aboutsummaryrefslogtreecommitdiff
path: root/networking/tls.c
diff options
context:
space:
mode:
authorDenys Vlasenko <vda.linux@googlemail.com>2018-11-23 17:21:38 +0100
committerDenys Vlasenko <vda.linux@googlemail.com>2018-11-23 17:48:07 +0100
commit83e5c627e1b2c7f34d694696d0c3d5a3ce25dc59 (patch)
tree3bdffe7c29ee5213ba4278da9b0ee116c2806d78 /networking/tls.c
parent03ad7ae08189ed88dd7e0fcb6c6001fbf3b12efb (diff)
downloadbusybox-w32-83e5c627e1b2c7f34d694696d0c3d5a3ce25dc59.tar.gz
busybox-w32-83e5c627e1b2c7f34d694696d0c3d5a3ce25dc59.tar.bz2
busybox-w32-83e5c627e1b2c7f34d694696d0c3d5a3ce25dc59.zip
tls: add support for TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 cipher
function old new delta xwrite_encrypted 209 605 +396 GHASH - 395 +395 aes_encrypt_1 - 382 +382 GMULT - 192 +192 tls_xread_record 489 659 +170 aes_encrypt_one_block - 65 +65 aesgcm_setkey - 58 +58 FlattenSzInBits - 52 +52 tls_handshake 1890 1941 +51 xwrite_and_update_handshake_hash 46 81 +35 xorbuf - 24 +24 aes_setkey - 16 +16 psRsaEncryptPub 413 421 +8 stty_main 1221 1227 +6 ssl_client_main 138 143 +5 next_token 841 845 +4 spawn_ssl_client 218 219 +1 volume_id_probe_hfs_hfsplus 564 563 -1 read_package_field 232 230 -2 i2cdetect_main 674 672 -2 fail_hunk 139 136 -3 parse_expr 891 883 -8 curve25519 802 793 -9 aes_cbc_decrypt 971 958 -13 xwrite_handshake_record 43 - -43 aes_cbc_encrypt 644 172 -472 ------------------------------------------------------------------------------ (add/remove: 9/1 grow/shrink: 9/8 up/down: 1860/-553) Total: 1307 bytes Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
Diffstat (limited to 'networking/tls.c')
-rw-r--r--networking/tls.c360
1 files changed, 278 insertions, 82 deletions
diff --git a/networking/tls.c b/networking/tls.c
index fba66f6f0..38a965ad6 100644
--- a/networking/tls.c
+++ b/networking/tls.c
@@ -13,16 +13,17 @@
13//kbuild:lib-$(CONFIG_TLS) += tls_pstm_mul_comba.o 13//kbuild:lib-$(CONFIG_TLS) += tls_pstm_mul_comba.o
14//kbuild:lib-$(CONFIG_TLS) += tls_pstm_sqr_comba.o 14//kbuild:lib-$(CONFIG_TLS) += tls_pstm_sqr_comba.o
15//kbuild:lib-$(CONFIG_TLS) += tls_aes.o 15//kbuild:lib-$(CONFIG_TLS) += tls_aes.o
16//kbuild:lib-$(CONFIG_TLS) += tls_aesgcm.o
16//kbuild:lib-$(CONFIG_TLS) += tls_rsa.o 17//kbuild:lib-$(CONFIG_TLS) += tls_rsa.o
17//kbuild:lib-$(CONFIG_TLS) += tls_fe.o 18//kbuild:lib-$(CONFIG_TLS) += tls_fe.o
18////kbuild:lib-$(CONFIG_TLS) += tls_aes_gcm.o
19 19
20#include "tls.h" 20#include "tls.h"
21 21
22//Tested against kernel.org:
23//TLS 1.2 22//TLS 1.2
24#define TLS_MAJ 3 23#define TLS_MAJ 3
25#define TLS_MIN 3 24#define TLS_MIN 3
25
26//Tested against kernel.org:
26//#define CIPHER_ID TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA // ok, recvs SERVER_KEY_EXCHANGE *** matrixssl uses this on my box 27//#define CIPHER_ID TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA // ok, recvs SERVER_KEY_EXCHANGE *** matrixssl uses this on my box
27//#define CIPHER_ID TLS_RSA_WITH_AES_256_CBC_SHA256 // ok, no SERVER_KEY_EXCHANGE 28//#define CIPHER_ID TLS_RSA_WITH_AES_256_CBC_SHA256 // ok, no SERVER_KEY_EXCHANGE
28//#define CIPHER_ID TLS_DH_anon_WITH_AES_256_CBC_SHA // SSL_ALERT_HANDSHAKE_FAILURE 29//#define CIPHER_ID TLS_DH_anon_WITH_AES_256_CBC_SHA // SSL_ALERT_HANDSHAKE_FAILURE
@@ -36,7 +37,7 @@
36//#define CIPHER_ID TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 37//#define CIPHER_ID TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
37//#define CIPHER_ID TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 // SSL_ALERT_HANDSHAKE_FAILURE 38//#define CIPHER_ID TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 // SSL_ALERT_HANDSHAKE_FAILURE
38//#define CIPHER_ID TLS_RSA_WITH_AES_256_GCM_SHA384 // ok, no SERVER_KEY_EXCHANGE 39//#define CIPHER_ID TLS_RSA_WITH_AES_256_GCM_SHA384 // ok, no SERVER_KEY_EXCHANGE
39//#define CIPHER_ID TLS_RSA_WITH_AES_128_GCM_SHA256 // ok, no SERVER_KEY_EXCHANGE *** select this? 40//#define CIPHER_ID TLS_RSA_WITH_AES_128_GCM_SHA256 // ok, no SERVER_KEY_EXCHANGE
40 41
41// works against "openssl s_server -cipher NULL" 42// works against "openssl s_server -cipher NULL"
42// and against wolfssl-3.9.10-stable/examples/server/server.c: 43// and against wolfssl-3.9.10-stable/examples/server/server.c:
@@ -60,6 +61,11 @@
60// bug #11456: host is.gd accepts only ECDHE-ECDSA-foo (the simplest which works: ECDHE-ECDSA-AES128-SHA 0xC009) 61// bug #11456: host is.gd accepts only ECDHE-ECDSA-foo (the simplest which works: ECDHE-ECDSA-AES128-SHA 0xC009)
61#define CIPHER_ID3 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA 62#define CIPHER_ID3 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
