# # SSL 3.0 protocol # implement SSL3; include "sys.m"; sys : Sys; include "keyring.m"; keyring : Keyring; IPint, DigestState : import keyring; include "security.m"; random : Random; ssl : SSL; include "daytime.m"; daytime : Daytime; include "asn1.m"; asn1 : ASN1; include "pkcs.m"; pkcs : PKCS; DHParams, DHPublicKey, DHPrivateKey, RSAParams, RSAKey, DSSPrivateKey, DSSPublicKey : import PKCS; include "x509.m"; x509 : X509; Signed, Certificate, SubjectPKInfo : import x509; include "sslsession.m"; sslsession : SSLsession; Session : import sslsession; include "ssl3.m"; # # debug mode # SSL_DEBUG : con 0; logfd : ref Sys->FD; # # version {major, minor} # SSL_VERSION_2_0 := array [] of {byte 0, byte 16r02}; SSL_VERSION_3_0 := array [] of {byte 16r03, byte 0}; # SSL Record Protocol SSL_CHANGE_CIPHER_SPEC : con 20; SSL_ALERT : con 21; SSL_HANDSHAKE : con 22; SSL_APPLICATION_DATA : con 23; SSL_V2HANDSHAKE : con 0; # escape to sslv2 # SSL Application Protocol consists of alert protocol, change cipher spec protocol # v2 and v3 handshake protocol and application data protocol. The v2 handshake # protocol is included only for backward compatibility Protocol: adt { pick { pAlert => alert : ref Alert; pChangeCipherSpec => change_cipher_spec : ref ChangeCipherSpec; pHandshake => handshake : ref Handshake; pV2Handshake => handshake : ref V2Handshake; pApplicationData => data : array of byte; } decode: fn(r: ref Record, ctx: ref Context): (ref Protocol, string); encode: fn(p: self ref Protocol, vers: array of byte): (ref Record, string); tostring: fn(p: self ref Protocol): string; }; # # ssl alert protocol # SSL_WARNING : con 1; SSL_FATAL : con 2; SSL_CLOSE_NOTIFY : con 0; SSL_UNEXPECTED_MESSAGE : con 10; SSL_BAD_RECORD_MAC : con 20; SSL_DECOMPRESSION_FAILURE : con 30; SSL_HANDSHAKE_FAILURE : con 40; SSL_NO_CERTIFICATE : con 41; SSL_BAD_CERTIFICATE : con 42; SSL_UNSUPPORTED_CERTIFICATE : con 43; SSL_CERTIFICATE_REVOKED : con 44; SSL_CERTIFICATE_EXPIRED : con 45; SSL_CERTIFICATE_UNKNOWN : con 46; SSL_ILLEGAL_PARAMETER : con 47; Alert: adt { level : int; description : int; tostring: fn(a: self ref Alert): string; }; # # ssl change cipher spec protocol # ChangeCipherSpec: adt { value : int; }; # # ssl handshake protocol # SSL_HANDSHAKE_HELLO_REQUEST : con 0; SSL_HANDSHAKE_CLIENT_HELLO : con 1; SSL_HANDSHAKE_SERVER_HELLO : con 2; SSL_HANDSHAKE_CERTIFICATE : con 11; SSL_HANDSHAKE_SERVER_KEY_EXCHANGE : con 12; SSL_HANDSHAKE_CERTIFICATE_REQUEST : con 13; SSL_HANDSHAKE_SERVER_HELLO_DONE : con 14; SSL_HANDSHAKE_CERTIFICATE_VERIFY : con 15; SSL_HANDSHAKE_CLIENT_KEY_EXCHANGE : con 16; SSL_HANDSHAKE_FINISHED : con 20; Handshake: adt { pick { HelloRequest => ClientHello => version : array of byte; # [2] random : array of byte; # [32] session_id : array of byte; # <0..32> suites : array of byte; # [2] x compressions : array of byte; # [1] x ServerHello => version : array of byte; # [2] random : array of byte; # [32] session_id : array of byte; # <0..32> suite : array of byte; # [2] compression : byte; # [1] Certificate => cert_list : list of array of byte; # X509 cert chain ServerKeyExchange => xkey : array of byte; # exchange_keys CertificateRequest => cert_types : array of byte; dn_list : list of array of byte; # DN list ServerHelloDone => CertificateVerify => signature : array of byte; ClientKeyExchange => xkey : array of byte; Finished => md5_hash : array of byte; # [16] Keyring->MD5dlen sha_hash : array of byte; # [20] Keyring->SHAdlen } decode: fn(buf: array of byte): (ref Handshake, string); encode: fn(hm: self ref Handshake): (array of byte, string); tostring: fn(hm: self ref Handshake): string; }; # cipher suites and cipher specs (default, not all supported) # - key exchange, signature, encrypt and digest algorithms SSL3_Suites := array [] of { NULL_WITH_NULL_NULL => array [] of {byte 0, byte 16r00}, RSA_WITH_NULL_MD5 => array [] of {byte 0, byte 16r01}, RSA_WITH_NULL_SHA => array [] of {byte 0, byte 16r02}, RSA_EXPORT_WITH_RC4_40_MD5 => array [] of {byte 0, byte 16r03}, RSA_WITH_RC4_128_MD5 => array [] of {byte 0, byte 16r04}, RSA_WITH_RC4_128_SHA => array [] of {byte 0, byte 16r05}, RSA_EXPORT_WITH_RC2_CBC_40_MD5 => array [] of {byte 0, byte 16r06}, RSA_WITH_IDEA_CBC_SHA => array [] of {byte 0, byte 16r07}, RSA_EXPORT_WITH_DES40_CBC_SHA => array [] of {byte 0, byte 16r08}, RSA_WITH_DES_CBC_SHA => array [] of {byte 0, byte 16r09}, RSA_WITH_3DES_EDE_CBC_SHA => array [] of {byte 0, byte 16r0A}, DH_DSS_EXPORT_WITH_DES40_CBC_SHA => array [] of {byte 0, byte 16r0B}, DH_DSS_WITH_DES_CBC_SHA => array [] of {byte 0, byte 16r0C}, DH_DSS_WITH_3DES_EDE_CBC_SHA => array [] of {byte 0, byte 16r0D}, DH_RSA_EXPORT_WITH_DES40_CBC_SHA => array [] of {byte 0, byte 16r0E}, DH_RSA_WITH_DES_CBC_SHA => array [] of {byte 0, byte 16r0F}, DH_RSA_WITH_3DES_EDE_CBC_SHA => array [] of {byte 0, byte 16r10}, DHE_DSS_EXPORT_WITH_DES40_CBC_SHA => array [] of {byte 0, byte 16r11}, DHE_DSS_WITH_DES_CBC_SHA => array [] of {byte 0, byte 16r12}, DHE_DSS_WITH_3DES_EDE_CBC_SHA => array [] of {byte 0, byte 16r13}, DHE_RSA_EXPORT_WITH_DES40_CBC_SHA => array [] of {byte 0, byte 16r14}, DHE_RSA_WITH_DES_CBC_SHA => array [] of {byte 0, byte 16r15}, DHE_RSA_WITH_3DES_EDE_CBC_SHA => array [] of {byte 0, byte 16r16}, DH_anon_EXPORT_WITH_RC4_40_MD5 => array [] of {byte 0, byte 16r17}, DH_anon_WITH_RC4_128_MD5 => array [] of {byte 0, byte 16r18}, DH_anon_EXPORT_WITH_DES40_CBC_SHA => array [] of {byte 0, byte 16r19}, DH_anon_WITH_DES_CBC_SHA => array [] of {byte 0, byte 16r1A}, DH_anon_WITH_3DES_EDE_CBC_SHA => array [] of {byte 0, byte 16r1B}, FORTEZZA_KEA_WITH_NULL_SHA => array [] of {byte 0, byte 