/* * Copyright (c) 2020, Ali Mohammad Pur * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: * * 1. Redistributions of source code must retain the above copyright notice, this * list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright notice, * this list of conditions and the following disclaimer in the documentation * and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include #include #include #include namespace TLS { bool TLSv12::expand_key() { u8 key[192]; // soooooooo many constants auto key_buffer = ByteBuffer::wrap(key, 192); if (m_context.master_key.size() == 0) { dbg() << "expand_key() with empty master key"; return false; } auto key_size = key_length(); auto mac_size = mac_length(); auto iv_size = iv_length(); pseudorandom_function( key_buffer, m_context.master_key, (const u8*)"key expansion", 13, ByteBuffer::wrap(m_context.remote_random, 32), ByteBuffer::wrap(m_context.local_random, 32)); size_t offset = 0; memcpy(m_context.crypto.local_mac, key + offset, mac_size); offset += mac_size; memcpy(m_context.crypto.remote_mac, key + offset, mac_size); offset += mac_size; auto client_key = key + offset; offset += key_size; auto server_key = key + offset; offset += key_size; auto client_iv = key + offset; offset += iv_size; auto server_iv = key + offset; offset += iv_size; #ifdef TLS_DEBUG dbg() << "client key"; print_buffer(client_key, key_size); dbg() << "server key"; print_buffer(server_key, key_size); dbg() << "client iv"; print_buffer(client_iv, iv_size); dbg() << "server iv"; print_buffer(server_iv, iv_size); dbg() << "client mac key"; print_buffer(m_context.crypto.local_mac, mac_size); dbg() << "server mac key"; print_buffer(m_context.crypto.remote_mac, mac_size); #endif memcpy(m_context.crypto.local_iv, client_iv, iv_size); memcpy(m_context.crypto.remote_iv, server_iv, iv_size); m_aes_local = make(ByteBuffer::wrap(client_key, key_size), key_size * 8, Crypto::Cipher::Intent::Encryption, Crypto::Cipher::PaddingMode::RFC5246); m_aes_remote = make(ByteBuffer::wrap(server_key, key_size), key_size * 8, Crypto::Cipher::Intent::Decryption, Crypto::Cipher::PaddingMode::RFC5246); m_context.crypto.created = 1; return true; } void TLSv12::pseudorandom_function(ByteBuffer& output, const ByteBuffer& secret, const u8* label, size_t label_length, const ByteBuffer& seed, const ByteBuffer& seed_b) { if (!secret.size()) { dbg() << "null secret"; return; } // RFC 5246: "In this section, we define one PRF, based on HMAC. This PRF with the // SHA-256 hash function is used for all cipher suites defined in this // document and in TLS documents published prior to this document when // TLS 1.2 is negotiated." // Apparently this PRF _always_ uses SHA256 Crypto::Authentication::HMAC hmac(secret); auto l_seed_size = label_length + seed.size() + seed_b.size(); u8 l_seed[l_seed_size]; auto label_seed_buffer = ByteBuffer::wrap(l_seed, l_seed_size); label_seed_buffer.overwrite(0, label, label_length); label_seed_buffer.overwrite(label_length, seed.data(), seed.size()); label_seed_buffer.overwrite(label_length + seed.size(), seed_b.data(), seed_b.size()); auto digest_size = hmac.digest_size(); u8 digest[digest_size]; auto digest_0 = ByteBuffer::wrap(digest, digest_size); digest_0.overwrite(0, hmac.process(label_seed_buffer).immutable_data(), digest_size); size_t index = 0; while (index < output.size()) { hmac.update(digest_0); hmac.update(label_seed_buffer); auto digest_1 = hmac.digest(); auto copy_size = min(digest_size, output.size() - index); output.overwrite(index, digest_1.immutable_data(), copy_size); index += copy_size; digest_0.overwrite(0, hmac.process(digest_0).immutable_data(), digest_size); } } bool TLSv12::compute_master_secret(size_t length) { if (m_context.premaster_key.size() == 0 || length < 48) { dbg() << "there's no way I can make a master secret like this"; dbg() << "I'd like to talk to your manager about this length of " << length; return false; } m_context.master_key.clear(); m_context.master_key.grow(length); pseudorandom_function( m_context.master_key, m_context.premaster_key, (const u8*)"master secret", 13, ByteBuffer::wrap(m_context.local_random, 32), ByteBuffer::wrap(m_context.remote_random, 32)); m_context.premaster_key.clear(); #ifdef TLS_DEBUG dbg() << "master key:"; print_buffer(m_context.master_key); #endif expand_key(); return true; } ByteBuffer TLSv12::build_certificate() { PacketBuilder builder { MessageType::Handshake, m_context.version }; Vector certificates; Vector* local_certificates = nullptr; if (m_context.is_server) { dbg() << "Unsupported: Server mode"; ASSERT_NOT_REACHED(); } else { local_certificates = &m_context.client_certificates; } constexpr size_t der_length_delta = 3; constexpr size_t certificate_vector_header_size = 3; size_t total_certificate_size = 0; for (size_t i = 0; i < local_certificates->size(); ++i) { auto& certificate = local_certificates->at(i); if (!certificate.der.is_empty()) { total_certificate_size += certificate.der.size() + der_length_delta; // FIXME: Check for and respond with only the requested certificate types. if (true) { certificates.append(&certificate); } } } builder.append((u8)HandshakeType::CertificateMessage); if (!total_certificate_size) { #ifdef TLS_DEBUG dbg() << "No certificates, sending empty certificate message"; #endif builder.append_u24(certificate_vector_header_size); builder.append_u24(total_certificate_size); } else { builder.append_u24(total_certificate_size + certificate_vector_header_size); // 3 bytes for header builder.append_u24(total_certificate_size); for (auto& certificate : certificates) { if (!certificate->der.is_empty()) { builder.append_u24(certificate->der.size()); builder.append(certificate->der); } } } auto packet = builder.build(); update_packet(packet); return packet; } ByteBuffer TLSv12::build_change_cipher_spec() { PacketBuilder builder { MessageType::ChangeCipher, m_context.version, 64 }; builder.append((u8)1); auto packet = builder.build(); update_packet(packet); m_context.local_sequence_number = 0; return packet; } ByteBuffer TLSv12::build_server_key_exchange() { dbg() << "FIXME: build_server_key_exchange"; return {}; } ByteBuffer TLSv12::build_client_key_exchange() { PacketBuilder builder { MessageType::Handshake, m_context.version }; builder.append((u8)HandshakeType::ClientKeyExchange); build_random(builder); m_context.connection_status = ConnectionStatus::KeyExchange; auto packet = builder.build(); update_packet(packet); return packet; } ssize_t TLSv12::handle_server_key_exchange(const ByteBuffer&) { dbg() << "FIXME: parse_server_key_exchange"; return 0; } ssize_t TLSv12::handle_verify(const ByteBuffer&) { dbg() << "FIXME: parse_verify"; return 0; } }