1 files changed, 170 insertions, 171 deletions
diff --git a/networking/tls.c b/networking/tls.c
index 60afd30b4..81820e9a1 100644
--- a/networking/tls.c
+++ b/networking/tls.c
@@ -284,6 +284,145 @@ static void sha256_hash_dbg(const char *fmt, sha256_ctx_t *ctx, const void *buff
         sha256_hash(ctx, buffer, len)
 #endif /* not TLS_DEBUG >= 2 */
+// RFC 2104
+// HMAC(key, text) based on a hash H (say, sha256) is:
+// ipad = [0x36 x INSIZE]
+// opad = [0x5c x INSIZE]
+// HMAC(key, text) = H((key XOR opad) + H((key XOR ipad) + text))
+//
+// H(key XOR opad) and H(key XOR ipad) can be precomputed
+// if we often need HMAC hmac with the same key.
+//
+// text is often given in disjoint pieces.
+static void hmac_sha256_precomputed_v(uint8_t out[SHA256_OUTSIZE],
+                sha256_ctx_t *hashed_key_xor_ipad,
+                sha256_ctx_t *hashed_key_xor_opad,
+                va_list va)
+{
+        uint8_t *text;
+        /* hashed_key_xor_ipad contains unclosed "H((key XOR ipad) +" state */
+        /* hashed_key_xor_opad contains unclosed "H((key XOR opad) +" state */
+        /* calculate out = H((key XOR ipad) + text) */
+        while ((text = va_arg(va, uint8_t*)) != NULL) {
+                unsigned text_size = va_arg(va, unsigned);
+                sha256_hash(hashed_key_xor_ipad, text, text_size);
+        }
+        sha256_end(hashed_key_xor_ipad, out);
+        /* out = H((key XOR opad) + out) */
+        sha256_hash(hashed_key_xor_opad, out, SHA256_OUTSIZE);
+        sha256_end(hashed_key_xor_opad, out);
+}
+static void hmac_sha256(uint8_t out[SHA256_OUTSIZE], uint8_t *key, unsigned key_size, ...)
+{
+        sha256_ctx_t hashed_key_xor_ipad;
+        sha256_ctx_t hashed_key_xor_opad;
+        uint8_t key_xor_ipad[SHA256_INSIZE];
+        uint8_t key_xor_opad[SHA256_INSIZE];
+        uint8_t tempkey[SHA256_OUTSIZE];
+        va_list va;
+        int i;
+        va_start(va, key_size);
+        // "The authentication key can be of any length up to INSIZE, the
+        // block length of the hash function.  Applications that use keys longer
+        // than INSIZE bytes will first hash the key using H and then use the
+        // resultant OUTSIZE byte string as the actual key to HMAC."
+        if (key_size > SHA256_INSIZE) {
+                hash_sha256(tempkey, key, key_size);
+                key = tempkey;
+                key_size = SHA256_OUTSIZE;
+        }
+        for (i = 0; i < key_size; i++) {
+                key_xor_ipad[i] = key[i] ^ 0x36;
+                key_xor_opad[i] = key[i] ^ 0x5c;
+        }
+        for (; i < SHA256_INSIZE; i++) {
+                key_xor_ipad[i] = 0x36;
+                key_xor_opad[i] = 0x5c;
+        }
+        sha256_begin(&hashed_key_xor_ipad);
+        sha256_hash(&hashed_key_xor_ipad, key_xor_ipad, SHA256_INSIZE);
+        sha256_begin(&hashed_key_xor_opad);
+        sha256_hash(&hashed_key_xor_opad, key_xor_opad, SHA256_INSIZE);
+        hmac_sha256_precomputed_v(out, &hashed_key_xor_ipad, &hashed_key_xor_opad, va);
+        va_end(va);
+}
+// RFC 5246:
+// 5.  HMAC and the Pseudorandom Function
+//...
+// In this section, we define one PRF, based on HMAC.  This PRF with the
+// SHA-256 hash function is used for all cipher suites defined in this
+// document and in TLS documents published prior to this document when
+// TLS 1.2 is negotiated.
+//...
+//    P_hash(secret, seed) = HMAC_hash(secret, A(1) + seed) +
+//                           HMAC_hash(secret, A(2) + seed) +
+//                           HMAC_hash(secret, A(3) + seed) + ...
+// where + indicates concatenation.
+// A() is defined as:
+//    A(0) = seed
+//    A(1) = HMAC_hash(secret, A(0)) = HMAC_hash(secret, seed)
+//    A(i) = HMAC_hash(secret, A(i-1))
+// P_hash can be iterated as many times as necessary to produce the
+// required quantity of data.  For example, if P_SHA256 is being used to
+// create 80 bytes of data, it will have to be iterated three times
+// (through A(3)), creating 96 bytes of output data; the last 16 bytes
+// of the final iteration will then be discarded, leaving 80 bytes of
+// output data.
+//
+// TLS's PRF is created by applying P_hash to the secret as:
+//
+//    PRF(secret, label, seed) = P_<hash>(secret, label + seed)
+//
+// The label is an ASCII string.