62 63
64// ftp.openbsd.org only supports ECDHE-RSA-AESnnn-GCM-SHAnnn or ECDHE-RSA-CHACHA20-POLY1305
65#define CIPHER_ID4 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
66
67#define NUM_CIPHERS 4
68
63 69
64#define TLS_DEBUG 0 70#define TLS_DEBUG 0
65#define TLS_DEBUG_HASH 0 71#define TLS_DEBUG_HASH 0
@@ -207,7 +213,6 @@ enum {
207 SHA1_OUTSIZE = 20, 213 SHA1_OUTSIZE = 20,
208 SHA256_OUTSIZE = 32, 214 SHA256_OUTSIZE = 32,
209 215
210 AES_BLOCKSIZE = 16,
211 AES128_KEYSIZE = 16, 216 AES128_KEYSIZE = 16,
212 AES256_KEYSIZE = 32, 217 AES256_KEYSIZE = 32,
213 218
@@ -216,7 +221,7 @@ enum {
216 RECHDR_LEN = 5, 221 RECHDR_LEN = 5,
217 222
218 /* 8 = 3+5. 3 extra bytes result in record data being 32-bit aligned */ 223 /* 8 = 3+5. 3 extra bytes result in record data being 32-bit aligned */
219 OUTBUF_PFX = 8 + AES_BLOCKSIZE, /* header + IV */ 224 OUTBUF_PFX = 8 + AES_BLOCK_SIZE, /* header + IV */
220 OUTBUF_SFX = TLS_MAX_MAC_SIZE + TLS_MAX_CRYPTBLOCK_SIZE, /* MAC + padding */ 225 OUTBUF_SFX = TLS_MAX_MAC_SIZE + TLS_MAX_CRYPTBLOCK_SIZE, /* MAC + padding */
221 226
222 // RFC 5246 227 // RFC 5246
@@ -263,8 +268,11 @@ struct record_hdr {
263}; 268};
264 269
265enum { 270enum {
266 KEY_ALG_RSA, 271 NEED_EC_KEY = 1 << 0,
267 KEY_ALG_ECDSA, 272 GOT_CERT_RSA_KEY_ALG = 1 << 1,
273 GOT_CERT_ECDSA_KEY_ALG = 1 << 2,
274 GOT_EC_KEY = 1 << 3,
275 ENCRYPTION_AESGCM = 1 << 4,
268}; 276};
269struct tls_handshake_data { 277struct tls_handshake_data {
270 /* In bbox, md5/sha1/sha256 ctx's are the same structure */ 278 /* In bbox, md5/sha1/sha256 ctx's are the same structure */
@@ -273,14 +281,14 @@ struct tls_handshake_data {
273 uint8_t client_and_server_rand32[2 * 32]; 281 uint8_t client_and_server_rand32[2 * 32];
274 uint8_t master_secret[48]; 282 uint8_t master_secret[48];
275 283
276 smallint key_alg;
277//TODO: store just the DER key here, parse/use/delete it when sending client key 284//TODO: store just the DER key here, parse/use/delete it when sending client key
278//this way it will stay key type agnostic here. 285//this way it will stay key type agnostic here.
279 psRsaKey_t server_rsa_pub_key; 286 psRsaKey_t server_rsa_pub_key;
280 uint8_t ecc_pub_key32[32]; 287 uint8_t ecc_pub_key32[32];
281 288
282 unsigned saved_client_hello_size; 289/* HANDSHAKE HASH: */
283 uint8_t saved_client_hello[1]; 290 //unsigned saved_client_hello_size;
291 //uint8_t saved_client_hello[1];
284}; 292};
285 293
286 294
@@ -609,7 +617,7 @@ static void *tls_get_zeroed_outbuf(tls_state_t *tls, int len)
609 return record; 617 return record;
610} 618}
611 619
612static void xwrite_encrypted(tls_state_t *tls, unsigned size, unsigned type) 620static void xwrite_encrypted_and_hmac_signed(tls_state_t *tls, unsigned size, unsigned type)
613{ 621{
614 uint8_t *buf = tls->outbuf + OUTBUF_PFX; 622 uint8_t *buf = tls->outbuf + OUTBUF_PFX;
615 struct record_hdr *xhdr; 623 struct record_hdr *xhdr;
@@ -619,7 +627,7 @@ static void xwrite_encrypted(tls_state_t *tls, unsigned size, unsigned type)
619 if (CIPHER_ID1 != TLS_RSA_WITH_NULL_SHA256 /* if "no encryption" can't be selected */ 627 if (CIPHER_ID1 != TLS_RSA_WITH_NULL_SHA256 /* if "no encryption" can't be selected */
620 || tls->cipher_id != TLS_RSA_WITH_NULL_SHA256 /* or if it wasn't selected */ 628 || tls->cipher_id != TLS_RSA_WITH_NULL_SHA256 /* or if it wasn't selected */
621 ) { 629 ) {
622 xhdr = (void*)(buf - RECHDR_LEN - AES_BLOCKSIZE); /* place for IV */ 630 xhdr = (void*)(buf - RECHDR_LEN - AES_BLOCK_SIZE); /* place for IV */
623 } 631 }
624 632
625 xhdr->type = type; 633 xhdr->type = type;
@@ -722,7 +730,7 @@ static void xwrite_encrypted(tls_state_t *tls, unsigned size, unsigned type)
722 // AES_128_CBC Block 16 16 16 730 // AES_128_CBC Block 16 16 16
723 // AES_256_CBC Block 32 16 16 731 // AES_256_CBC Block 32 16 16
724 732
725 tls_get_random(buf - AES_BLOCKSIZE, AES_BLOCKSIZE); /* IV */ 733 tls_get_random(buf - AES_BLOCK_SIZE, AES_BLOCK_SIZE); /* IV */
726 dbg("before crypt: 5 hdr + %u data + %u hash bytes\n", 734 dbg("before crypt: 5 hdr + %u data + %u hash bytes\n",
727 size - tls->MAC_size, tls->MAC_size); 735 size - tls->MAC_size, tls->MAC_size);
728 736
@@ -742,23 +750,24 @@ static void xwrite_encrypted(tls_state_t *tls, unsigned size, unsigned type)
742 // If you need no bytes to reach BLOCKSIZE, you have to pad a full 750 // If you need no bytes to reach BLOCKSIZE, you have to pad a full
743 // BLOCKSIZE with bytes of value (BLOCKSIZE-1). 751 // BLOCKSIZE with bytes of value (BLOCKSIZE-1).