16r1C}, FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA => array [] of {byte 0, byte 16r1D}, FORTEZZA_KEA_WITH_RC4_128_SHA => array [] of {byte 0, byte 16r1E}, }; # # key exchange algorithms # DHmodlen : con 512; # default length # # certificate types # SSL_RSA_sign : con 1; SSL_DSS_sign : con 2; SSL_RSA_fixed_DH : con 3; SSL_DSS_fixed_DH : con 4; SSL_RSA_emhemeral_DH : con 5; SSL_DSS_empemeral_DH : con 6; SSL_FORTEZZA_MISSI : con 20; # # cipher definitions # SSL_EXPORT_TRUE : con 0; SSL_EXPORT_FALSE : con 1; SSL_NULL_CIPHER, SSL_RC4, SSL_RC2_CBC, SSL_IDEA_CBC, SSL_DES_CBC, SSL_3DES_EDE_CBC, SSL_FORTEZZA_CBC : con iota; SSL_STREAM_CIPHER, SSL_BLOCK_CIPHER : con iota; SSL_NULL_MAC, SSL_MD5, SSL_SHA : con iota; # # MAC paddings # SSL_MAX_MAC_PADDING : con 48; SSL_MAC_PAD1 := array [] of { byte 16r36, byte 16r36, byte 16r36, byte 16r36, byte 16r36, byte 16r36, byte 16r36, byte 16r36, byte 16r36, byte 16r36, byte 16r36, byte 16r36, byte 16r36, byte 16r36, byte 16r36, byte 16r36, byte 16r36, byte 16r36, byte 16r36, byte 16r36, byte 16r36, byte 16r36, byte 16r36, byte 16r36, byte 16r36, byte 16r36, byte 16r36, byte 16r36, byte 16r36, byte 16r36, byte 16r36, byte 16r36, byte 16r36, byte 16r36, byte 16r36, byte 16r36, byte 16r36, byte 16r36, byte 16r36, byte 16r36, byte 16r36, byte 16r36, byte 16r36, byte 16r36, byte 16r36, byte 16r36, byte 16r36, byte 16r36, }; SSL_MAC_PAD2 := array [] of { byte 16r5c, byte 16r5c, byte 16r5c, byte 16r5c, byte 16r5c, byte 16r5c, byte 16r5c, byte 16r5c, byte 16r5c, byte 16r5c, byte 16r5c, byte 16r5c, byte 16r5c, byte 16r5c, byte 16r5c, byte 16r5c, byte 16r5c, byte 16r5c, byte 16r5c, byte 16r5c, byte 16r5c, byte 16r5c, byte 16r5c, byte 16r5c, byte 16r5c, byte 16r5c, byte 16r5c, byte 16r5c, byte 16r5c, byte 16r5c, byte 16r5c, byte 16r5c, byte 16r5c, byte 16r5c, byte 16r5c, byte 16r5c, byte 16r5c, byte 16r5c, byte 16r5c, byte 16r5c, byte 16r5c, byte 16r5c, byte 16r5c, byte 16r5c, byte 16r5c, byte 16r5c, byte 16r5c, byte 16r5c, }; # # finished messages # SSL_CLIENT_SENDER := array [] of { byte 16r43, byte 16r4C, byte 16r4E, byte 16r54}; SSL_SERVER_SENDER := array [] of { byte 16r53, byte 16r52, byte 16r56, byte 16r52}; # # a default distiguished names # RSA_COMMERCIAL_CA_ROOT_SUBJECT_NAME := array [] of { byte 16r30, byte 16r5F, byte 16r31, byte 16r0B, byte 16r30, byte 16r09, byte 16r06, byte 16r03, byte 16r55, byte 16r04, byte 16r06, byte 16r13, byte 16r02, byte 16r55, byte 16r53, byte 16r31, byte 16r20, byte 16r30, byte 16r1E, byte 16r06, byte 16r03, byte 16r55, byte 16r04, byte 16r0A, byte 16r13, byte 16r17, byte 16r52, byte 16r53, byte 16r41, byte 16r20, byte 16r44, byte 16r61, byte 16r74, byte 16r61, byte 16r20, byte 16r53, byte 16r65, byte 16r63, byte 16r75, byte 16r72, byte 16r69, byte 16r74, byte 16r79, byte 16r2C, byte 16r20, byte 16r49, byte 16r6E, byte 16r63, byte 16r2E, byte 16r31, byte 16r2E, byte 16r30, byte 16r2C, byte 16r06, byte 16r03, byte 16r55, byte 16r04, byte 16r0B, byte 16r13, byte 16r25, byte 16r53, byte 16r65, byte 16r63, byte 16r75, byte 16r72, byte 16r65, byte 16r20, byte 16r53, byte 16r65, byte 16r72, byte 16r76, byte 16r65, byte 16r72, byte 16r20, byte 16r43, byte 16r65, byte 16r72, byte 16r74, byte 16r69, byte 16r66, byte 16r69, byte 16r63, byte 16r61, byte 16r74, byte 16r69, byte 16r6F, byte 16r6E, byte 16r20, byte 16r41, byte 16r75, byte 16r74, byte 16r68, byte 16r6F, byte 16r72, byte 16r69, byte 16r74, byte 16r79, }; # SSL internal status USE_DEVSSL, SSL3_RECORD, SSL3_HANDSHAKE, SSL2_HANDSHAKE, CLIENT_SIDE, SESSION_RESUMABLE, CLIENT_AUTH, CERT_REQUEST, CERT_SENT, CERT_RECEIVED, OUT_READY, IN_READY : con 1 << iota; # SSL internal state STATE_EXIT, STATE_CHANGE_CIPHER_SPEC, STATE_HELLO_REQUEST, STATE_CLIENT_HELLO, STATE_SERVER_HELLO, STATE_CLIENT_KEY_EXCHANGE, STATE_SERVER_KEY_EXCHANGE, STATE_SERVER_HELLO_DONE, STATE_CLIENT_CERTIFICATE, STATE_SERVER_CERTIFICATE, STATE_CERTIFICATE_VERIFY, STATE_FINISHED : con iota; # # load necessary modules # init(): string { sys = load Sys Sys->PATH; if(sys == nil) return "ssl3: load sys module failed"; logfd = sys->fildes(1); keyring = load Keyring Keyring->PATH; if(keyring == nil) return "ssl3: load keyring module failed"; random = load Random Random->PATH; if(random == nil) return "ssl3: load random module failed"; daytime = load Daytime Daytime->PATH; if(daytime == nil) return "ssl3: load Daytime module failed"; pkcs = load PKCS PKCS->PATH; if(pkcs == nil) return "ssl3: load pkcs module failed"; pkcs->init(); x509 = load X509 X509->PATH; if(x509 == nil) return "ssl3: load x509 module failed"; x509->init(); ssl = load SSL SSL->PATH; if(ssl == nil) return "ssl3: load SSL module failed"; (n, nil) := sys->stat("/n/ssl/clone"); if(n < 0) { n = sys->bind("#D", "/n/ssl", sys->MREPL); if(n < 0) { if(SSL_DEBUG) log(sys->sprint("ssl3: bind ssl device failed: %r\n")); exit; } } sslsession = load SSLsession SSLsession->PATH; if(sslsession == nil) return "ssl3: load sslsession module failed"; sslsession->init(); return ""; } log(s: string) { a := array of byte (s + "\n"); sys->write(logfd, a, len a); } # # protocol context # Context.new(): ref Context { ctx := ref Context; ctx.c = nil; ctx.session = nil; ctx.local_info = nil; ctx.sha_state = nil; ctx.md5_state = nil; ctx.status = 0; ctx.state = 0; ctx.client_random = array [32] of byte; ctx.server_random = array [32] of byte; ctx.cw_mac = nil; ctx.sw_mac = nil; ctx.cw_key = nil; ctx.sw_key = nil; ctx.cw_IV = nil; ctx.sw_IV = nil; ctx.in_queue = RecordQueue.new(); ctx.in_queue.data = ref Record(0, nil, array [1<<15] of byte) :: nil; ctx.out_queue = RecordQueue.new(); # set session resumable as default