+static void tls_prf_hmac_sha256(
+                uint8_t *outbuf, unsigned outbuf_size,
+                uint8_t *secret, unsigned secret_size,
+                const char *label,
+                uint8_t *seed, unsigned seed_size)
+{
+        uint8_t a[SHA256_OUTSIZE];
+        uint8_t *out_p = outbuf;
+        unsigned label_size = strlen(label);
+        /* In P_hash() calculation, "seed" is "label + seed": */
+#define SEED   label, label_size, seed, seed_size
+#define SECRET secret, secret_size
+#define A      a, (int)(sizeof(a))
+        /* A(1) = HMAC_hash(secret, seed) */
+        hmac_sha256(a, SECRET, SEED, NULL);
+//TODO: convert hmac_sha256 to precomputed
+        for(;;) {
+                /* HMAC_hash(secret, A(1) + seed) */
+                if (outbuf_size <= SHA256_OUTSIZE) {
+                        /* Last, possibly incomplete, block */
+                        /* (use a[] as temp buffer) */
+                        hmac_sha256(a, SECRET, A, SEED, NULL);
+                        memcpy(out_p, a, outbuf_size);
+                        return;
+                }
+                /* Not last block. Store directly to result buffer */
+                hmac_sha256(out_p, SECRET, A, SEED, NULL);
+                out_p += SHA256_OUTSIZE;
+                outbuf_size -= SHA256_OUTSIZE;
+                /* A(2) = HMAC_hash(secret, A(1)) */
+                hmac_sha256(a, SECRET, A, NULL);
+        }
+#undef A
+#undef SECRET
+#undef SEED
+}
 static
 tls_state_t *new_tls_state(void)
 {
@@ -293,11 +432,13 @@ tls_state_t *new_tls_state(void)
        return tls;
 }
-static void hmac_sha256(uint8_t out[SHA256_OUTSIZE], uint8_t *key, unsigned key_size, ...);
+static void tls_error_die(tls_state_t *tls)
-static void xwrite_and_hash(tls_state_t *tls, /*const*/ void *buf, unsigned size)
 {
-// rfc5246
+        dump_tls_record(tls->inbuf, tls->insize + tls->tail);
+        xfunc_die();
+}
+// RFC 5246
 // 6.2.3.1.  Null or Standard Stream Cipher
 //
 // Stream ciphers (including BulkCipherAlgorithm.null; see Appendix A.6)
@@ -310,18 +451,14 @@ static void xwrite_and_hash(tls_state_t *tls, /*const*/ void *buf, unsigned size
 //    } GenericStreamCipher;
 //
 // The MAC is generated as:
-//
 //    MAC(MAC_write_key, seq_num +
 //                          TLSCompressed.type +
 //                          TLSCompressed.version +
 //                          TLSCompressed.length +
 //                          TLSCompressed.fragment);
-//
 // where "+" denotes concatenation.
-//
 // seq_num
 //    The sequence number for this record.
-//
 // MAC
 //    The MAC algorithm specified by SecurityParameters.mac_algorithm.
 //
@@ -345,23 +482,26 @@ static void xwrite_and_hash(tls_state_t *tls, /*const*/ void *buf, unsigned size
 // MD5       HMAC-MD5        16            16
 // SHA       HMAC-SHA1       20            20
 // SHA256    HMAC-SHA256     32            32
+static void xwrite_and_hash(tls_state_t *tls, /*const*/ void *buf, unsigned size)
+{
        uint8_t mac_hash[SHA256_OUTSIZE];
        struct record_hdr *xhdr = buf;
        if (tls->encrypt_on_write) {
+//TODO: convert hmac_sha256 to precomputed
                hmac_sha256(mac_hash,
                        tls->client_write_MAC_key, sizeof(tls->client_write_MAC_key),
                        &tls->write_seq64_be, sizeof(tls->write_seq64_be),
                        buf, size,
                NULL);
                tls->write_seq64_be = SWAP_BE64(1 + SWAP_BE64(tls->write_seq64_be));
+                /* Temporarily change for writing */
                xhdr->len16_lo += SHA256_OUTSIZE;
-//^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ FIXME
        }
        xwrite(tls->fd, buf, size);
        dbg("wrote %u bytes\n", size);
        if (tls->encrypt_on_write) {
                xwrite(tls->fd, mac_hash, sizeof(mac_hash));
                dbg("wrote %u bytes of hash\n", (int)sizeof(mac_hash));
@@ -374,12 +514,6 @@ static void xwrite_and_hash(tls_state_t *tls, /*const*/ void *buf, unsigned size
        }
 }
-static void tls_error_die(tls_state_t *tls)
-{
-        dump_tls_record(tls->inbuf, tls->insize + tls->tail);
-        xfunc_die();
-}
 static int xread_tls_block(tls_state_t *tls)
 {
        struct record_hdr *xhdr;
@@ -417,7 +551,7 @@ static int xread_tls_block(tls_state_t *tls)
        target -= sizeof(*xhdr);
        /* RFC 5246 is not saying it explicitly, but sha256 hash
-         * in our FINISHED packet must include hashes of incoming packets too!
+         * in our FINISHED record must include data of incoming packets too!