744 // It's ok to have more than minimum padding, but we do minimum. 752 // It's ok to have more than minimum padding, but we do minimum.
745 padding_length = (~size) & (AES_BLOCKSIZE - 1); 753 padding_length = (~size) & (AES_BLOCK_SIZE - 1);
746 do { 754 do {
747 buf[size++] = padding_length; /* padding */ 755 buf[size++] = padding_length; /* padding */
748 } while ((size & (AES_BLOCKSIZE - 1)) != 0); 756 } while ((size & (AES_BLOCK_SIZE - 1)) != 0);
749 757
750 /* Encrypt content+MAC+padding in place */ 758 /* Encrypt content+MAC+padding in place */
759//optimize key setup
751 aes_cbc_encrypt( 760 aes_cbc_encrypt(
752 tls->client_write_key, tls->key_size, /* selects 128/256 */ 761 tls->client_write_key, tls->key_size, /* selects 128/256 */
753 buf - AES_BLOCKSIZE, /* IV */ 762 buf - AES_BLOCK_SIZE, /* IV */
754 buf, size, /* plaintext */ 763 buf, size, /* plaintext */
755 buf /* ciphertext */ 764 buf /* ciphertext */
756 ); 765 );
757 766
758 /* Write out */ 767 /* Write out */
759 dbg("writing 5 + %u IV + %u encrypted bytes, padding_length:0x%02x\n", 768 dbg("writing 5 + %u IV + %u encrypted bytes, padding_length:0x%02x\n",
760 AES_BLOCKSIZE, size, padding_length); 769 AES_BLOCK_SIZE, size, padding_length);
761 size += AES_BLOCKSIZE; /* + IV */ 770 size += AES_BLOCK_SIZE; /* + IV */
762 xhdr->len16_hi = size >> 8; 771 xhdr->len16_hi = size >> 8;
763 xhdr->len16_lo = size & 0xff; 772 xhdr->len16_lo = size & 0xff;
764 dump_raw_out(">> %s\n", xhdr, RECHDR_LEN + size); 773 dump_raw_out(">> %s\n", xhdr, RECHDR_LEN + size);
@@ -766,23 +775,109 @@ static void xwrite_encrypted(tls_state_t *tls, unsigned size, unsigned type)
766 dbg("wrote %u bytes\n", (int)RECHDR_LEN + size); 775 dbg("wrote %u bytes\n", (int)RECHDR_LEN + size);
767} 776}
768 777
778/* Example how GCM encryption combines nonce, aad, input and generates
779 * "header | exp_nonce | encrypted output | tag":
780 * nonce:0d 6a 26 31 00 00 00 00 00 00 00 01 (implicit 4 bytes (derived from master secret), then explicit 8 bytes)
781 * aad: 00 00 00 00 00 00 00 01 17 03 03 00 1c
782 * in: 47 45 54 20 2f 69 6e 64 65 78 2e 68 74 6d 6c 20 48 54 54 50 2f 31 2e 30 0d 0a 0d 0a "GET /index.html HTTP/1.0\r\n\r\n" (0x1c bytes)
783 * out: f7 8a b2 8f 78 0e f6 d5 76 17 2e b5 6d 46 59 56 8b 46 9f 0b d9 2c 35 28 13 66 19 be
784 * tag: c2 86 ce 4a 50 4a d0 aa 50 b3 76 5c 49 2a 3f 33
785 * sent: 17 03 03 00 34|00 00 00 00 00 00 00 01|f7 8a b2 8f 78 0e f6 d5 76 17 2e b5 6d 46 59 56 8b 46 9f 0b d9 2c 35 28 13 66 19 be|c2 86 ce 4a 50 4a d0 aa 50 b3 76 5c 49 2a 3f 33
786 * .............................................^^ buf points here
787 */
788static void xwrite_encrypted_aesgcm(tls_state_t *tls, unsigned size, unsigned type)
789{
790//go for [16]
791 uint8_t aad[13];
792 uint8_t nonce[12 + 4]; /* +4 creates space for AES block counter */
793 uint8_t scratch[AES_BLOCK_SIZE]; //[16]
794 uint8_t authtag[AES_BLOCK_SIZE]; //[16]
795 uint8_t *buf;
796 struct record_hdr *xhdr;
797 unsigned remaining;
798 unsigned cnt;
799
800 buf = tls->outbuf + OUTBUF_PFX; /* see above for the byte it points to */
801 dump_hex("xwrite_encrypted_aesgcm plaintext:%s\n", buf, size);
802
803 xhdr = (void*)(buf - 8 - RECHDR_LEN);
804 xhdr->type = type; /* do it here so that "type" param no longer used */
805
806 aad[8] = type;
807 aad[9] = TLS_MAJ;
808 aad[10] = TLS_MIN;
809 aad[11] = size >> 8;
810 aad[12] = size & 0xff;
811
812 memcpy(nonce, tls->client_write_IV, 4);
813 memcpy(nonce + 4, &tls->write_seq64_be, 8);
814 memcpy(aad, &tls->write_seq64_be, 8);
815 memcpy(buf - 8, &tls->write_seq64_be, 8);
816//optimize
817 /* seq64 is not used later in this func, can increment here */
818 tls->write_seq64_be = SWAP_BE64(1 + SWAP_BE64(tls->write_seq64_be));
819
820#define COUNTER(v) (*(uint32_t*)(v + 12))
