret = state->key_block + 2 * state->mac_length + state->key_length;
1395
1396 /* initialize stream cipher context */
1397 if (state->stream_cipher) {
1398 state->cipher_context = sipe_crypt_tls_start(state->client_write_secret,
1399 state->key_length);
1400 } else {
1401 state->client_write_iv = state->key_block + 2 * (state->mac_length + state->key_length);
1402 state->server_write_iv = state->key_block + 2 * (state->mac_length + state->key_length) + TLS_AES_CBC_BLOCK_LENGTH;
1403 }
1404 }
1405
1406 #if 0 /* NOT NEEDED? */
1407 /* signing */
1408 static guchar *tls_pkcs1_private_padding(SIPE_UNUSED_PARAMETER struct tls_internal_state *state,
1409 const guchar *data,
1410 gsize data_length,
1411 gsize buffer_length)
1412 {
1413 gsize pad_length;
1414 guchar *pad_buffer;
1415
1416 if (data_length + 3 > buffer_length) ||
1417 (buffer_length == 0)) /* this is dead code, but makes Coverity happy */)
1418 return(NULL);
1419
1420 pad_length = buffer_length - data_length - 3;
1421 pad_buffer = g_malloc(buffer_length);
1422
1423 /* PKCS1 private key block padding */
1424 pad_buffer[0] = 0; /* +1 */
1425 pad_buffer[1] = 1; /* +2 */
1426 memset(pad_buffer + 2, 0xFF, pad_length);
1427 pad_buffer[2 + pad_length] = 0; /* +3 */
1428 memcpy(pad_buffer + 3 + pad_length, data, data_length);
1429
1430 #ifdef __SIPE_TLS_CRYPTO_DEBUG
1431 debug_secrets(state, "tls_pkcs1_private_padding: ",
1432 pad_buffer, buffer_length);
1433 #endif
1434
1435 return(pad_buffer);
1436 }
1437 #endif
1438
1439 /* encryption */
1440 static guchar *tls_pkcs1_public_padding(SIPE_UNUSED_PARAMETER struct tls_internal_state *state,
1441 const guchar *data,
1442 gsize data_length,
1443 gsize buffer_length)
1444 {
1445 gsize pad_length, random_count;
1446 guchar *pad_buffer, *random;
1447
1448 if ((data_length + 3 > buffer_length) ||
1449 (buffer_length == 0)) /* this is dead code, but makes Coverity happy */
1450 return(NULL);
1451
1452 pad_length = buffer_length - data_length - 3;
1453 pad_buffer = g_malloc(buffer_length);
1454
1455 /* PKCS1 public key block padding */
1456 pad_buffer[0] = 0; /* +1 */
1457 pad_buffer[1] = 2; /* +2 */
1458 for (random = pad_buffer + 2, random_count = pad_length;
1459 random_count > 0;
1460 random_count--) {
1461 guchar byte;
1462 /* non-zero random byte */
1463 while ((byte = rand() & 0xFF) == 0);
1464 *random++ = byte;
1465 }
1466 pad_buffer[2 + pad_length] = 0; /* +3 */
1467 memcpy(pad_buffer + 3 + pad_length, data, data_length);
1468
1469 #ifdef __SIPE_TLS_CRYPTO_DEBUG
1470 debug_secrets(state, "tls_pkcs1_private_padding: ",
1471 pad_buffer, buffer_length);
1472 #endif
1473
1474 return(pad_buffer);
1475 }
1476
1477 static struct tls_compiled_message *tls_client_key_exchange(struct tls_internal_state *state)
1478 {
1479 struct tls_parsed_array *server_random;
1480 struct tls_parsed_array *server_certificate;
1481 struct ClientKeyExchange_host *exchange;
1482 gsize server_certificate_length;
1483 guchar *padded;
1484 struct tls_compiled_message *msg;
1485
1486 /* check for required data fields */
1487 if (!check_cipher_suite(state))
1488 return(NULL);
1489 server_random = g_hash_table_lookup(state->data, "Random");
1490 if (!server_random) {
1491 SIPE_DEBUG_ERROR_NOFORMAT("tls_client_key_exchange: no server random");
1492 return(NULL);
1493 }
1494 server_certificate = g_hash_table_lookup(state->data, "Certificate");
1495 /* Server Certificate is VECTOR_MAX24 of VECTOR_MAX24s */