ctx.status |= SESSION_RESUMABLE; return ctx; } Context.client(ctx: self ref Context, fd: ref Sys->FD, peername: string, ver: int, info: ref Authinfo) : (string, int) { if ((ckstr := cksuites(info.suites)) != nil) return (ckstr, ver); # the order is important ctx.local_info = info; ctx.state = STATE_HELLO_REQUEST; e := ctx.connect(fd); if(e != "") return (e, ver); ctx.session = sslsession->get_session_byname(peername); # Request to resume an SSL 3.0 session should use an SSL 3.0 client hello if(ctx.session.session_id != nil) { if((ctx.session.version[0] == SSL_VERSION_3_0[0]) && (ctx.session.version[1] == SSL_VERSION_3_0[1])) { ver = 3; ctx.status |= SSL3_HANDSHAKE; ctx.status &= ~SSL2_HANDSHAKE; } } e = ctx.set_version(ver); if(e != "") return (e, ver); reset_client_random(ctx); ctx.status |= CLIENT_SIDE; e = do_protocol(ctx); if(e != nil) return (e, ver); if(ctx.status & SSL3_RECORD) ver = 3; else ver = 2; return (nil, ver); } Context.server(ctx: self ref Context, fd: ref Sys->FD, info: ref Authinfo, client_auth: int) : string { if ((ckstr := cksuites(info.suites)) != nil) return ckstr; ctx.local_info = info; if(client_auth) ctx.status |= CLIENT_AUTH; ctx.state = STATE_CLIENT_HELLO; e := ctx.connect(fd); if(e != "") return e; reset_server_random(ctx); e = ctx.set_version(3); # set ssl device to version 3 if(e != "") return e; ctx.status &= ~CLIENT_SIDE; e = do_protocol(ctx); if(e != nil) return e; return ""; } Context.use_devssl(ctx: self ref Context) { if(!(ctx.status & IN_READY) && !(ctx.status & OUT_READY)) ctx.status |= USE_DEVSSL; } Context.set_version(ctx: self ref Context, vers: int): string { err := ""; if(ctx.c == nil) { err = "no connection provided"; } else { if(SSL_DEBUG) log("ssl3: record version = " + string vers); if(vers == 2) { ctx.status &= ~SSL3_RECORD; ctx.status &= ~SSL3_HANDSHAKE; ctx.status |= SSL2_HANDSHAKE; if (ctx.session != nil) ctx.session.version = SSL_VERSION_2_0; } else if(vers == 3) { # may be sslv2 handshake using ssl3 record ctx.status |= SSL3_RECORD; ctx.status |= SSL3_HANDSHAKE; ctx.status &= ~SSL2_HANDSHAKE; # tmp test only if (ctx.session != nil) ctx.session.version = SSL_VERSION_3_0; } else if(vers == 23) { # may be sslv2 handshake using ssl3 record ctx.status &= ~SSL3_RECORD; ctx.status |= SSL3_HANDSHAKE; ctx.status |= SSL2_HANDSHAKE; vers = 2; } else err = "unsupported ssl device version"; if((err == "") && (ctx.status & USE_DEVSSL)) { if(sys->fprint(ctx.c.cfd, "ver %d", vers) < 0) err = sys->sprint("ssl3: set ssl device version failed: %r"); } } return err; } Context.connect(ctx: self ref Context, fd: ref Sys->FD): string { err := ""; if(ctx.status & USE_DEVSSL) (err, ctx.c) = ssl->connect(fd); else { ctx.c = ref Sys->Connection(fd, nil, ""); ctx.in_queue.sequence_numbers[0] = 0; ctx.out_queue.sequence_numbers[1] = 0; } return err; } Context.read(ctx: self ref Context, a: array of byte, n: int): int { if(ctx.state != STATE_EXIT || !(ctx.status & IN_READY)) return -1; if(ctx.out_queue.data != nil) record_write_queue(ctx); if(ctx.status & USE_DEVSSL) { fd := ctx.c.dfd; if(ctx.status & SSL3_RECORD) { buf := array [n+3] of byte; m := sys->read(fd, buf, n+3); # header + n bytes if(m < 3) { if(SSL_DEBUG) log(sys->sprint("ssl3: read failure: %r")); return -1; } if(buf[1] != SSL_VERSION_3_0[0] || buf[2] != SSL_VERSION_3_0[1]) { if(SSL_DEBUG) log("ssl3: not ssl version 3 data: header = [" + bastr(buf[0:3]) + "]"); return -1; } a[0:] = buf[3:m]; content_type := int buf[0]; case content_type { SSL_APPLICATION_DATA => break; SSL_ALERT => if(SSL_DEBUG) log("ssl3: expect application data, got alert: [" + bastr(buf[3:m]) +"]"); return 0; SSL_HANDSHAKE => if(SSL_DEBUG) log("ssl3: expect application data, got handshake message"); return 0; SSL_CHANGE_CIPHER_SPEC => if(SSL_DEBUG) log("ssl3: dynamic change cipher spec not supported yet"); return 0; } return m-3; } else return sys->read(fd, a, n); } else { q := ctx.in_queue; got := 0; if(q.fragment) { d := (hd q.data).data; m := q.e - q.b; i := q.e - q.fragment; if(q.fragment > n) { a[0:] = d[i:i+n]; q.fragment -= n; got = n; } else { a[0:] = d[i:q.e]; got = q.fragment; q.fragment = 0; } } out: while(got < n) { err := q.read(ctx, ctx.c.dfd); if(err != "") { if(SSL_DEBUG) log("ssl3: read: " + err); break; } r := hd q.data; if(ctx.status & SSL3_RECORD) { case r.content_type { SSL_APPLICATION_DATA => break; SSL_ALERT => if(SSL_DEBUG) log("ssl3: read: got alert\n\t\t" + bastr(r.data)); break out; SSL_CHANGE_CIPHER_SPEC => if(SSL_DEBUG) log("ssl3: read: got change cipher spec\n"); SSL_HANDSHAKE => if(SSL_DEBUG) log("ssl3: read: got handshake data\n"); #do_handshake(ctx, r); # ? * => if(SSL_DEBUG) log("ssl3: read: unknown data\n"); } } if((n - got) <= (q.e - q.b)) { a[got:] = r.data[q.b:q.b+n-got]; q.fragment = q.e - q.b - n + got; got = n; } else { a[got:] = r.data[q.b:q.e]; q.fragment = 0; got += q.e - q.b; } } return got; } } Context.write(ctx: self ref Context, a: array of byte, n: int): int { if(ctx.state != STATE_EXIT || !