821
822 cnt = 1;
823 remaining = size;
824 while (remaining != 0) {
825 unsigned n;
826
827 cnt++;
828 COUNTER(nonce) = htonl(cnt); /* yes, first cnt here is 2 (!) */
829 aes_encrypt_one_block(&tls->aes_encrypt, nonce, scratch);
830 n = remaining > AES_BLOCK_SIZE ? AES_BLOCK_SIZE : remaining;
831 xorbuf(buf, scratch, n);
832 buf += n;
833 remaining -= n;
834 }
835
836//optimize fixed sizes
837 aesgcm_GHASH(tls->H, aad, sizeof(aad), tls->outbuf + OUTBUF_PFX, size, authtag, sizeof(authtag));
838 COUNTER(nonce) = htonl(1);
839 aes_encrypt_one_block(&tls->aes_encrypt, nonce, scratch);
840 xorbuf(authtag, scratch, sizeof(authtag));
841
842 memcpy(buf, authtag, sizeof(authtag));
843#undef COUNTER
844
845 /* Write out */
846 xhdr = (void*)(tls->outbuf + OUTBUF_PFX - 8 - RECHDR_LEN);
847 size += 8 + sizeof(authtag);
848 /*xhdr->type = type; - already is */
849 xhdr->proto_maj = TLS_MAJ;
850 xhdr->proto_min = TLS_MIN;
851 xhdr->len16_hi = size >> 8;
852 xhdr->len16_lo = size & 0xff;
853 size += RECHDR_LEN;
854 dump_raw_out(">> %s\n", xhdr, size);
855 xwrite(tls->ofd, xhdr, size);
856 dbg("wrote %u bytes\n", size);
857}
858
859static void xwrite_encrypted(tls_state_t *tls, unsigned size, unsigned type)
860{
861 if (!(tls->flags & ENCRYPTION_AESGCM)) {
862 xwrite_encrypted_and_hmac_signed(tls, size, type);
863 return;
864 }
865 xwrite_encrypted_aesgcm(tls, size, type);
866}
867
769static void xwrite_handshake_record(tls_state_t *tls, unsigned size) 868static void xwrite_handshake_record(tls_state_t *tls, unsigned size)
770{ 869{
771 //if (!tls->encrypt_on_write) { 870 uint8_t *buf = tls->outbuf + OUTBUF_PFX;
772 uint8_t *buf = tls->outbuf + OUTBUF_PFX; 871 struct record_hdr *xhdr = (void*)(buf - RECHDR_LEN);
773 struct record_hdr *xhdr = (void*)(buf - RECHDR_LEN);
774 872
775 xhdr->type = RECORD_TYPE_HANDSHAKE; 873 xhdr->type = RECORD_TYPE_HANDSHAKE;
776 xhdr->proto_maj = TLS_MAJ; 874 xhdr->proto_maj = TLS_MAJ;
777 xhdr->proto_min = TLS_MIN; 875 xhdr->proto_min = TLS_MIN;
778 xhdr->len16_hi = size >> 8; 876 xhdr->len16_hi = size >> 8;
779 xhdr->len16_lo = size & 0xff; 877 xhdr->len16_lo = size & 0xff;
780 dump_raw_out(">> %s\n", xhdr, RECHDR_LEN + size); 878 dump_raw_out(">> %s\n", xhdr, RECHDR_LEN + size);
781 xwrite(tls->ofd, xhdr, RECHDR_LEN + size); 879 xwrite(tls->ofd, xhdr, RECHDR_LEN + size);
782 dbg("wrote %u bytes\n", (int)RECHDR_LEN + size); 880 dbg("wrote %u bytes\n", (int)RECHDR_LEN + size);
783 // return;
784 //}
785 //xwrite_encrypted(tls, size, RECORD_TYPE_HANDSHAKE);
786} 881}
787 882
788static void xwrite_and_update_handshake_hash(tls_state_t *tls, unsigned size) 883static void xwrite_and_update_handshake_hash(tls_state_t *tls, unsigned size)
@@ -826,6 +921,52 @@ static const char *alert_text(int code)
826 return itoa(code); 921 return itoa(code);
827} 922}
828 923
924static void tls_aesgcm_decrypt(tls_state_t *tls, uint8_t *buf, int size)
925{
926//go for [16]
927 //uint8_t aad[13];
928 uint8_t nonce[12 + 4]; /* +4 creates space for AES block counter */
929 uint8_t scratch[AES_BLOCK_SIZE]; //[16]
930 //uint8_t authtag[AES_BLOCK_SIZE]; //[16]
931 unsigned remaining;
932 unsigned cnt;
933
934 //aad[8] = type;
935 //aad[9] = TLS_MAJ;
936 //aad[10] = TLS_MIN;
937 //aad[11] = size >> 8;
938 //aad[12] = size & 0xff;
939
940 memcpy(nonce, tls->server_write_IV, 4);
941 memcpy(nonce + 4, buf, 8);
942 buf += 8;
943
944#define COUNTER(v) (*(uint32_t*)(v + 12))
945
946 cnt = 1;
947 remaining = size;
948 while (remaining != 0) {
949 unsigned n;
950
951 cnt++;
952 COUNTER(nonce) = htonl(cnt); /* yes, first cnt here is 2 (!) */
953 aes_encrypt_one_block(&tls->aes_decrypt, nonce, scratch);
954 n = remaining > AES_BLOCK_SIZE ? AES_BLOCK_SIZE : remaining;
955 xorbuf(buf, scratch, n);