1496 if (!server_certificate || (server_certificate->length < 3)) {
1497 SIPE_DEBUG_ERROR_NOFORMAT("tls_client_key_exchange: no server certificate");
1498 return(FALSE);
1499 }
1500 SIPE_DEBUG_INFO("tls_client_key_exchange: server certificate list %" G_GSIZE_FORMAT" bytes",
1501 server_certificate->length);
1502 /* first certificate is the server certificate */
1503 server_certificate_length = lowlevel_integer_to_host(server_certificate->data,
1504 3);
1505 SIPE_DEBUG_INFO("tls_client_key_exchange: server certificate %" G_GSIZE_FORMAT" bytes",
1506 server_certificate_length);
1507 if ((server_certificate_length + 3) > server_certificate->length) {
1508 SIPE_DEBUG_ERROR_NOFORMAT("tls_client_key_exchange: truncated server certificate");
1509 }
1510 state->server_certificate = sipe_cert_crypto_import(server_certificate->data + 3,
1511 server_certificate_length);
1512 if (!state->server_certificate) {
1513 SIPE_DEBUG_ERROR_NOFORMAT("tls_client_key_exchange: corrupted server certificate");
1514 return(FALSE);
1515 }
1516 /* server public key modulus length */
1517 server_certificate_length = sipe_cert_crypto_modulus_length(state->server_certificate);
1518 if (server_certificate_length < TLS_ARRAY_MASTER_SECRET_LENGTH) {
1519 SIPE_DEBUG_ERROR("tls_client_key_exchange: server public key strength too low (%" G_GSIZE_FORMAT ")",
1520 server_certificate_length);
1521 return(FALSE);
1522 }
1523 SIPE_DEBUG_INFO("tls_client_key_exchange: server public key strength = %" G_GSIZE_FORMAT,
1524 server_certificate_length);
1525
1526 /* found all the required fields */
1527 state->server_random.length = server_random->length;
1528 state->server_random.buffer = g_memdup(server_random->data,
1529 server_random->length);
1530 tls_calculate_secrets(state);
1531
1532 /* ClientKeyExchange */
1533 padded = tls_pkcs1_public_padding(state,
1534 state->pre_master_secret.buffer,
1535 state->pre_master_secret.length,
1536 server_certificate_length);
1537 if (!padded) {
1538 SIPE_DEBUG_ERROR_NOFORMAT("tls_client_key_exchange: padding of pre-master secret failed");
1539 return(NULL);
1540 }
1541 exchange = g_malloc0(sizeof(struct ClientKeyExchange_host) +
1542 server_certificate_length);
1543 exchange->secret.elements = server_certificate_length;
1544 if (!sipe_crypt_rsa_encrypt(sipe_cert_crypto_public_key(state->server_certificate),
1545 server_certificate_length,
1546 padded,
1547 (guchar *) exchange->secret.placeholder)) {
1548 SIPE_DEBUG_ERROR_NOFORMAT("tls_client_key_exchange: encryption of pre-master secret failed");
1549 g_free(exchange);
1550 g_free(padded);
1551 return(NULL);
1552 }
1553 g_free(padded);
1554
1555 #ifdef __SIPE_TLS_CRYPTO_DEBUG
1556 debug_secrets(state, "tls_client_key_exchange: secret (encr) ",
1557 (guchar *) exchange->secret.placeholder,
1558 server_certificate_length);
1559 #endif
1560
1561 msg = compile_handshake_msg(state, &ClientKeyExchange_m, exchange,
1562 sizeof(struct ClientKeyExchange_host) + server_certificate_length);
1563 g_free(exchange);
1564
1565 return(msg);
1566 }
1567
1568 static struct tls_compiled_message *tls_certificate_verify(struct tls_internal_state *state)
1569 {
1570 struct CertificateVerify_host *verify;
1571 struct tls_compiled_message *msg;
1572 guchar *digests = g_malloc(SIPE_DIGEST_MD5_LENGTH + SIPE_DIGEST_SHA1_LENGTH);
1573 guchar *signature;
1574 gsize length;
1575
1576 /* calculate digests */
1577 sipe_digest_md5_end(state->md5_context, digests);