(ctx.status & OUT_READY)) return-1; if(ctx.out_queue.data != nil) record_write_queue(ctx); if(ctx.status & USE_DEVSSL) { if(ctx.status & SSL3_RECORD) { buf := array [n+3] of byte; buf[0] = byte SSL_APPLICATION_DATA; buf[1:] = SSL_VERSION_3_0; buf[3:] = a[0:n]; n = sys->write(ctx.c.dfd, buf, n+3); if(n > 0) n -= 3; } else n = sys->write(ctx.c.dfd, a, n); } else { q := ctx.out_queue; v := SSL_VERSION_2_0; if(ctx.status&SSL3_RECORD) v = SSL_VERSION_3_0; i, m: int = 0; while(n > 0) { m = n; if(m > q.length) m = q.length; r := ref Record(SSL_APPLICATION_DATA, v, a[i:i+m]); record_write(r, ctx); # return error? n -= m; i += m; } } return n; } devssl_read(ctx: ref Context): (ref Record, string) { buf := array [Sys->ATOMICIO] of byte; r: ref Record; c := ctx.c; n := sys->read(c.dfd, buf, 3); if(n < 0) return (nil, sys->sprint("record read: read failure: %r")); # in case of undetermined, do auto record version detection if((ctx.state == SSL2_STATE_SERVER_HELLO) && (ctx.status & SSL2_HANDSHAKE) && (ctx.status & SSL3_HANDSHAKE)) { fstatus := sys->open(ctx.c.dir + "/status", Sys->OREAD); if(fstatus == nil) return (nil, "open status: " + sys->sprint("%r")); status := array [64] of byte; nbyte := sys->read(fstatus, status, len status); if(nbyte != 1) return (nil, "read status: " + sys->sprint("%r")); ver := int status[0]; if(SSL_DEBUG) log("ssl3: auto record version detect as: " + string ver); # assert ctx.status & SSL2_RECORD true ? before reset if(ver == 2) { ctx.status &= ~SSL3_RECORD; ctx.status |= SSL2_HANDSHAKE; ctx.status &= ~SSL3_HANDSHAKE; } else { ctx.status |= SSL3_RECORD; } } if(ctx.status & SSL3_RECORD) { if(n < 3) return (nil, sys->sprint("record read: read failure: %r")); # assert only major version number if(buf[1] != SSL_VERSION_3_0[0]) return (nil, "record read: version mismatch"); case int buf[0] { SSL_ALERT => n = sys->read(c.dfd, buf, 5); # read in header plus rest if(n != 5) return (nil, sys->sprint("read alert failed: %r")); r = ref Record(SSL_ALERT, SSL_VERSION_3_0, buf[3:5]); SSL_CHANGE_CIPHER_SPEC => n = sys->read(c.dfd, buf, 4); # read in header plus rest if(n != 4) return (nil, sys->sprint("read change_cipher_spec failed: %r")); r = ref Record(SSL_CHANGE_CIPHER_SPEC, SSL_VERSION_3_0, buf[3:4]); SSL_HANDSHAKE => n = sys->read(c.dfd, buf, 7); # header + msg length if(n != 7) return (nil, sys->sprint("read handshake header + msg length failed: %r")); m := int_decode(buf[4:7]); if(m < 0) return (nil, "read handshake failed: unexpected length"); data := array [m+4] of byte; data[0:] = buf[3:7]; # msg type + length if(m != 0) { # need exact m bytes (exclude header), otherwise failure remain := m; now := 4; while(remain > 0) { n = sys->read(c.dfd, buf, remain+3); # header + msg if(n < 3 || int buf[0] != SSL_HANDSHAKE) return (nil, sys->sprint("read handshake msg body failed: %r")); sys->print("expect %d, got %d bytes\n", m, n-3); remain -= n - 3; data[now:] = buf[3:n]; now += n - 3; } } r = ref Record(SSL_HANDSHAKE, SSL_VERSION_3_0, data); * => return (nil, "trying to read unknown protocol message"); } if(SSL_DEBUG) log("ssl3: record_read: \n\theader = \n\t\t" + bastr(buf[0:3]) + "\n\tdata = \n\t\t" + bastr(r.data) + "\n"); } # v2 record layer else { # assume the handshake record size less than Sys->ATOMICIO # in most case, this is ok if(n == 3) { n = sys->read(c.dfd, buf[3:], Sys->ATOMICIO - 3); if(n < 0) return (nil, sys->sprint("v2 record read: read failure: %r")); } r = ref Record(SSL_V2HANDSHAKE, SSL_VERSION_2_0, buf[0:n+3]); if(SSL_DEBUG) log("ssl3: v2 record_read: \n\tdata = \n\t\t" + bastr(r.data) + "\n"); } return (r, nil); } record_read(ctx: ref Context): (ref Record, string) { q := ctx.in_queue; if(q.fragment == 0) { err := q.read(ctx, ctx.c.dfd); if(err != "") return (nil, err); q.fragment = q.e - q.b; } r := hd q.data; if(ctx.status & SSL3_RECORD) { # confirm only major version number if(r.version[0] != SSL_VERSION_3_0[0]) return (nil, "record read: not v3 record"); case r.content_type { SSL_ALERT => a := array [2] of byte; n := fetch_data(ctx, a, 2); if(n != 2) return (nil, "read alert failed"); r = ref Record(SSL_ALERT, SSL_VERSION_3_0, a); SSL_CHANGE_CIPHER_SPEC => a := array [1] of byte; n := fetch_data(ctx, a, 1); if(n != 1) return (nil, "read change_cipher_spec failed"); r = ref Record(SSL_CHANGE_CIPHER_SPEC, SSL_VERSION_3_0, a); SSL_HANDSHAKE => a := array [4] of byte; n := fetch_data(ctx, a, 4); if(n != 4) return (nil, "read message length failed"); m := int_decode(a[1:]); if(m < 0) return (nil, "unexpected handshake message length"); b := array [m+4] of byte; b[0:] = a; n = fetch_data(ctx, b[4:], m); if(n != m) return (nil, "read message body failed"); r = ref Record(SSL_HANDSHAKE, SSL_VERSION_3_0, b); * => return (nil, "trying to read unknown protocol message"); } } # v2 record layer else { r = ref Record(SSL_V2HANDSHAKE, SSL_VERSION_2_0, r.data[q.b:q.e]); q.fragment = 0; } return (r, nil); } fetch_data(ctx: ref Context, a: array of byte, n: int): int { q := ctx.in_queue; r := hd q.data; got := 0; cnt := -1; out: while(got < n) { if(q.fragment) { cnt = r.content_type; i := q.e - q.fragment; if(n-got <= q.fragment) { a[got:] = r.data[i:i+n-got]; q.fragment -= n - got; got = n; } else { a[got:] = r.data[i:q.e]; got += q.fragment; q.fragment = 0; } } else { err := q.read(ctx, ctx.c.dfd); if(err != "") break out; if(cnt == -1) cnt = r.content_type; if(ctx.status & SSL3_RECORD) { case r.content_type { SSL_APPLICATION_DATA => break; * => if(cnt != r.content_type) break out; } } else { r.content_type = SSL_V2HANDSHAKE; } } } return got; } record_write(r: ref Record, ctx: ref Context) { if(ctx.status & USE_DEVSSL) { buf: array of byte; n: int; c := ctx.c; if(ctx.status & SSL3_RECORD) { buf = array [3 + len r.data] of byte; buf[0] = byte r.content_type; buf[1:] = r.version; buf[3:] = r.data; n = sys->write(c.dfd, buf, len buf); if(n < 0 || n != len buf) { if(SSL_DEBUG) log(sys->sprint("ssl3: v3 record write error: %d %r", n)); return; # don't terminated until alerts being read } } else { buf = r.data; n = sys->write(c.dfd, buf, len buf); if(n < 0 || n != len buf) { if(SSL_DEBUG) log(sys->sprint("ssl3: v2 record write error: %d %r", n)); return; # don't terminated until alerts being read } } } else ctx.out_queue.write(ctx, ctx.c.dfd, r); # if(SSL_DEBUG) # log("ssl3: record_write: \n\t\t" + bastr(buf) + "\n"); } RecordQueue.new(): ref RecordQueue { q := ref RecordQueue( ref MacState.null(0), ref CipherState.null(1), 1 << 15, array [2] of { * => 0}, nil, 0, 0, # b 0 # e ); return q; } RecordQueue.read(q: self ref RecordQueue, ctx: ref Context, fd: ref Sys->FD): string { r := hd q.data; a := r.data; if(ensure(fd, a, 2) < 0) return "no more data"; # auto record version detection m, h, pad: int = 0; if(int a[0] < 20 || int a[0] > 23) { ctx.status &= ~SSL3_RECORD; if(int a[0] & 16r80) { h = 2; m = ((int a[0] & 16r7f) << 8) | int a[1]; pad = 0; } else { h = 3; m = ((int a[0] & 16r3f) << 8) | int a[1]; if(ensure(fd, a[2:], 1) < 0) return "bad v2 record"; pad = int a[2]; if(pad > m) return "bad v2 pad"; } r.content_type = SSL_V2HANDSHAKE; r.version = SSL_VERSION_2_0; } else { ctx.status |= SSL3_RECORD; h = 5; if(ensure(fd, a[2:], 3) < 0) return "bad v3 record"; m = ((int a[3]) << 8) | int a[4]; r.content_type = int a[0]; r.version = a[1:3]; } if(ensure(fd, a[h:], m) < 0) return "data too short"; if(SSL_DEBUG) { log("ssl3: record read\n\tbefore decrypt\n\t\t" + bastr(a[0:m])); log(sys->sprint("SSL3=%d\n", ctx.status & SSL3_RECORD)); } # decrypt (data, pad, mac) pick dec := q.cipherState { null => rc4 => rc4(dec.es, a[h:], m); if (SSL_DEBUG) log("rc4 1"); descbc => keyring->descbc(dec.es, a[h:], m, 1); if (SSL_DEBUG) log("descbc 1"); ideacbc => keyring->ideacbc(dec.es, a[h:], m, 1); if (SSL_DEBUG) log("ideacbc 1"); * => } # if(SSL_DEBUG) # log("ssl3: record read\n\tafter decrypt\n\t\t" + bastr(a[0:m])); idata, imac, ipad: int = 0; if(ctx.status & SSL3_RECORD) { if(q.cipherState.block_size > 1){ pad = int a[h + m - 1]; if(pad >= q.cipherState.block_size) return "bad v3 pad"; # pad++; ipad = h+m-pad-1; } else ipad = h+m-pad; imac = ipad - q.macState.hash_size; idata = h; } else { imac = h; idata = imac + q.macState.hash_size; ipad = h + m - pad; } if(tagof q.macState != tagof MacState.null) { if (ctx.status & SSL3_RECORD) mac := q.calcmac(ctx, r.content_type, a, idata, imac-idata); else mac = q.calcmac(ctx, r.content_type, a, idata, ipad+pad-idata); if(bytes_cmp(mac, a[imac:imac+len mac]) < 0) return "bad mac"; } q.b = idata; if (ctx.status & SSL3_RECORD) q.e = imac; else q.e = ipad; q.fragment = q.e - q.b; if((++q.sequence_numbers[0] == 0) && (ctx.status&SSL3_RECORD)) ++q.sequence_numbers[1]; return ""; } ensure(fd: ref Sys->FD, a: array of byte, n: int): int { i, m: int = 0; while(i < n) { m = sys->read(fd, a[i:], n - i); if(m <= 0) { return -1; } i += m; } return n; } RecordQueue.write(q: self ref RecordQueue, ctx: ref Context, fd: ref Sys->FD, r: ref Record): string { m := len r.data; h, pad: int = 0; if(ctx.status & SSL3_RECORD) { h = 5; if(q.cipherState.block_size > 1) { pad = (m+q.macState.hash_size+1)%q.cipherState.block_size; if (pad) pad = q.cipherState.block_size - pad; } } else { h = 2; if(q.cipherState.block_size > 1) { pad = m%q.cipherState.block_size; if(pad) { pad = q.cipherState.block_size - pad; h++; } } } m += pad + q.macState.hash_size; if ((ctx.status & SSL3_RECORD) && q.cipherState.block_size > 1) m++; a := array [h+m] of byte; idata, imac, ipad: int = 0; if(ctx.status & SSL3_RECORD) { a[0] = byte r.content_type; a[1:] = r.version; a[3] = byte (m >> 8); #CJL - netscape ssl3 traces do not show top bit set # a[3] = byte ((m >> 8) | 16r80); #CJL # a[3] = byte (m | 16r8000) >> 8; a[4] = byte m; idata = h; imac = idata + len r.data; ipad = imac + q.macState.hash_size; if (q.cipherState.block_size > 1) a[h+m-1] = byte pad; } else { if(pad) { a[0] = byte m >> 8; a[2] = byte pad; } else a[0] = byte ((m >> 8) | 16r80); a[1] = byte m; imac = h; idata = imac + q.macState.hash_size; ipad = idata + len r.data; } a[idata:] = r.data; if(pad) a[ipad:] = array [pad] of { * => byte (pad-1)}; if(tagof q.macState != tagof MacState.null) { if (ctx.status & SSL3_RECORD) a[imac:] = q.calcmac(ctx, r.content_type, a, idata, len r.data); else a[imac:] = q.calcmac(ctx, r.content_type, a, idata, ipad+pad-idata); } if(SSL_DEBUG) { log("ssl3: record write\n\tbefore encrypt\n\t\t" + bastr(a)); log(sys->sprint("SSL3=%d\n", ctx.status & SSL3_RECORD)); } # encrypt (data, pad, mac) pick enc := q.cipherState { null => rc4 => rc4(enc.es, a[h:], m); if (SSL_DEBUG) log("rc4 0"); descbc => keyring->descbc(enc.es, a[h:], m, 0); if (SSL_DEBUG) log(sys->sprint("descbc 0 %d", m)); ideacbc => keyring->ideacbc(enc.es, a[h:], m, 0); if (SSL_DEBUG) log(sys->sprint("ideacbc 0 %d", m)); * => } if(SSL_DEBUG) log("ssl3: record write\n\tafter encrypt\n\t\t" + bastr(a)); if(sys->write(fd, a, h+m) < 0) return sys->sprint("ssl3: record write: %r"); if((++q.sequence_numbers[0] == 0) && (ctx.status&SSL3_RECORD)) ++q.sequence_numbers[1]; return ""; } RecordQueue.calcmac(q: self ref RecordQueue, ctx: ref Context, cntype: int, a: array of byte, ofs, n: int) : array of byte { digest, b: array of byte; if(ctx.status & SSL3_RECORD) { b = array [11] of byte; i := putn(b, 0, q.sequence_numbers[1], 4); i = putn(b, i, q.sequence_numbers[0], 4); b[i++] = byte cntype; putn(b, i, n, 2); } else { b = array [4] of byte; putn(b, 0, q.sequence_numbers[0], 4); } # if(SSL_DEBUG) # log("ssl3: record mac\n\tother =\n\t\t" + bastr(b)); pick ms := q.macState { md5 => digest = array [Keyring->MD5dlen] of byte; ds0 := keyring->cloneDigestState(ms.ds[0]); if(ctx.status & SSL3_RECORD) { keyring->md5(b, len b, nil, ds0); keyring->md5(a[ofs:], n, digest, ds0); ds1 := keyring->cloneDigestState(ms.ds[1]); keyring->md5(digest, len digest, digest, ds1); } else { keyring->md5(a[ofs:], n, nil, ds0); keyring->md5(b, len b, digest, ds0); } sha => digest = array [Keyring->SHAdlen] of