956 buf += n;
957 remaining -= n;
958 }
959
960////optimize fixed sizes
961 //aesgcm_GHASH(tls->H, aad, sizeof(aad), tls->outbuf + OUTBUF_PFX, size, authtag, sizeof(authtag));
962 //COUNTER(nonce) = htonl(1);
963 //aes_encrypt_one_block(&tls->aes_encrypt, nonce, scratch);
964 //xorbuf(authtag, scratch, sizeof(authtag));
965
966 //memcmp(buf, authtag, sizeof(authtag)) || DIE("HASH DOES NOT MATCH!");
967#undef COUNTER
968}
969
829static int tls_xread_record(tls_state_t *tls, const char *expected) 970static int tls_xread_record(tls_state_t *tls, const char *expected)
830{ 971{
831 struct record_hdr *xhdr; 972 struct record_hdr *xhdr;
@@ -896,34 +1037,44 @@ static int tls_xread_record(tls_state_t *tls, const char *expected)
896 sz = target - RECHDR_LEN; 1037 sz = target - RECHDR_LEN;
897 1038
898 /* Needs to be decrypted? */ 1039 /* Needs to be decrypted? */
899 if (tls->min_encrypted_len_on_read > tls->MAC_size) { 1040 if (tls->min_encrypted_len_on_read != 0) {
900 uint8_t *p = tls->inbuf + RECHDR_LEN; 1041 if (sz < (int)tls->min_encrypted_len_on_read)
901 int padding_len; 1042 bb_error_msg_and_die("bad encrypted len:%u", sz);
902 1043
903 if (sz & (AES_BLOCKSIZE-1) 1044 if (tls->flags & ENCRYPTION_AESGCM) {
904 || sz < (int)tls->min_encrypted_len_on_read 1045 /* AESGCM */
905 ) { 1046 uint8_t *p = tls->inbuf + RECHDR_LEN;
906 bb_error_msg_and_die("bad encrypted len:%u < %u", 1047
907 sz, tls->min_encrypted_len_on_read); 1048 sz -= 8 + AES_BLOCK_SIZE; /* we will overwrite nonce, drop hash */
1049 tls_aesgcm_decrypt(tls, p, sz);
1050 memmove(p, p + 8, sz);
1051 dbg("encrypted size:%u\n", sz);
1052 } else
1053 if (tls->min_encrypted_len_on_read > tls->MAC_size) {
1054 /* AES+SHA */
1055 uint8_t *p = tls->inbuf + RECHDR_LEN;
1056 int padding_len;
1057
1058 if (sz & (AES_BLOCK_SIZE-1))
1059 bb_error_msg_and_die("bad encrypted len:%u", sz);
1060
1061 /* Decrypt content+MAC+padding, moving it over IV in the process */
1062 sz -= AES_BLOCK_SIZE; /* we will overwrite IV now */
1063 aes_cbc_decrypt(
1064 tls->server_write_key, tls->key_size, /* selects 128/256 */
1065 p, /* IV */
1066 p + AES_BLOCK_SIZE, sz, /* ciphertext */
1067 p /* plaintext */
1068 );
1069 padding_len = p[sz - 1];
1070 dbg("encrypted size:%u type:0x%02x padding_length:0x%02x\n", sz, p[0], padding_len);
1071 padding_len++;
1072 sz -= tls->MAC_size + padding_len; /* drop MAC and padding */
1073 } else {
1074 /* if nonzero, then it's TLS_RSA_WITH_NULL_SHA256: drop MAC */
1075 /* else: no encryption yet on input, subtract zero = NOP */
1076 sz -= tls->min_encrypted_len_on_read;
908 } 1077 }
909 /* Decrypt content+MAC+padding, moving it over IV in the process */
910 sz -= AES_BLOCKSIZE; /* we will overwrite IV now */
911 aes_cbc_decrypt(
912 tls->server_write_key, tls->key_size, /* selects 128/256 */
913 p, /* IV */
914 p + AES_BLOCKSIZE, sz, /* ciphertext */
915 p /* plaintext */
916 );
917 padding_len = p[sz - 1];
918 dbg("encrypted size:%u type:0x%02x padding_length:0x%02x\n", sz, p[0], padding_len);
919 padding_len++;
920 sz -= tls->MAC_size + padding_len; /* drop MAC and padding */
921 //if (sz < 0)
922 // bb_error_msg_and_die("bad padding size:%u", padding_len);
923 } else {
924 /* if nonzero, then it's TLS_RSA_WITH_NULL_SHA256: drop MAC */
925 /* else: no encryption yet on input, subtract zero = NOP */
926 sz -= tls->min_encrypted_len_on_read;
927 } 1078 }
928 if (sz < 0) 1079 if (sz < 0)
929 bb_error_msg_and_die("encrypted data too short"); 1080 bb_error_msg_and_die("encrypted data too short");
@@ -964,7 +1115,8 @@ static int tls_xread_record(tls_state_t *tls, const char *expected)
964 * in our FINISHED record must include data of incoming packets too! 1115 * in our FINISHED record must include data of incoming packets too!