1578 sipe_digest_sha1_end(state->sha1_context, digests + SIPE_DIGEST_MD5_LENGTH);
1579
1580 /* sign digests */
1581 signature = sipe_crypt_rsa_sign(sipe_cert_crypto_private_key(state->certificate),
1582 digests,
1583 SIPE_DIGEST_MD5_LENGTH + SIPE_DIGEST_SHA1_LENGTH,
1584 &length);
1585 g_free(digests);
1586 if (!signature) {
1587 SIPE_DEBUG_ERROR_NOFORMAT("tls_certificate_verify: signing of handshake digests failed");
1588 return(NULL);
1589 }
1590
1591 /* CertificateVerify */
1592 verify = g_malloc0(sizeof(struct CertificateVerify_host) +
1593 length);
1594 verify->signature.elements = length;
1595 memcpy(verify->signature.placeholder, signature, length);
1596 g_free(signature);
1597
1598 msg = compile_handshake_msg(state, &CertificateVerify_m, verify,
1599 sizeof(struct CertificateVerify_host) + length);
1600 g_free(verify);
1601
1602 return(msg);
1603 }
1604
1605 static struct tls_compiled_message *tls_client_finished(struct tls_internal_state *state)
1606 {
1607 guchar *digests = g_malloc(SIPE_DIGEST_MD5_LENGTH + SIPE_DIGEST_SHA1_LENGTH);
1608 guchar *verify;
1609 struct tls_compiled_message *cmsg;
1610 struct Finished_host msg;
1611
1612 /* calculate digests */
1613 sipe_digest_md5_end(state->md5_context, digests);
1614 sipe_digest_sha1_end(state->sha1_context, digests + SIPE_DIGEST_MD5_LENGTH);
1615
1616 /*
1617 * verify_data = PRF(master_secret, "client finished",
1618 * MD5(handshake_messages) +
1619 * SHA-1(handshake_messages)) [0..11];
1620 */
1621 verify = sipe_tls_prf(state,
1622 state->master_secret,
1623 TLS_ARRAY_MASTER_SECRET_LENGTH,
1624 (guchar *) "client finished",
1625 15,
1626 digests,
1627 SIPE_DIGEST_MD5_LENGTH + SIPE_DIGEST_SHA1_LENGTH,
1628 TLS_ARRAY_VERIFY_LENGTH);
1629 g_free(digests);
1630 memcpy(msg.verify.verify, verify, TLS_ARRAY_VERIFY_LENGTH);
1631 g_free(verify);
1632
1633 cmsg = compile_handshake_msg(state, &Finished_m, &msg, sizeof(msg));
1634
1635 return(cmsg);
1636 }
1637
1638 /*
1639 * TLS state handling
1640 */
1641
1642 static gboolean tls_client_hello(struct tls_internal_state *state)
1643 {
1644 guint32 now = time(NULL);
1645 guint32 now_N = GUINT32_TO_BE(now);
1646 struct ClientHello_host msg = {
1647 { TLS_PROTOCOL_VERSION_1_0 },
1648 { 0, { 0 } },
1649 { 0 /* empty SessionID */ },
1650 { 5,
1651 {
1652 TLS_RSA_WITH_RC4_128_MD5,
1653 TLS_RSA_WITH_RC4_128_SHA,
1654 TLS_RSA_WITH_AES_128_CBC_SHA,
1655 TLS_RSA_WITH_AES_256_CBC_SHA,
1656 TLS_RSA_EXPORT_WITH_RC4_40_MD5
1657 }
1658 },
1659 { 1,
1660 {
1661 TLS_COMP_METHOD_NULL
1662 }
1663 }
1664 };
1665 struct tls_compiled_message *cmsg;
1666
1667 /* First 4 bytes of client_random is the current timestamp */
1668 sipe_tls_fill_random(&state->client_random,
1669 TLS_ARRAY_RANDOM_LENGTH * 8); /* -> bits */
1670 memcpy(state->client_random.buffer, &now_N, sizeof(now_N));
1671 memcpy(msg.random.random, state->client_random.buffer,
1672 TLS_ARRAY_RANDOM_LENGTH);
1673
1674 cmsg = compile_handshake_msg(state, &ClientHello_m, &msg, sizeof(msg));
1675 compile_tls_record(state, cmsg, NULL);
1676 g_free(cmsg);
1677
1678 if (sipe_backend_debug_enabled())
1679 state->debug = g_string_new("");
1680
1681 state->state = TLS_HANDSHAKE_STATE_SERVER_HELLO;
1682 return(tls_record_parse(state, FALSE, 0));
1683 }
1684
1685 static gboolean tls_server_hello(struct tls_internal_state *state)
1686 {
1687 struct tls_compiled_message *certificate = NULL;
1688 struct tls_compiled_message *exchange = NULL;
1689 struct tls_compiled_message *verify = NULL;