byte; ds0 := keyring->cloneDigestState(ms.ds[0]); if(ctx.status & SSL3_RECORD) { keyring->sha(b, len b, nil, ds0); keyring->sha(a[ofs:], n, digest, ds0); ds1 := keyring->cloneDigestState(ms.ds[1]); keyring->sha(digest, len digest, digest, ds1); } else { keyring->sha(a[ofs:], n, nil, ds0); keyring->sha(b, len b, digest, ds0); } } return digest; } set_queues(ctx: ref Context): string { sw: array of byte; if(ctx.sw_key != nil) { sw = array [len ctx.sw_key + len ctx.sw_IV] of byte; sw[0:] = ctx.sw_key; sw[len ctx.sw_key:] = ctx.sw_IV; } cw: array of byte; if(ctx.cw_key != nil) { cw = array [len ctx.cw_key + len ctx.cw_IV] of byte; cw[0:] = ctx.cw_key; cw[len ctx.cw_key:] = ctx.cw_IV; } err := ""; if(ctx.status & USE_DEVSSL) { err = set_secrets(ctx.c, ctx.sw_mac, ctx.cw_mac, sw, cw); if(err == "") err = set_cipher_algs(ctx); } else { err = set_out_queue(ctx); if(err == "") err = set_in_queue(ctx); } return err; } set_in_queue(ctx: ref Context): string { sw: array of byte; if(ctx.sw_key != nil) { sw = array [len ctx.sw_key + len ctx.sw_IV] of byte; sw[0:] = ctx.sw_key; sw[len ctx.sw_key:] = ctx.sw_IV; } err := ""; if(ctx.status & USE_DEVSSL) { err = set_secrets(ctx.c, ctx.sw_mac, nil, sw, nil); if(err == "") err = set_cipher_algs(ctx); } else err = set_queue(ctx, ctx.in_queue, ctx.sw_mac, sw); return err; } set_out_queue(ctx: ref Context): string { cw: array of byte; if(ctx.cw_key != nil) { cw = array [len ctx.cw_key + len ctx.cw_IV] of byte; cw[0:] = ctx.cw_key; cw[len ctx.cw_key:] = ctx.cw_IV; } err := ""; if(ctx.status & USE_DEVSSL) { err = set_secrets(ctx.c, nil, ctx.cw_mac, nil, cw); if(err == "") err = set_cipher_algs(ctx); } else err = set_queue(ctx, ctx.out_queue, ctx.cw_mac, cw); return err; } set_queue(ctx: ref Context, q: ref RecordQueue, mac, key: array of byte): string { e := ""; case ctx.sel_ciph.mac_algorithm { SSL_NULL_MAC => q.macState = ref MacState.null(0); SSL_MD5 => ds: array of ref DigestState; if(ctx.status & SSL3_RECORD) { ds = array [2] of ref DigestState; ds[0] = keyring->md5(mac, len mac, nil, nil); ds[1] = keyring->md5(mac, len mac, nil, nil); ds[0] = keyring->md5(SSL_MAC_PAD1, 48, nil, ds[0]); ds[1] = keyring->md5(SSL_MAC_PAD2, 48, nil, ds[1]); } else { ds = array [1] of ref DigestState; ds[0] = keyring->md5(mac, len mac, nil, nil); } q.macState = ref MacState.md5(Keyring->MD5dlen, ds); SSL_SHA => ds: array of ref DigestState; if(ctx.status & SSL3_RECORD) { ds = array [2] of ref DigestState; ds[0] = keyring->sha(mac, len mac, nil, nil); ds[1] = keyring->sha(mac, len mac, nil, nil); ds[0] = keyring->sha(SSL_MAC_PAD1, 40, nil, ds[0]); ds[1] = keyring->sha(SSL_MAC_PAD2, 40, nil, ds[1]); } else { ds = array [1] of ref DigestState; ds[0] = keyring->sha(mac, len mac, nil, nil); } q.macState = ref MacState.sha(Keyring->SHAdlen, ds); * => e = "ssl3: digest method: unknown"; } case ctx.sel_ciph.bulk_cipher_algorithm { SSL_NULL_CIPHER => q.cipherState = ref CipherState.null(1); SSL_RC4 => if (SSL_DEBUG) log("rc4setup"); rcs := setupRC4state(key, len key); # RC4 should be in keyring really q.cipherState = ref CipherState.rc4(1, rcs); SSL_DES_CBC => dcs : ref keyring->DESstate; if (SSL_DEBUG) log(sys->sprint("dessetup %d", len key)); if (len key >= 16) dcs = keyring->dessetup(key[0:8], key[8:16]); else if (len key >= 8) dcs = keyring->dessetup(key[0:8], nil); else e = "ssl3: bad DES key length"; q.cipherState = ref CipherState.descbc(8, dcs); SSL_IDEA_CBC => ics : ref keyring->IDEAstate; if (SSL_DEBUG) log(sys->sprint("ideasetup %d", len key)); if (len key >= 24) ics = keyring->ideasetup(key[0:16], key[16:24]); else if (len key >= 16) ics = keyring->ideasetup(key[0:16], nil); else e = "ssl3: bad IDEA key length"; q.cipherState = ref CipherState.ideacbc(8, ics); SSL_RC2_CBC or SSL_3DES_EDE_CBC or SSL_FORTEZZA_CBC => e = "ssl3: unsupported cipher"; * => e = "ssl3: unknown cipher"; } if(ctx.status & SSL3_RECORD) { q.length = 1 << 14; if(tagof q.macState != tagof MacState.null) q.length += 2048; } else { if(q.cipherState.block_size > 1) { q.length = (1<<14) - q.macState.hash_size - 1; q.length -= q.length % q.cipherState.block_size; } else q.length = (1<<15) - q.macState.hash_size - 1; } if(ctx.status & SSL3_RECORD) q.sequence_numbers[0] = q.sequence_numbers[1] = 0; return e; } set_cipher_algs(ctx: ref Context) : string { e: string; algspec := "alg"; case enc := ctx.sel_ciph.bulk_cipher_algorithm { SSL_NULL_CIPHER => algspec += " clear"; SSL_RC4 => # stream cipher algspec += " rc4_128"; SSL_DES_CBC => # block cipher algspec += " descbc"; SSL_IDEA_CBC => # block cipher algspec += " ideacbc"; SSL_RC2_CBC or SSL_3DES_EDE_CBC or SSL_FORTEZZA_CBC => e = "ssl3: encrypt method: unsupported"; * => e = "ssl3: encrypt method: unknown"; } case mac := ctx.sel_ciph.mac_algorithm { SSL_NULL_MAC => algspec += " clear"; SSL_MD5 => algspec += " md5"; SSL_SHA => algspec += " sha"; * => e = "ssl3: digest method: unknown"; } e = set_ctl(ctx.c, algspec); if(e != "") { if(SSL_DEBUG) log("failed to set cipher algs: " + e); } return e; } set_ctl(c: ref Sys->Connection, s: string): string { a := array of byte s; if(sys->write(c.cfd, a, len a) < 0) return sys->sprint("error writing sslctl: %r"); if(SSL_DEBUG) log("ssl3: set cipher algorithm:\n\t\t" + s + "\n"); return ""; } set_secrets(c: ref Sys->Connection, min, mout, sin, sout: array of byte) : string { fmin := sys->open(c.dir + "/macin", Sys->OWRITE); fmout := sys->open(c.dir + "/macout", Sys->OWRITE); fsin := sys->open(c.dir + "/secretin", Sys->OWRITE); fsout := sys->open(c.dir + "/secretout", Sys->OWRITE); if(fmin == nil || fmout == nil || fsin == nil || fsout == nil) return sys->sprint("can't