965 */ 1116 */
966 if (tls->inbuf[0] == RECORD_TYPE_HANDSHAKE 1117 if (tls->inbuf[0] == RECORD_TYPE_HANDSHAKE
967 && tls->MAC_size != 0 /* do we know which hash to use? (server_hello() does not!) */ 1118/* HANDSHAKE HASH: */
1119 // && do_we_know_which_hash_to_use /* server_hello() might not know it in the future! */
968 ) { 1120 ) {
969 hash_handshake(tls, "<< hash:%s", tls->inbuf + RECHDR_LEN, sz); 1121 hash_handshake(tls, "<< hash:%s", tls->inbuf + RECHDR_LEN, sz);
970 } 1122 }
@@ -1198,16 +1350,16 @@ static void find_key_in_der_cert(tls_state_t *tls, uint8_t *der, int len)
1198 }; 1350 };
1199 if (memcmp(der, OID_RSA_KEY_ALG, sizeof(OID_RSA_KEY_ALG)) == 0) { 1351 if (memcmp(der, OID_RSA_KEY_ALG, sizeof(OID_RSA_KEY_ALG)) == 0) {
1200 dbg("RSA key\n"); 1352 dbg("RSA key\n");
1201 tls->hsd->key_alg = KEY_ALG_RSA; 1353 tls->flags |= GOT_CERT_RSA_KEY_ALG;
1202 } else 1354 } else
1203 if (memcmp(der, OID_ECDSA_KEY_ALG, sizeof(OID_ECDSA_KEY_ALG)) == 0) { 1355 if (memcmp(der, OID_ECDSA_KEY_ALG, sizeof(OID_ECDSA_KEY_ALG)) == 0) {
1204 dbg("ECDSA key\n"); 1356 dbg("ECDSA key\n");
1205 tls->hsd->key_alg = KEY_ALG_ECDSA; 1357 tls->flags |= GOT_CERT_ECDSA_KEY_ALG;
1206 } else 1358 } else
1207 bb_error_msg_and_die("not RSA or ECDSA key"); 1359 bb_error_msg_and_die("not RSA or ECDSA cert");
1208 } 1360 }
1209 1361
1210 if (tls->hsd->key_alg == KEY_ALG_RSA) { 1362 if (tls->flags & GOT_CERT_RSA_KEY_ALG) {
1211 /* parse RSA key: */ 1363 /* parse RSA key: */
1212 //based on getAsnRsaPubKey(), pkcs1ParsePrivBin() is also of note 1364 //based on getAsnRsaPubKey(), pkcs1ParsePrivBin() is also of note
1213 /* skip subjectPublicKeyInfo.algorithm */ 1365 /* skip subjectPublicKeyInfo.algorithm */
@@ -1301,7 +1453,7 @@ static void send_client_hello_and_alloc_hsd(tls_state_t *tls, const char *sni)
1301 uint8_t session_id_len; 1453 uint8_t session_id_len;
1302 /* uint8_t session_id[]; */ 1454 /* uint8_t session_id[]; */
1303 uint8_t cipherid_len16_hi, cipherid_len16_lo; 1455 uint8_t cipherid_len16_hi, cipherid_len16_lo;
1304 uint8_t cipherid[2 * (2 + !!CIPHER_ID2 + !!CIPHER_ID3)]; /* actually variable */ 1456 uint8_t cipherid[2 * (1 + NUM_CIPHERS)]; /* actually variable */
1305 uint8_t comprtypes_len; 1457 uint8_t comprtypes_len;
1306 uint8_t comprtypes[1]; /* actually variable */ 1458 uint8_t comprtypes[1]; /* actually variable */
1307 /* Extensions (SNI shown): 1459 /* Extensions (SNI shown):
@@ -1364,6 +1516,10 @@ static void send_client_hello_and_alloc_hsd(tls_state_t *tls, const char *sni)
1364 if ((CIPHER_ID3 >> 8) != 0) record->cipherid[6] = CIPHER_ID3 >> 8; 1516 if ((CIPHER_ID3 >> 8) != 0) record->cipherid[6] = CIPHER_ID3 >> 8;
1365 /*************************/ record->cipherid[7] = CIPHER_ID3 & 0xff; 1517 /*************************/ record->cipherid[7] = CIPHER_ID3 & 0xff;
1366#endif 1518#endif
1519#if CIPHER_ID4
1520 if ((CIPHER_ID4 >> 8) != 0) record->cipherid[6] = CIPHER_ID4 >> 8;
1521 /*************************/ record->cipherid[7] = CIPHER_ID4 & 0xff;
1522#endif
1367 1523
1368 record->comprtypes_len = 1; 1524 record->comprtypes_len = 1;
1369 /* record->comprtypes[0] = 0; */ 1525 /* record->comprtypes[0] = 0; */
@@ -1385,15 +1541,23 @@ static void send_client_hello_and_alloc_hsd(tls_state_t *tls, const char *sni)
1385 } 1541 }
1386 memcpy(ptr, supported_groups, sizeof(supported_groups)); 1542 memcpy(ptr, supported_groups, sizeof(supported_groups));
1387 1543
1388 dbg(">> CLIENT_HELLO\n"); 1544 tls->hsd = xzalloc(sizeof(*tls->hsd));
1389 /* Can hash it only when we know which MAC hash to use */ 1545 /* HANDSHAKE HASH: ^^^ + len if need to save saved_client_hello */
1390 /*xwrite_and_update_handshake_hash(tls, len); - WRONG! */ 1546 memcpy(tls->hsd->client_and_server_rand32, record->rand32, sizeof(record->rand32));
1391 xwrite_handshake_record(tls, len); 1547/* HANDSHAKE HASH:
1392
1393 tls->hsd = xzalloc(sizeof(*tls->hsd) + len);
1394 tls->hsd->saved_client_hello_size = len; 1548 tls->hsd->saved_client_hello_size = len;
1395 memcpy(tls->hsd->saved_client_hello, record, len); 1549 memcpy(tls->hsd->saved_client_hello, record, len);
1396 memcpy(tls->hsd->client_and_server_rand32, record->rand32, sizeof(record->rand32)); 1550 */
1551 dbg(">> CLIENT_HELLO\n");
1552 /* Can hash immediately only if we know which MAC hash to use.
1553 * So far we do know: it's sha256:
1554 */
1555 sha256_begin(&tls->hsd->handshake_hash_ctx);
1556 xwrite_and_update_handshake_hash(tls, len);
1557 /* if this would become infeasible: save tls->hsd->saved_client_hello,
1558 * use "xwrite_handshake_record(tls, len)" here,
1559 * and hash saved_client_hello later.
1560 */
1397} 1561}
1398 1562
1399static void get_server_hello(tls_state_t *tls) 1563static void get_server_hello(tls_state_t *tls)
@@ -1463,18 +1627,28 @@ static void get_server_hello(tls_state_t *tls)
1463 if (cipher == TLS_RSA_WITH_AES_128_CBC_SHA 1627 if (cipher == TLS_RSA_WITH_AES_128_CBC_SHA
1464 || cipher == TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA 1628 || cipher == TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
1465 ) { 1629 ) {
1630 if (cipher == TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA)
1631 tls->flags |= NEED_EC_KEY;
1466 tls->key_size = AES128_KEYSIZE; 1632 tls->key_size = AES128_KEYSIZE;
1467 tls->MAC_size = SHA1_OUTSIZE; 1633 tls->MAC_size = SHA1_OUTSIZE;
1468 } 1634 }
1469 else { /* TLS_RSA_WITH_AES_256_CBC_SHA256 */ 1635 else
1636 if (cipher == TLS_RSA_WITH_AES_256_CBC_SHA256) {
1470 tls->key_size = AES256_KEYSIZE; 1637 tls->key_size = AES256_KEYSIZE;
1471 tls->MAC_size = SHA256_OUTSIZE; 1638 tls->MAC_size = SHA256_OUTSIZE;
1472 } 1639 }
1640 else { /* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 */
1641 tls->flags |= NEED_EC_KEY | ENCRYPTION_AESGCM;
1642 tls->key_size = AES128_KEYSIZE;
1643 /* tls->MAC_size = 0; */
1644 tls->IV_size = 4;
1645 }
1473 /* Handshake hash eventually destined to FINISHED record 1646 /* Handshake hash eventually destined to FINISHED record
1474 * is sha256 regardless of cipher 1647 * is sha256 regardless of cipher
1475 * (at least for all ciphers defined by RFC5246). 1648 * (at least for all ciphers defined by RFC5246).