1690 struct tls_compiled_message *finished = NULL;
1691 gboolean success = FALSE;
1692
1693 if (!tls_record_parse(state, TRUE, TLS_HANDSHAKE_TYPE_SERVER_HELLO))
1694 return(FALSE);
1695
1696 if (((certificate = tls_client_certificate(state)) != NULL) &&
1697 ((exchange = tls_client_key_exchange(state)) != NULL) &&
1698 ((verify = tls_certificate_verify(state)) != NULL) &&
1699 ((finished = tls_client_finished(state)) != NULL)) {
1700
1701 /* Part 1 */
1702 compile_tls_record(state, certificate, exchange, verify, NULL);
1703
1704 success = tls_record_parse(state, FALSE, 0);
1705 if (success) {
1706 guchar *part1 = state->common.out_buffer;
1707 gsize part1_length = state->common.out_length;
1708 guchar *part3;
1709 gsize part3_length;
1710 guchar *merged;
1711 gsize length;
1712 /* ChangeCipherSpec is always the same */
1713 static const guchar part2[] = {
1714 TLS_RECORD_TYPE_CHANGE_CIPHER_SPEC,
1715 (TLS_PROTOCOL_VERSION_1_0 >> 8) & 0xFF,
1716 TLS_PROTOCOL_VERSION_1_0 & 0xFF,
1717 0x00, 0x01, /* length: 1 byte */
1718 0x01 /* change_cipher_spec(1) */
1719 };
1720
1721 state->common.out_buffer = NULL;
1722
1723 /* Part 3 - this is the first encrypted record */
1724 compile_encrypted_tls_record(state, finished);
1725 part3 = state->common.out_buffer;
1726 part3_length = state->common.out_length;
1727
1728 /* merge TLS records */
1729 length = part1_length + sizeof(part2) + part3_length;
1730 merged = g_malloc(length);
1731
1732 memcpy(merged, part1, part1_length);
1733 memcpy(merged + part1_length, part2, sizeof(part2));
1734 memcpy(merged + part1_length + sizeof(part2), part3, part3_length);
1735 g_free(part3);
1736 g_free(part1);
1737
1738 /* replace output buffer with merged message */
1739 state->common.out_buffer = merged;
1740 state->common.out_length = length;
1741
1742 state->state = TLS_HANDSHAKE_STATE_FINISHED;
1743 }
1744 }
1745
1746 g_free(finished);
1747 g_free(verify);
1748 g_free(exchange);
1749 g_free(certificate);
1750 free_parse_data(state);
1751
1752 return(success);
1753 }
1754
1755 static gboolean tls_finished(struct tls_internal_state *state)
1756 {
1757 guchar *random;
1758
1759 if (!tls_record_parse(state, TRUE, TLS_RECORD_TYPE_CHANGE_CIPHER_SPEC))
1760 return(FALSE);
1761
1762 /* we don't need the data */
1763 free_parse_data(state);
1764
1765 /*
1766 * Calculate session keys [MS-SIPAE section 3.2.5.1]
1767 *
1768 * key_material = PRF (master_secret,
1769 * "client EAP encryption",
1770 * ClientHello.random + ServerHello.random)[128]
1771 * = 4 x 32 Bytes
1772 *
1773 * client key = key_material[3rd 32 Bytes]
1774 * server key = key_material[4th 32 Bytes]
1775 */
1776 random = g_malloc(TLS_ARRAY_RANDOM_LENGTH * 2);
1777 memcpy(random,
1778 state->client_random.buffer,
1779 TLS_ARRAY_RANDOM_LENGTH);
1780 memcpy(random + TLS_ARRAY_RANDOM_LENGTH,
1781 state->server_random.buffer,
1782 TLS_ARRAY_RANDOM_LENGTH);
1783 state->tls_dsk_key_block = sipe_tls_prf(state,
1784 state->master_secret,
1785 TLS_ARRAY_MASTER_SECRET_LENGTH,
1786 (guchar *) "client EAP encryption",
1787 21,
1788 random,
1789 TLS_ARRAY_RANDOM_LENGTH * 2,
1790 4 * 32);
1791 g_free(random);
1792
1793 #ifdef __SIPE_TLS_CRYPTO_DEBUG
1794 debug_secrets(state, "tls_finished: TLS-DSK key block ",
1795 state->tls_dsk_key_block, 4 * 32);
1796 #endif
1797
1798 state->common.client_key = state->tls_dsk_key_block + 2 * 32;
1799 state->common.server_key = state->tls_dsk_key_block + 3 * 32;
1800 state->common.key_length = 32;
1801