open ssl secret files: %r\n"); if(sin != nil) { if(SSL_DEBUG) log("ssl3: set encryption secret and IV\n\tsecretin:\n\t\t" + bastr(sin) + "\n"); if(sys->write(fsin, sin, len sin) < 0) return sys->sprint("error writing secretin: %r"); } if(sout != nil) { if(SSL_DEBUG) log("ssl3: set encryption secret and IV\n\tsecretout:\n\t\t" + bastr(sout) + "\n"); if(sys->write(fsout, sout, len sout) < 0) return sys->sprint("error writing secretout: %r"); } if(min != nil) { if(SSL_DEBUG) log("ssl3: set digest secret\n\tmacin:\n\t\t" + bastr(min) + "\n"); if(sys->write(fmin, min, len min) < 0) return sys->sprint("error writing macin: %r"); } if(mout != nil) { if(SSL_DEBUG) log("ssl3: set digest secret\n\tmacout:\n\t\t" + bastr(mout) + "\n"); if(sys->write(fmout, mout, len mout) < 0) return sys->sprint("error writing macout: %r"); } return ""; } SLEN : con 256; setupRC4state(start : array of byte, n : int): ref RC4state { t : int; s := array[SLEN] of byte; for (i := 0; i < SLEN; i++) s[i] = byte i; j := 0; k := 0; for (i = 0; i < SLEN; i++) { t = int s[i]; k = (int start[j] + t + k)&(SLEN-1); s[i] = s[k]; s[k] = byte t; if(++j == n) j = 0; } return ref RC4state(s, 0, 0); } rc4(key : ref RC4state, a : array of byte, n : int) { tx, ty : int; s := key.state; x := key.x; y := key.y; for (i := 0; i < n; i++) { x = (x+1)&(SLEN-1); tx = int s[x]; y = (tx+y)&(SLEN-1); ty = int s[y]; s[x] = byte ty; s[y] = byte tx; a[i] ^= s[(tx+ty)&(SLEN-1)]; } key.x = x; key.y = y; } # # description must be alert description # fatal(description: int, debug_msg: string, ctx: ref Context) { if(SSL_DEBUG) log("ssl3: " + debug_msg); # TODO: use V2Handshake.Error for v2 alert_enque(ref Alert(SSL_FATAL, description), ctx); # delete session id ctx.session.session_id = nil; ctx.state = STATE_EXIT; } alert_enque(a: ref Alert, ctx: ref Context) { p := ref Protocol.pAlert(a); protocol_write(p, ctx); } # clean up out queue before switch cipher. this is why # change cipher spec differs from handshake message by ssl spec ccs_enque(cs: ref ChangeCipherSpec, ctx: ref Context) { p := ref Protocol.pChangeCipherSpec(cs); protocol_write(p, ctx); record_write_queue(ctx); ctx.out_queue.data = nil; } handshake_enque(h: ref Handshake, ctx: ref Context) { p := ref Protocol.pHandshake(h); protocol_write(p, ctx); } protocol_write(p: ref Protocol, ctx: ref Context) { record_version := SSL_VERSION_2_0; if(ctx.status & SSL3_RECORD) record_version = SSL_VERSION_3_0; (r, e) := p.encode(record_version); if(e != "") { if(SSL_DEBUG) log("ssl3: protocol_write: " + e); exit; } # Note: only for sslv3 if((ctx.status&SSL2_HANDSHAKE) && (ctx.status&SSL3_HANDSHAKE)) { if(ctx.state == STATE_HELLO_REQUEST) { e = update_handshake_hash(ctx, r); if(e != "") { if(SSL_DEBUG) log("ssl3: protocol_write: " + e); exit; } } } if((ctx.status&SSL3_HANDSHAKE) && (r.content_type == SSL_HANDSHAKE)) { e = update_handshake_hash(ctx, r); if(e != "") { if(SSL_DEBUG) log("ssl3: protocol_write: " + e); exit; } } ctx.out_queue.data = r :: ctx.out_queue.data; } #feed_data(ctx: ref Context, a: array of byte, n: int): int #{ # #} # FIFO record_write_queue(ctx: ref Context) { write_queue : list of ref Record; wq := ctx.out_queue.data; while(wq != nil) { write_queue = hd wq :: write_queue; wq = tl wq; } wq = write_queue; while(wq != nil) { record_write(hd wq, ctx); wq = tl wq; } } # Possible combinations are v2 only, v3 only and both (undetermined). The v2 only must be # v2 handshake and v2 record layer. The v3 only must be v3 handshake and v3 record layer. # If both v2 and v3 are supported, it may be v2 handshake and v2 record layer, or v3 # handshake and v3 record layer, or v2 handshake and v3 record layer. In the case of # both, the client should send a v2 client hello message with handshake protocol version v3. do_protocol(ctx: ref Context): string { r: ref Record; in: ref Protocol; e: string = nil; while(ctx.state != STATE_EXIT) { if(SSL_DEBUG) log("ssl3: state = " + state_info(ctx)); # init a new handshake if(ctx.state == STATE_HELLO_REQUEST) { # v2 and v3 if((ctx.status&SSL2_HANDSHAKE) && (ctx.status&SSL3_HANDSHAKE)) { ch := ref V2Handshake.ClientHello( SSL_VERSION_3_0, v3tov2specs(ctx.local_info.suites), ctx.session.session_id, ctx.client_random ); v2handshake_enque(ch, ctx); in = ref Protocol.pV2Handshake(ch); } # v3 only else if(ctx.status&SSL3_HANDSHAKE) { in = ref Protocol.pHandshake(ref Handshake.HelloRequest()); } # v2 only else if(ctx.status&SSL2_HANDSHAKE) { ch := ref V2Handshake.ClientHello( SSL_VERSION_2_0, v3tov2specs(ctx.local_info.suites), ctx.session.session_id, ctx.client_random[32-SSL2_CHALLENGE_LENGTH:32] ); v2handshake_enque(ch, ctx); in = ref Protocol.pV2Handshake(ch); } # unknown version else { e = "unknown ssl device version"; fatal(SSL_CLOSE_NOTIFY, "ssl3: " + e, ctx); continue; } } if(in == nil) { (r, in, e) = protocol_read(ctx); if(e != "") { fatal(SSL_CLOSE_NOTIFY, "ssl3: " + e, ctx); continue; } if(SSL_DEBUG) log("ssl3: protocol_read: ------\n" + in.tostring()); } pick p := in { pAlert => do_alert(p.alert, ctx); pChangeCipherSpec => if(ctx.state != STATE_CHANGE_CIPHER_SPEC) { e += "ChangeCipherSpec"; break; } do_change_cipher_spec(ctx); pHandshake => if(!(ctx.status & SSL3_HANDSHAKE)) { e = "Wrong Handshake"; break; } if((ctx.status & SSL3_RECORD) && (ctx.state == SSL2_STATE_SERVER_HELLO)) { ctx.state = STATE_SERVER_HELLO; ctx.status &= ~SSL2_HANDSHAKE; } e = do_handshake(p.handshake, ctx); pV2Handshake => if(ctx.state != STATE_HELLO_REQUEST) { if(!