1476 * It's not sha1 for AES_128_CBC_SHA - only MAC is sha1, not this hash. 1649 * It's not sha1 for AES_128_CBC_SHA - only MAC is sha1, not this hash.
1477 */ 1650 */
1651/* HANDSHAKE HASH:
1478 sha256_begin(&tls->hsd->handshake_hash_ctx); 1652 sha256_begin(&tls->hsd->handshake_hash_ctx);
1479 hash_handshake(tls, ">> client hello hash:%s", 1653 hash_handshake(tls, ">> client hello hash:%s",
1480 tls->hsd->saved_client_hello, tls->hsd->saved_client_hello_size 1654 tls->hsd->saved_client_hello, tls->hsd->saved_client_hello_size
@@ -1482,6 +1656,7 @@ static void get_server_hello(tls_state_t *tls)
1482 hash_handshake(tls, "<< server hello hash:%s", 1656 hash_handshake(tls, "<< server hello hash:%s",
1483 tls->inbuf + RECHDR_LEN, len 1657 tls->inbuf + RECHDR_LEN, len
1484 ); 1658 );
1659 */
1485} 1660}
1486 1661
1487static void get_server_cert(tls_state_t *tls) 1662static void get_server_cert(tls_state_t *tls)
@@ -1548,7 +1723,7 @@ static void process_server_key(tls_state_t *tls, int len)
1548// 64523d6216cb94c43c9b20e377d8c52c55be6703fd6730a155930c705eaf3af6 //32bytes 1723// 64523d6216cb94c43c9b20e377d8c52c55be6703fd6730a155930c705eaf3af6 //32bytes
1549//same about this item ^^^^^ 1724//same about this item ^^^^^
1550 1725
1551//seen from www.openbsd.org 1726//seen from ftp.openbsd.org
1552//(which only accepts ECDHE-RSA-AESnnn-GCM-SHAnnn and ECDHE-RSA-CHACHA20-POLY1305 ciphers): 1727//(which only accepts ECDHE-RSA-AESnnn-GCM-SHAnnn and ECDHE-RSA-CHACHA20-POLY1305 ciphers):
1553// 0c 000228 //SERVER_KEY_EXCHANGE, len 1728// 0c 000228 //SERVER_KEY_EXCHANGE, len
1554// 03 //curve_type: named curve 1729// 03 //curve_type: named curve
@@ -1572,6 +1747,7 @@ static void process_server_key(tls_state_t *tls, int len)
1572 bb_error_msg_and_die("elliptic curve is not x25519"); 1747 bb_error_msg_and_die("elliptic curve is not x25519");
1573 1748
1574 memcpy(tls->hsd->ecc_pub_key32, keybuf + 4, 32); 1749 memcpy(tls->hsd->ecc_pub_key32, keybuf + 4, 32);
1750 tls->flags |= GOT_EC_KEY;
1575 dbg("got eccPubKey\n"); 1751 dbg("got eccPubKey\n");
1576} 1752}
1577 1753
@@ -1612,7 +1788,11 @@ static void send_client_key_exchange(tls_state_t *tls)
1612 int premaster_size; 1788 int premaster_size;
1613 int len; 1789 int len;
1614 1790
1615 if (tls->hsd->key_alg == KEY_ALG_RSA) { 1791 if (!(tls->flags & NEED_EC_KEY)) {
1792 /* RSA */
1793 if (!(tls->flags & GOT_CERT_RSA_KEY_ALG))
1794 bb_error_msg("server cert is not RSA");
1795
1616 tls_get_random(rsa_premaster, sizeof(rsa_premaster)); 1796 tls_get_random(rsa_premaster, sizeof(rsa_premaster));
1617 if (TLS_DEBUG_FIXED_SECRETS) 1797 if (TLS_DEBUG_FIXED_SECRETS)
1618 memset(rsa_premaster, 0x44, sizeof(rsa_premaster)); 1798 memset(rsa_premaster, 0x44, sizeof(rsa_premaster));
@@ -1636,10 +1816,13 @@ static void send_client_key_exchange(tls_state_t *tls)
1636 premaster = rsa_premaster; 1816 premaster = rsa_premaster;
1637 premaster_size = sizeof(rsa_premaster); 1817 premaster_size = sizeof(rsa_premaster);
1638 } else { 1818 } else {
1639 /* KEY_ALG_ECDSA */ 1819 /* ECDHE */
1640 static const uint8_t basepoint9[CURVE25519_KEYSIZE] = {9}; 1820 static const uint8_t basepoint9[CURVE25519_KEYSIZE] = {9};
1641 uint8_t privkey[CURVE25519_KEYSIZE]; //[32] 1821 uint8_t privkey[CURVE25519_KEYSIZE]; //[32]
1642 1822
1823 if (!(tls->flags & GOT_EC_KEY))
1824 bb_error_msg("server did not provide EC key");
1825
1643 /* Generate random private key, see RFC 7748 */ 1826 /* Generate random private key, see RFC 7748 */
1644 tls_get_random(privkey, sizeof(privkey)); 1827 tls_get_random(privkey, sizeof(privkey));
1645 privkey[0] &= 0xf8; 1828 privkey[0] &= 0xf8;
@@ -1727,23 +1910,32 @@ static void send_client_key_exchange(tls_state_t *tls)
1727 memcpy(&tmp64[32], &tls->hsd->client_and_server_rand32[0] , 32); 1910 memcpy(&tmp64[32], &tls->hsd->client_and_server_rand32[0] , 32);
1728 1911
1729 prf_hmac_sha256(/*tls,*/ 1912 prf_hmac_sha256(/*tls,*/
1730 tls->client_write_MAC_key, 2 * (tls->MAC_size + tls->key_size), 1913 tls->client_write_MAC_key, 2 * (tls->MAC_size + tls->key_size + tls->IV_size),