         */
        if (tls->inbuf[0] == RECORD_TYPE_HANDSHAKE) {
                sha256_hash_dbg("<< sha256:%s", &tls->handshake_sha256_ctx, tls->inbuf + 5, target);
@@ -427,23 +561,9 @@ static int xread_tls_block(tls_state_t *tls)
        return target;
 }
-static int xread_tls_handshake_block(tls_state_t *tls, int min_len)
+/*
-{
+ * DER parsing routines
-        struct record_hdr *xhdr;
+ */
-        int len = xread_tls_block(tls);
-        xhdr = (void*)tls->inbuf;
-        if (len < min_len
-         || xhdr->type != RECORD_TYPE_HANDSHAKE
-         || xhdr->proto_maj != TLS_MAJ
-         || xhdr->proto_min != TLS_MIN
-        ) {
-                tls_error_die(tls);
-        }
-        dbg("got HANDSHAKE\n");
-        return len;
-}
 static unsigned get_der_len(uint8_t **bodyp, uint8_t *der, uint8_t *end)
 {
        unsigned len, len1;
@@ -653,147 +773,26 @@ static void find_key_in_der_cert(tls_state_t *tls, uint8_t *der, int len)
        dbg("server_rsa_pub_key.size:%d\n", tls->server_rsa_pub_key.size);
 }
-// RFC 2104: HMAC(key, text) based on a hash H (say, sha256) is:
+/*
-// ipad = [0x36 x INSIZE]
+ * TLS Handshake routines
-// opad = [0x5c x INSIZE]
+ */
-// HMAC(key, text) = H((key XOR opad) + H((key XOR ipad) + text))
+static int xread_tls_handshake_block(tls_state_t *tls, int min_len)
-//
-// H(key XOR opad) and H(key XOR ipad) can be precomputed
-// if we often need HMAC hmac with the same key.
-//
-// text is often given in disjoint pieces.
-static void hmac_sha256_precomputed_v(uint8_t out[SHA256_OUTSIZE],
-                sha256_ctx_t *hashed_key_xor_ipad,
-                sha256_ctx_t *hashed_key_xor_opad,
-                va_list va)
-{
-        uint8_t *text;
-        /* hashed_key_xor_ipad contains unclosed "H((key XOR ipad) +" state */
-        /* hashed_key_xor_opad contains unclosed "H((key XOR opad) +" state */
-        /* calculate out = H((key XOR ipad) + text) */
-        while ((text = va_arg(va, uint8_t*)) != NULL) {
-                unsigned text_size = va_arg(va, unsigned);
-                sha256_hash(hashed_key_xor_ipad, text, text_size);
-        }
-        sha256_end(hashed_key_xor_ipad, out);
-        /* out = H((key XOR opad) + out) */
-        sha256_hash(hashed_key_xor_opad, out, SHA256_OUTSIZE);
-        sha256_end(hashed_key_xor_opad, out);
-}
-static void hmac_sha256(uint8_t out[SHA256_OUTSIZE], uint8_t *key, unsigned key_size, ...)
-{
-        sha256_ctx_t hashed_key_xor_ipad;
-        sha256_ctx_t hashed_key_xor_opad;
-        uint8_t key_xor_ipad[SHA256_INSIZE];
-        uint8_t key_xor_opad[SHA256_INSIZE];
-        uint8_t tempkey[SHA256_OUTSIZE];
-        va_list va;
-        int i;
-        va_start(va, key_size);
-        // "The authentication key can be of any length up to INSIZE, the
-        // block length of the hash function.  Applications that use keys longer
-        // than INSIZE bytes will first hash the key using H and then use the
-        // resultant OUTSIZE byte string as the actual key to HMAC."
-        if (key_size > SHA256_INSIZE) {
-                hash_sha256(tempkey, key, key_size);
-                key = tempkey;
-                key_size = SHA256_OUTSIZE;
-        }
-        for (i = 0; i < key_size; i++) {
-                key_xor_ipad[i] = key[i] ^ 0x36;
-                key_xor_opad[i] = key[i] ^ 0x5c;
-        }
-        for (; i < SHA256_INSIZE; i++) {
-                key_xor_ipad[i] = 0x36;
-                key_xor_opad[i] = 0x5c;
-        }
-        sha256_begin(&hashed_key_xor_ipad);
-        sha256_hash(&hashed_key_xor_ipad, key_xor_ipad, SHA256_INSIZE);
-        sha256_begin(&hashed_key_xor_opad);
-        sha256_hash(&hashed_key_xor_opad, key_xor_opad, SHA256_INSIZE);
-        hmac_sha256_precomputed_v(out, &hashed_key_xor_ipad, &hashed_key_xor_opad, va);
-        va_end(va);
-}
-// RFC 5246:
-// 5.  HMAC and the Pseudorandom Function
-//...
-// In this section, we define one PRF, based on HMAC.  This PRF with the
-// SHA-256 hash function is used for all cipher suites defined in this
-// document and in TLS documents published prior to this document when
-// TLS 1.2 is negotiated.
-//...
-//    P_hash(secret, seed) = HMAC_hash(secret, A(1) + seed) +
-//                           HMAC_hash(secret, A(2) + seed) +
-//                           HMAC_hash(secret, A(3) + seed) + ...
-// where + indicates concatenation.