1802 debug_secrets(state, "tls_finished: TLS-DSK client key ",
1803 state->common.client_key,
1804 state->common.key_length);
1805 debug_secrets(state, "tls_finished: TLS-DSK server key ",
1806 state->common.server_key,
1807 state->common.key_length);
1808
1809 state->common.out_buffer = NULL;
1810 state->common.out_length = 0;
1811 state->state = TLS_HANDSHAKE_STATE_COMPLETED;
1812
1813 return(TRUE);
1814 }
1815
1816 /*
1817 * TLS public API
1818 */
1819
1820 struct sipe_tls_state *sipe_tls_start(gpointer certificate)
1821 {
1822 struct tls_internal_state *state;
1823
1824 if (!certificate)
1825 return(NULL);
1826
1827 state = g_new0(struct tls_internal_state, 1);
1828 state->certificate = certificate;
1829 state->state = TLS_HANDSHAKE_STATE_START;
1830 state->md5_context = sipe_digest_md5_start();
1831 state->sha1_context = sipe_digest_sha1_start();
1832 state->common.algorithm = SIPE_TLS_DIGEST_ALGORITHM_NONE;
1833
1834 return((struct sipe_tls_state *) state);
1835 }
1836
1837 gboolean sipe_tls_next(struct sipe_tls_state *state)
1838 {
1839 /* Avoid "cast increases required alignment" errors */
1840 struct tls_internal_state *internal = (void *) state;
1841 gboolean success = FALSE;
1842
1843 if (!state)
1844 return(FALSE);
1845
1846 state->out_buffer = NULL;
1847
1848 switch (internal->state) {
1849 case TLS_HANDSHAKE_STATE_START:
1850 success = tls_client_hello(internal);
1851 break;
1852
1853 case TLS_HANDSHAKE_STATE_SERVER_HELLO:
1854 success = tls_server_hello(internal);
1855 break;
1856
1857 case TLS_HANDSHAKE_STATE_FINISHED:
1858 success = tls_finished(internal);
1859 break;
1860
1861 case TLS_HANDSHAKE_STATE_COMPLETED:
1862 case TLS_HANDSHAKE_STATE_FAILED:
1863 /* This should not happen */
1864 SIPE_DEBUG_ERROR_NOFORMAT("sipe_tls_next: called in incorrect state!");
1865 break;
1866 }
1867
1868 if (!success) {
1869 internal->state = TLS_HANDSHAKE_STATE_FAILED;
1870 }
1871
1872 return(success);
1873 }
1874
1875 guint sipe_tls_expires(struct sipe_tls_state *state)
1876 {
1877 /* Avoid "cast increases required alignment" errors */
1878 struct tls_internal_state *internal = (void *) state;
1879
1880 if (!state)
1881 return(0);
1882
1883 return(sipe_cert_crypto_expires(internal->certificate));
1884 }
1885
1886 void sipe_tls_free(struct sipe_tls_state *state)
1887 {
1888 if (state) {
1889 /* Avoid "cast increases required alignment" errors */
1890 struct tls_internal_state *internal = (void *) state;
1891
1892 free_parse_data(internal);
1893 if (internal->debug)
1894 g_string_free(internal->debug, TRUE);
1895 g_free(internal->tls_dsk_key_block);
1896 g_free(internal->key_block);
1897 g_free(internal->master_secret);
1898 sipe_tls_free_random(&internal->pre_master_secret);
1899 sipe_tls_free_random(&internal->client_random);
1900 sipe_tls_free_random(&internal->server_random);
1901 if (internal->cipher_context)
1902 sipe_crypt_tls_destroy(internal->cipher_context);
1903 if (internal->md5_context)
1904 sipe_digest_md5_destroy(internal->md5_context);
1905 if (internal->sha1_context)
1906 sipe_digest_sha1_destroy(internal->sha1_context);
1907 sipe_cert_crypto_destroy(internal->server_certificate);
1908 g_free(state->out_buffer);
1909 g_free(state);
1910 }
1911 }
1912
1913 #endif /* !_SIPE_COMPILING_ANALYZER */
1914
1915 /*
1916 Local Variables:
1917 mode: c
1918 c-file-style: "bsd"
1919 indent-tabs-mode: t
1920 tab-width: 8
1921 End:
1922 */
A third-party Pidgin plugin for Microsoft LCS/OCS