1731 // also fills: 1914 // also fills:
1732 // server_write_MAC_key[] 1915 // server_write_MAC_key[]
1733 // client_write_key[] 1916 // client_write_key[]
1734 // server_write_key[] 1917 // server_write_key[]
1918 // client_write_IV[]
1919 // server_write_IV[]
1735 tls->hsd->master_secret, sizeof(tls->hsd->master_secret), 1920 tls->hsd->master_secret, sizeof(tls->hsd->master_secret),
1736 "key expansion", 1921 "key expansion",
1737 tmp64, 64 1922 tmp64, 64
1738 ); 1923 );
1739 tls->client_write_key = tls->client_write_MAC_key + (2 * tls->MAC_size); 1924 tls->client_write_key = tls->client_write_MAC_key + (2 * tls->MAC_size);
1740 tls->server_write_key = tls->client_write_key + tls->key_size; 1925 tls->server_write_key = tls->client_write_key + tls->key_size;
1926 tls->client_write_IV = tls->server_write_key + tls->key_size;
1927 tls->server_write_IV = tls->client_write_IV + tls->IV_size;
1741 dump_hex("client_write_MAC_key:%s\n", 1928 dump_hex("client_write_MAC_key:%s\n",
1742 tls->client_write_MAC_key, tls->MAC_size 1929 tls->client_write_MAC_key, tls->MAC_size
1743 ); 1930 );
1744 dump_hex("client_write_key:%s\n", 1931 dump_hex("client_write_key:%s\n",
1745 tls->client_write_key, tls->key_size 1932 tls->client_write_key, tls->key_size
1746 ); 1933 );
1934 dump_hex("client_write_IV:%s\n",
1935 tls->client_write_IV, tls->IV_size
1936 );
1937 aesgcm_setkey(tls->H, &tls->aes_encrypt, tls->client_write_key, tls->key_size);
1938 aes_setkey(&tls->aes_decrypt, tls->server_write_key, tls->key_size);
1747 } 1939 }
1748} 1940}
1749 1941
@@ -1876,7 +2068,7 @@ void FAST_FUNC tls_handshake(tls_state_t *tls, const char *sni)
1876 // client. 2068 // client.
1877 dbg("<< SERVER_KEY_EXCHANGE len:%u\n", len); 2069 dbg("<< SERVER_KEY_EXCHANGE len:%u\n", len);
1878 dump_raw_in("<< %s\n", tls->inbuf, RECHDR_LEN + len); 2070 dump_raw_in("<< %s\n", tls->inbuf, RECHDR_LEN + len);
1879 if (tls->hsd->key_alg == KEY_ALG_ECDSA) 2071 if (tls->flags & NEED_EC_KEY)
1880 process_server_key(tls, len); 2072 process_server_key(tls, len);
1881 2073
1882 // read next handshake block 2074 // read next handshake block
@@ -1922,18 +2114,22 @@ void FAST_FUNC tls_handshake(tls_state_t *tls, const char *sni)
1922 if (len != 1 || memcmp(tls->inbuf, rec_CHANGE_CIPHER_SPEC, 6) != 0) 2114 if (len != 1 || memcmp(tls->inbuf, rec_CHANGE_CIPHER_SPEC, 6) != 0)
1923 bad_record_die(tls, "switch to encrypted traffic", len); 2115 bad_record_die(tls, "switch to encrypted traffic", len);
1924 dbg("<< CHANGE_CIPHER_SPEC\n"); 2116 dbg("<< CHANGE_CIPHER_SPEC\n");
2117
1925 if (CIPHER_ID1 == TLS_RSA_WITH_NULL_SHA256 2118 if (CIPHER_ID1 == TLS_RSA_WITH_NULL_SHA256
1926 && tls->cipher_id == TLS_RSA_WITH_NULL_SHA256 2119 && tls->cipher_id == TLS_RSA_WITH_NULL_SHA256
1927 ) { 2120 ) {
1928 tls->min_encrypted_len_on_read = tls->MAC_size; 2121 tls->min_encrypted_len_on_read = tls->MAC_size;
1929 } else { 2122 } else
1930 unsigned mac_blocks = (unsigned)(tls->MAC_size + AES_BLOCKSIZE-1) / AES_BLOCKSIZE; 2123 if (!(tls->flags & ENCRYPTION_AESGCM)) {
2124 unsigned mac_blocks = (unsigned)(tls->MAC_size + AES_BLOCK_SIZE-1) / AES_BLOCK_SIZE;
1931 /* all incoming packets now should be encrypted and have 2125 /* all incoming packets now should be encrypted and have
1932 * at least IV + (MAC padded to blocksize): 2126 * at least IV + (MAC padded to blocksize):
1933 */ 2127 */
1934 tls->min_encrypted_len_on_read = AES_BLOCKSIZE + (mac_blocks * AES_BLOCKSIZE); 2128 tls->min_encrypted_len_on_read = AES_BLOCK_SIZE + (mac_blocks * AES_BLOCK_SIZE);
1935 dbg("min_encrypted_len_on_read: %u", tls->min_encrypted_len_on_read); 2129 } else {
2130 tls->min_encrypted_len_on_read = 8 + AES_BLOCK_SIZE;
1936 } 2131 }
2132 dbg("min_encrypted_len_on_read: %u\n", tls->min_encrypted_len_on_read);
1937 2133
1938 /* Get (encrypted) FINISHED from the server */ 2134 /* Get (encrypted) FINISHED from the server */
1939 len = tls_xread_record(tls, "'server finished'"); 2135 len = tls_xread_record(tls, "'server finished'");
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-17 21:22:27 +0000