-// A() is defined as:
-//    A(0) = seed
-//    A(1) = HMAC_hash(secret, A(0)) = HMAC_hash(secret, seed)
-//    A(i) = HMAC_hash(secret, A(i-1))
-// P_hash can be iterated as many times as necessary to produce the
-// required quantity of data.  For example, if P_SHA256 is being used to
-// create 80 bytes of data, it will have to be iterated three times
-// (through A(3)), creating 96 bytes of output data; the last 16 bytes
-// of the final iteration will then be discarded, leaving 80 bytes of
-// output data.
-//
-// TLS's PRF is created by applying P_hash to the secret as:
-//
-//    PRF(secret, label, seed) = P_<hash>(secret, label + seed)
-//
-// The label is an ASCII string.
-static void tls_prf_hmac_sha256(
-                uint8_t *outbuf, unsigned outbuf_size,
-                uint8_t *secret, unsigned secret_size,
-                const char *label,
-                uint8_t *seed, unsigned seed_size)
 {
-        uint8_t a[SHA256_OUTSIZE];
+        struct record_hdr *xhdr;
-        uint8_t *out_p = outbuf;
+        int len = xread_tls_block(tls);
-        unsigned label_size = strlen(label);
-        /* In P_hash() calculation, "seed" is "label + seed": */
-#define SEED   label, label_size, seed, seed_size
-#define SECRET secret, secret_size
-#define A      a, (int)(sizeof(a))
-        /* A(1) = HMAC_hash(secret, seed) */
-        hmac_sha256(a, SECRET, SEED, NULL);
-//TODO: convert hmac_sha256 to precomputed
-        for(;;) {
+        xhdr = (void*)tls->inbuf;
-                /* HMAC_hash(secret, A(1) + seed) */
+        if (len < min_len
-                if (outbuf_size <= SHA256_OUTSIZE) {
+         || xhdr->type != RECORD_TYPE_HANDSHAKE
-                        /* Last, possibly incomplete, block */
+         || xhdr->proto_maj != TLS_MAJ
-                        /* (use a[] as temp buffer) */
+         || xhdr->proto_min != TLS_MIN
-                        hmac_sha256(a, SECRET, A, SEED, NULL);
+        ) {
-                        memcpy(out_p, a, outbuf_size);
+                tls_error_die(tls);
-                        return;
-                }
-                /* Not last block. Store directly to result buffer */
-                hmac_sha256(out_p, SECRET, A, SEED, NULL);
-                out_p += SHA256_OUTSIZE;
-                outbuf_size -= SHA256_OUTSIZE;
-                /* A(2) = HMAC_hash(secret, A(1)) */
-                hmac_sha256(a, SECRET, A, NULL);
        }
-#undef A
+        dbg("got HANDSHAKE\n");
-#undef SECRET
+        return len;
-#undef SEED
 }
-/*
- * TLS Handshake routines
- */
 static void send_client_hello(tls_state_t *tls)
 {
        struct client_hello {
@@ -1055,7 +1054,7 @@ static void send_change_cipher_spec(tls_state_t *tls)
        dbg(">> CHANGE_CIPHER_SPEC\n");
        xwrite(tls->fd, rec, sizeof(rec));
-        tls->write_seq64_be = 0;
+        /* tls->write_seq64_be = 0; - already is */
        tls->encrypt_on_write = 1;
 }

diff --git a/networking/tls.c b/networking/tls.c index 60afd30b4..81820e9a1 100644 --- a/networking/tls.c +++ b/networking/tls.c
@@ -284,6 +284,145 @@ static void sha256_hash_dbg(const char fmt, sha256_ctx_t ctx, const void *buff
284	sha256_hash(ctx, buffer, len)	284	sha256_hash(ctx, buffer, len)
285	#endif /* not TLS_DEBUG >= 2 */	285	#endif /* not TLS_DEBUG >= 2 */
286		286
		287	// RFC 2104
		288	// HMAC(key, text) based on a hash H (say, sha256) is:
		289	// ipad = [0x36 x INSIZE]
		290	// opad = [0x5c x INSIZE]
		291	// HMAC(key, text) = H((key XOR opad) + H((key XOR ipad) + text))
		292	//
		293	// H(key XOR opad) and H(key XOR ipad) can be precomputed
		294	// if we often need HMAC hmac with the same key.
		295	//
		296	// text is often given in disjoint pieces.
		297	static void hmac_sha256_precomputed_v(uint8_t out[SHA256_OUTSIZE],
		298	sha256_ctx_t *hashed_key_xor_ipad,
		299	sha256_ctx_t *hashed_key_xor_opad,
		300	va_list va)
		301	{
		302	uint8_t *text;
		303
		304	/* hashed_key_xor_ipad contains unclosed "H((key XOR ipad) +" state */
		305	/* hashed_key_xor_opad contains unclosed "H((key XOR opad) +" state */
		306
		307	/* calculate out = H((key XOR ipad) + text) */
		308	while ((text = va_arg(va, uint8_t*)) != NULL) {
		309	unsigned text_size = va_arg(va, unsigned);
		310	sha256_hash(hashed_key_xor_ipad, text, text_size);
		311	}
		312	sha256_end(hashed_key_xor_ipad, out);
		313
		314	/* out = H((key XOR opad) + out) */
		315	sha256_hash(hashed_key_xor_opad, out, SHA256_OUTSIZE);
		316	sha256_end(hashed_key_xor_opad, out);
		317	}
		318
		319	static void hmac_sha256(uint8_t out[SHA256_OUTSIZE], uint8_t *key, unsigned key_size, ...)
		320	{
		321	sha256_ctx_t hashed_key_xor_ipad;
		322	sha256_ctx_t hashed_key_xor_opad;
		323	uint8_t key_xor_ipad[SHA256_INSIZE];
		324	uint8_t key_xor_opad[SHA256_INSIZE];
		325	uint8_t tempkey[SHA256_OUTSIZE];
		326	va_list va;
		327	int i;
		328
		329	va_start(va, key_size);
		330
		331	// "The authentication key can be of any length up to INSIZE, the
		332	// block length of the hash function. Applications that use keys longer
		333	// than INSIZE bytes will first hash the key using H and then use the
		334	// resultant OUTSIZE byte string as the actual key to HMAC."
		335	if (key_size > SHA256_INSIZE) {
		336	hash_sha256(tempkey, key, key_size);
		337	key = tempkey;
		338	key_size = SHA256_OUTSIZE;
		339	}
		340
		341	for (i = 0; i < key_size; i++) {
		342	key_xor_ipad[i] = key[i] ^ 0x36;
		343	key_xor_opad[i] = key[i] ^ 0x5c;
		344	}
		345	for (; i < SHA256_INSIZE; i++) {
		346	key_xor_ipad[i] = 0x36;
		347	key_xor_opad[i] = 0x5c;
		348	}
		349	sha256_begin(&hashed_key_xor_ipad);
		350	sha256_hash(&hashed_key_xor_ipad, key_xor_ipad, SHA256_INSIZE);
		351	sha256_begin(&hashed_key_xor_opad);
		352	sha256_hash(&hashed_key_xor_opad, key_xor_opad, SHA256_INSIZE);
		353
		354	hmac_sha256_precomputed_v(out, &hashed_key_xor_ipad, &hashed_key_xor_opad, va);
		355	va_end(va);
		356	}
		357
		358	// RFC 5246:
		359	// 5. HMAC and the Pseudorandom Function
		360	//...
		361	// In this section, we define one PRF, based on HMAC. This PRF with the
		362	// SHA-256 hash function is used for all cipher suites defined in this
		363	// document and in TLS documents published prior to this document when
		364	// TLS 1.2 is negotiated.
		365	//...
		366	// P_hash(secret, seed) = HMAC_hash(secret, A(1) + seed) +
		367	// HMAC_hash(secret, A(2) + seed) +
		368	// HMAC_hash(secret, A(3) + seed) + ...
		369	// where + indicates concatenation.
		370	// A() is defined as:
		371	// A(0) = seed
		372	// A(1) = HMAC_hash(secret, A(0)) = HMAC_hash(secret, seed)
		373	// A(i) = HMAC_hash(secret, A(i-1))
		374	// P_hash can be iterated as many times as necessary to produce the
		375	// required quantity of data. For example, if P_SHA256 is being used to
		376	// create 80 bytes of data, it will have to be iterated three times
		377	// (through A(3)), creating 96 bytes of output data; the last 16 bytes
		378	// of the final iteration will then be discarded, leaving 80 bytes of
		379	// output data.
		380	//
		381	// TLS's PRF is created by applying P_hash to the secret as:
		382	//
		383	// PRF(secret, label, seed) = P_<hash>(secret, label + seed)
		384	//
		385	// The label is an ASCII string.
		386	static void tls_prf_hmac_sha256(
		387	uint8_t *outbuf, unsigned outbuf_size,
		388	uint8_t *secret, unsigned secret_size,
		389	const char *label,
		390	uint8_t *seed, unsigned seed_size)
		391	{
		392	uint8_t a[SHA256_OUTSIZE];
		393	uint8_t *out_p = outbuf;
		394	unsigned label_size = strlen(label);
		395
		396	/* In P_hash() calculation, "seed" is "label + seed": */
		397	#define SEED label, label_size, seed, seed_size
		398	#define SECRET secret, secret_size
		399	#define A a, (int)(sizeof(a))
		400
		401	/* A(1) = HMAC_hash(secret, seed) */
		402	hmac_sha256(a, SECRET, SEED, NULL);
		403	//TODO: convert hmac_sha256 to precomputed
		404
		405	for(;;) {
		406	/* HMAC_hash(secret, A(1) + seed) */
		407	if (outbuf_size <= SHA256_OUTSIZE) {
		408	/* Last, possibly incomplete, block */
		409	/* (use a[] as temp buffer) */
		410	hmac_sha256(a, SECRET, A, SEED, NULL);
		411	memcpy(out_p, a, outbuf_size);
		412	return;
		413	}
		414	/* Not last block. Store directly to result buffer */
		415	hmac_sha256(out_p, SECRET, A, SEED, NULL);
		416	out_p += SHA256_OUTSIZE;
		417	outbuf_size -= SHA256_OUTSIZE;
		418	/* A(2) = HMAC_hash(secret, A(1)) */
		419	hmac_sha256(a, SECRET, A, NULL);
		420	}
		421	#undef A
		422	#undef SECRET
		423	#undef SEED
		424	}
		425
287	static	426	static
288	tls_state_t *new_tls_state(void)	427	tls_state_t *new_tls_state(void)
289	{	428	{
@@ -293,11 +432,13 @@ tls_state_t *new_tls_state(void)
293	return tls;	432	return tls;
294	}	433	}
295		434
296	static void hmac_sha256(uint8_t out[SHA256_OUTSIZE], uint8_t *key, unsigned key_size, ...);	435	static void tls_error_die(tls_state_t *tls)
297
298	static void xwrite_and_hash(tls_state_t tls, /const/ void buf, unsigned size)
299	{	436	{
300	// rfc5246	437	dump_tls_record(tls->inbuf, tls->insize + tls->tail);
		438	xfunc_die();
		439	}
		440
		441	// RFC 5246
301	// 6.2.3.1. Null or Standard Stream Cipher	442	// 6.2.3.1. Null or Standard Stream Cipher
302	//	443	//
303	// Stream ciphers (including BulkCipherAlgorithm.null; see Appendix A.6)	444	// Stream ciphers (including BulkCipherAlgorithm.null; see Appendix A.6)
@@ -310,18 +451,14 @@ static void xwrite_and_hash(tls_state_t tls, /const/ void buf, unsigned size
310	// } GenericStreamCipher;	451	// } GenericStreamCipher;
311	//	452	//
312	// The MAC is generated as:	453	// The MAC is generated as:
313	//
314	// MAC(MAC_write_key, seq_num +	454	// MAC(MAC_write_key, seq_num +
315	// TLSCompressed.type +	455	// TLSCompressed.type +
316	// TLSCompressed.version +	456	// TLSCompressed.version +
317	// TLSCompressed.length +	457	// TLSCompressed.length +
318	// TLSCompressed.fragment);	458	// TLSCompressed.fragment);
319	//
320	// where "+" denotes concatenation.	459	// where "+" denotes concatenation.
321	//
322	// seq_num	460	// seq_num
323	// The sequence number for this record.	461	// The sequence number for this record.
324	//
325	// MAC	462	// MAC
326	// The MAC algorithm specified by SecurityParameters.mac_algorithm.	463	// The MAC algorithm specified by SecurityParameters.mac_algorithm.
327	//	464	//
@@ -345,23 +482,26 @@ static void xwrite_and_hash(tls_state_t tls, /const/ void buf, unsigned size
345	// MD5 HMAC-MD5 16 16	482	// MD5 HMAC-MD5 16 16
346	// SHA HMAC-SHA1 20 20	483	// SHA HMAC-SHA1 20 20
347	// SHA256 HMAC-SHA256 32 32	484	// SHA256 HMAC-SHA256 32 32
348		485	static void xwrite_and_hash(tls_state_t tls, /const/ void buf, unsigned size)
		486	{
349	uint8_t mac_hash[SHA256_OUTSIZE];	487	uint8_t mac_hash[SHA256_OUTSIZE];
350	struct record_hdr *xhdr = buf;	488	struct record_hdr *xhdr = buf;
351		489
352	if (tls->encrypt_on_write) {	490	if (tls->encrypt_on_write) {
		491	//TODO: convert hmac_sha256 to precomputed
353	hmac_sha256(mac_hash,	492	hmac_sha256(mac_hash,
354	tls->client_write_MAC_key, sizeof(tls->client_write_MAC_key),	493	tls->client_write_MAC_key, sizeof(tls->client_write_MAC_key),
355	&tls->write_seq64_be, sizeof(tls->write_seq64_be),	494	&tls->write_seq64_be, sizeof(tls->write_seq64_be),
356	buf, size,	495	buf, size,
357	NULL);	496	NULL);
358	tls->write_seq64_be = SWAP_BE64(1 + SWAP_BE64(tls->write_seq64_be));	497	tls->write_seq64_be = SWAP_BE64(1 + SWAP_BE64(tls->write_seq64_be));
		498	/* Temporarily change for writing */
359	xhdr->len16_lo += SHA256_OUTSIZE;	499	xhdr->len16_lo += SHA256_OUTSIZE;
360	//^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ FIXME
361	}	500	}
362		501
363	xwrite(tls->fd, buf, size);	502	xwrite(tls->fd, buf, size);
364	dbg("wrote %u bytes\n", size);	503	dbg("wrote %u bytes\n", size);
		504
365	if (tls->encrypt_on_write) {	505	if (tls->encrypt_on_write) {
366	xwrite(tls->fd, mac_hash, sizeof(mac_hash));	506	xwrite(tls->fd, mac_hash, sizeof(mac_hash));
367	dbg("wrote %u bytes of hash\n", (int)sizeof(mac_hash));	507	dbg("wrote %u bytes of hash\n", (int)sizeof(mac_hash));
@@ -374,12 +514,6 @@ static void xwrite_and_hash(tls_state_t tls, /const/ void buf, unsigned size
374	}	514	}
375	}	515	}
376		516
377	static void tls_error_die(tls_state_t *tls)
378	{
379	dump_tls_record(tls->inbuf, tls->insize + tls->tail);
380	xfunc_die();
381	}
382
383	static int xread_tls_block(tls_state_t *tls)	517	static int xread_tls_block(tls_state_t *tls)
384	{	518	{
385	struct record_hdr *xhdr;	519	struct record_hdr *xhdr;
@@ -417,7 +551,7 @@ static int xread_tls_block(tls_state_t *tls)
417	target -= sizeof(*xhdr);	551	target -= sizeof(*xhdr);
418		552
419	/* RFC 5246 is not saying it explicitly, but sha256 hash	553	/* RFC 5246 is not saying it explicitly, but sha256 hash
420	* in our FINISHED packet must include hashes of incoming packets too!	554	* in our FINISHED record must include data of incoming packets too!
421	*/	555	*/
422	if (tls->inbuf[0] == RECORD_TYPE_HANDSHAKE) {	556	if (tls->inbuf[0] == RECORD_TYPE_HANDSHAKE) {
423	sha256_hash_dbg("<< sha256:%s", &tls->handshake_sha256_ctx, tls->inbuf + 5, target);	557	sha256_hash_dbg("<< sha256:%s", &tls->handshake_sha256_ctx, tls->inbuf + 5, target);
@@ -427,23 +561,9 @@ static int xread_tls_block(tls_state_t *tls)
427	return target;	561	return target;
428	}	562	}
429		563
430	static int xread_tls_handshake_block(tls_state_t *tls, int min_len)	564	/*
431	{	565	* DER parsing routines
432	struct record_hdr *xhdr;	566	*/
433	int len = xread_tls_block(tls);
434
435	xhdr = (void*)tls->inbuf;
436	if (len < min_len
437	\|\| xhdr->type != RECORD_TYPE_HANDSHAKE
438	\|\| xhdr->proto_maj != TLS_MAJ
439	\|\| xhdr->proto_min != TLS_MIN
440	) {
441	tls_error_die(tls);
442	}
443	dbg("got HANDSHAKE\n");
444	return len;
445	}
446
447	static unsigned get_der_len(uint8_t *bodyp, uint8_t der, uint8_t *end)	567	static unsigned get_der_len(uint8_t *bodyp, uint8_t der, uint8_t *end)
448	{	568	{
449	unsigned len, len1;	569	unsigned len, len1;
@@ -653,147 +773,26 @@ static void find_key_in_der_cert(tls_state_t tls, uint8_t der, int len)
653	dbg("server_rsa_pub_key.size:%d\n", tls->server_rsa_pub_key.size);	773	dbg("server_rsa_pub_key.size:%d\n", tls->server_rsa_pub_key.size);
654	}	774	}
655		775
656	// RFC 2104: HMAC(key, text) based on a hash H (say, sha256) is:	776	/*
657	// ipad = [0x36 x INSIZE]	777	* TLS Handshake routines
658	// opad = [0x5c x INSIZE]	778	*/
659	// HMAC(key, text) = H((key XOR opad) + H((key XOR ipad) + text))	779	static int xread_tls_handshake_block(tls_state_t *tls, int min_len)
660	//
661	// H(key XOR opad) and H(key XOR ipad) can be precomputed
662	// if we often need HMAC hmac with the same key.
663	//
664	// text is often given in disjoint pieces.
665	static void hmac_sha256_precomputed_v(uint8_t out[SHA256_OUTSIZE],
666	sha256_ctx_t *hashed_key_xor_ipad,
667	sha256_ctx_t *hashed_key_xor_opad,
668	va_list va)
669	{
670	uint8_t *text;
671
672	/* hashed_key_xor_ipad contains unclosed "H((key XOR ipad) +" state */
673	/* hashed_key_xor_opad contains unclosed "H((key XOR opad) +" state */
674
675	/* calculate out = H((key XOR ipad) + text) */
676	while ((text = va_arg(va, uint8_t*)) != NULL) {
677	unsigned text_size = va_arg(va, unsigned);
678	sha256_hash(hashed_key_xor_ipad, text, text_size);
679	}
680	sha256_end(hashed_key_xor_ipad, out);
681
682	/* out = H((key XOR opad) + out) */
683	sha256_hash(hashed_key_xor_opad, out, SHA256_OUTSIZE);
684	sha256_end(hashed_key_xor_opad, out);
685	}
686
687	static void hmac_sha256(uint8_t out[SHA256_OUTSIZE], uint8_t *key, unsigned key_size, ...)
688	{
689	sha256_ctx_t hashed_key_xor_ipad;
690	sha256_ctx_t hashed_key_xor_opad;
691	uint8_t key_xor_ipad[SHA256_INSIZE];
692	uint8_t key_xor_opad[SHA256_INSIZE];
693	uint8_t tempkey[SHA256_OUTSIZE];
694	va_list va;
695	int i;
696
697	va_start(va, key_size);
698
699	// "The authentication key can be of any length up to INSIZE, the
700	// block length of the hash function. Applications that use keys longer
701	// than INSIZE bytes will first hash the key using H and then use the
702	// resultant OUTSIZE byte string as the actual key to HMAC."
703	if (key_size > SHA256_INSIZE) {
704	hash_sha256(tempkey, key, key_size);
705	key = tempkey;
706	key_size = SHA256_OUTSIZE;
707	}
708
709	for (i = 0; i < key_size; i++) {
710	key_xor_ipad[i] = key[i] ^ 0x36;
711	key_xor_opad[i] = key[i] ^ 0x5c;
712	}
713	for (; i < SHA256_INSIZE; i++) {
714	key_xor_ipad[i] = 0x36;
715	key_xor_opad[i] = 0x5c;
716	}
717	sha256_begin(&hashed_key_xor_ipad);
718	sha256_hash(&hashed_key_xor_ipad, key_xor_ipad, SHA256_INSIZE);
719	sha256_begin(&hashed_key_xor_opad);
720	sha256_hash(&hashed_key_xor_opad, key_xor_opad, SHA256_INSIZE);
721
722	hmac_sha256_precomputed_v(out, &hashed_key_xor_ipad, &hashed_key_xor_opad, va);
723	va_end(va);
724	}
725
726	// RFC 5246:
727	// 5. HMAC and the Pseudorandom Function
728	//...
729	// In this section, we define one PRF, based on HMAC. This PRF with the
730	// SHA-256 hash function is used for all cipher suites defined in this
731	// document and in TLS documents published prior to this document when
732	// TLS 1.2 is negotiated.
733	//...
734	// P_hash(secret, seed) = HMAC_hash(secret, A(1) + seed) +
735	// HMAC_hash(secret, A(2) + seed) +
736	// HMAC_hash(secret, A(3) + seed) + ...
737	// where + indicates concatenation.
738	// A() is defined as:
739	// A(0) = seed
740	// A(1) = HMAC_hash(secret, A(0)) = HMAC_hash(secret, seed)
741	// A(i) = HMAC_hash(secret, A(i-1))
742	// P_hash can be iterated as many times as necessary to produce the
743	// required quantity of data. For example, if P_SHA256 is being used to
744	// create 80 bytes of data, it will have to be iterated three times
745	// (through A(3)), creating 96 bytes of output data; the last 16 bytes
746	// of the final iteration will then be discarded, leaving 80 bytes of
747	// output data.
748	//
749	// TLS's PRF is created by applying P_hash to the secret as:
750	//
751	// PRF(secret, label, seed) = P_<hash>(secret, label + seed)
752	//
753	// The label is an ASCII string.
754	static void tls_prf_hmac_sha256(
755	uint8_t *outbuf, unsigned outbuf_size,
756	uint8_t *secret, unsigned secret_size,
757	const char *label,
758	uint8_t *seed, unsigned seed_size)
759	{	780	{
760	uint8_t a[SHA256_OUTSIZE];	781	struct record_hdr *xhdr;
761	uint8_t *out_p = outbuf;	782	int len = xread_tls_block(tls);
762	unsigned label_size = strlen(label);
763
764	/* In P_hash() calculation, "seed" is "label + seed": */
765	#define SEED label, label_size, seed, seed_size
766	#define SECRET secret, secret_size
767	#define A a, (int)(sizeof(a))
768
769	/* A(1) = HMAC_hash(secret, seed) */
770	hmac_sha256(a, SECRET, SEED, NULL);
771	//TODO: convert hmac_sha256 to precomputed
772		783
773	for(;;) {	784	xhdr = (void*)tls->inbuf;
774	/* HMAC_hash(secret, A(1) + seed) */	785	if (len < min_len
775	if (outbuf_size <= SHA256_OUTSIZE) {	786	\|\| xhdr->type != RECORD_TYPE_HANDSHAKE
776	/* Last, possibly incomplete, block */	787	\|\| xhdr->proto_maj != TLS_MAJ
777	/* (use a[] as temp buffer) */	788	\|\| xhdr->proto_min != TLS_MIN
778	hmac_sha256(a, SECRET, A, SEED, NULL);	789	) {
779	memcpy(out_p, a, outbuf_size);	790	tls_error_die(tls);
780	return;
781	}
782	/* Not last block. Store directly to result buffer */
783	hmac_sha256(out_p, SECRET, A, SEED, NULL);
784	out_p += SHA256_OUTSIZE;
785	outbuf_size -= SHA256_OUTSIZE;
786	/* A(2) = HMAC_hash(secret, A(1)) */
787	hmac_sha256(a, SECRET, A, NULL);
788	}	791	}
789	#undef A	792	dbg("got HANDSHAKE\n");
790	#undef SECRET	793	return len;
791	#undef SEED
792	}	794	}
793		795
794	/*
795	* TLS Handshake routines
796	*/
797	static void send_client_hello(tls_state_t *tls)	796	static void send_client_hello(tls_state_t *tls)
798	{	797	{
799	struct client_hello {	798	struct client_hello {
@@ -1055,7 +1054,7 @@ static void send_change_cipher_spec(tls_state_t *tls)
1055	dbg(">> CHANGE_CIPHER_SPEC\n");	1054	dbg(">> CHANGE_CIPHER_SPEC\n");
1056	xwrite(tls->fd, rec, sizeof(rec));	1055	xwrite(tls->fd, rec, sizeof(rec));
1057		1056
1058	tls->write_seq64_be = 0;	1057	/* tls->write_seq64_be = 0; - already is */
1059	tls->encrypt_on_write = 1;	1058	tls->encrypt_on_write = 1;
1060	}	1059	}
1061		1060