(ctx.status & SSL2_HANDSHAKE)) { e = "Wrong Handshake"; break; } e = do_v2handshake(p.handshake, ctx); } else ctx.state = SSL2_STATE_SERVER_HELLO; * => e = "unknown protocol message"; } if(e != nil) { e = "do_protocol: wrong protocol side or protocol message: " + e; fatal(SSL_UNEXPECTED_MESSAGE, e, ctx); } in = nil; record_write_queue(ctx); ctx.out_queue.data = nil; } return e; } state_info(ctx: ref Context): string { info: string; if(ctx.status & SSL3_RECORD) info = "\n\tRecord Version 3: "; else info = "\n\tRecord Version 2: "; if(ctx.status & SSL2_HANDSHAKE) { if(ctx.status & SSL3_HANDSHAKE) { info += "\n\tHandshake Version Undetermined: Client Hello"; } else { info += "\n\tHandshake Version 2: "; case ctx.state { SSL2_STATE_CLIENT_HELLO => info += "Client Hello"; SSL2_STATE_SERVER_HELLO => info += "Server Hello"; SSL2_STATE_CLIENT_MASTER_KEY => info += "Client Master Key"; SSL2_STATE_SERVER_VERIFY => info += "Server Verify"; SSL2_STATE_REQUEST_CERTIFICATE => info += "Request Certificate"; SSL2_STATE_CLIENT_CERTIFICATE => info += "Client Certificate"; SSL2_STATE_CLIENT_FINISHED => info += "Client Finished"; SSL2_STATE_SERVER_FINISHED => info += "Server Finished"; SSL2_STATE_ERROR => info += "Error"; } } } else { info = "\n\tHandshake Version 3: "; case ctx.state { STATE_EXIT => info += "Exit"; STATE_CHANGE_CIPHER_SPEC => info += "Change Cipher Spec"; STATE_HELLO_REQUEST => info += "Hello Request"; STATE_CLIENT_HELLO => info += "Client Hello"; STATE_SERVER_HELLO => info += "Server Hello"; STATE_CLIENT_KEY_EXCHANGE => info += "Client Key Exchange"; STATE_SERVER_KEY_EXCHANGE => info += "Server Key Exchange"; STATE_SERVER_HELLO_DONE => info += "Server Hello Done"; STATE_CLIENT_CERTIFICATE => info += "Client Certificate"; STATE_SERVER_CERTIFICATE => info += "Server Certificate"; STATE_CERTIFICATE_VERIFY => info += "Certificate Verify"; STATE_FINISHED => info += "Finished"; } } if(ctx.status & CLIENT_AUTH) info += ": Client Auth"; if(ctx.status & CERT_REQUEST) info += ": Cert Request"; if(ctx.status & CERT_SENT) info += ": Cert Sent"; if(ctx.status & CERT_RECEIVED) info += ": Cert Received"; return info; } reset_client_random(ctx: ref Context) { ctx.client_random[0:] = int_encode(ctx.session.connection_time, 4); ctx.client_random[4:] = random->randombuf(Random->NotQuiteRandom, 28); } reset_server_random(ctx: ref Context) { ctx.server_random[0:] = int_encode(ctx.session.connection_time, 4); ctx.server_random[4:] = random->randombuf(Random->NotQuiteRandom, 28); } update_handshake_hash(ctx: ref Context, r: ref Record): string { err := ""; ctx.sha_state = keyring->sha(r.data, len r.data, nil, ctx.sha_state); ctx.md5_state = keyring->md5(r.data, len r.data, nil, ctx.md5_state); if(ctx.sha_state == nil || ctx.md5_state == nil) err = "update handshake hash failed"; # if(SSL_DEBUG) # log("ssl3: update_handshake_hash\n\tmessage_data =\n\t\t" + bastr(r.data) + "\n"); return err; } # Note: # this depends on the record protocol protocol_read(ctx: ref Context): (ref Record, ref Protocol, string) { p: ref Protocol; r: ref Record; e: string; vers := SSL_VERSION_2_0; if(ctx.status & SSL3_RECORD) vers = SSL_VERSION_3_0; if(ctx.status & USE_DEVSSL) (r, e) = devssl_read(ctx); else (r, e) = record_read(ctx); if(e != "") return (nil, nil, e); (p, e) = Protocol.decode(r, ctx); if(e != "") return (r, nil, e); return (r, p, nil); } # Alert messages with a level of fatal result in the immediate # termination of the connection and zero out session. do_alert(a: ref Alert, ctx: ref Context) { case a.level { SSL_FATAL => case a.description { SSL_UNEXPECTED_MESSAGE => # should never be observed in communication # between proper implementations. break; SSL_HANDSHAKE_FAILURE => # unable to negotiate an acceptable set of security # parameters given the options available. break; * => break; } ctx.session.session_id = nil; ctx.state = STATE_EXIT; SSL_WARNING => case a.description { SSL_CLOSE_NOTIFY => # notifies the recipient that the sender will not # send any more messages on this connection. ctx.state = STATE_EXIT; fatal(SSL_CLOSE_NOTIFY, "ssl3: response close notify", ctx); SSL_NO_CERTIFICATE => # A no_certificate alert message may be sent in # response to a certification request if no # appropriate certificate is available. if(ctx.state == STATE_CLIENT_CERTIFICATE) { hm := ref Handshake.Certificate(ctx.local_info.certs); handshake_enque(hm, ctx); } SSL_BAD_CERTIFICATE or # A certificate was corrupt, contained signatures # that did not verify correctly, etc. SSL_UNSUPPORTED_CERTIFICATE or # A certificate was of an unsupported type. SSL_CERTIFICATE_REVOKED or # A certificate was revoked by its signer. SSL_CERTIFICATE_EXPIRED or # A certificate has expired or is not currently # valid. SSL_CERTIFICATE_UNKNOWN => # Some other (unspecified) issue arose in # processing the certificate, rendering it # unacceptable. break; * => ctx.session.session_id = nil; fatal(SSL_ILLEGAL_PARAMETER, "ssl3: unknown alert description", ctx); } * => ctx.session.session_id = nil; fatal(SSL_ILLEGAL_PARAMETER, "ssl3: unknown alert level received", ctx); } } # notify the receiving party that subsequent records will # be protected under the just-negotiated CipherSpec and keys. do_change_cipher_spec(ctx: ref Context) { # calculate and set new keys if(!(ctx.status & IN_READY)) { e := set_in_queue(ctx); if(e != "") { fatal(SSL_CLOSE_NOTIFY, "do_change_cipher_spec: setup new cipher failed", ctx); return; } ctx.status |= IN_READY; if(SSL_DEBUG) log("ssl3: set in cipher done\n"); } ctx.state = STATE_FINISHED; } # process and advance handshake messages, update internal stack and switch to next # expected state(s). do_handshake(handshake: ref Handshake, ctx: ref Context) : string { e := ""; pick h := handshake { HelloRequest => if(!(ctx.status & CLIENT_SIDE) || ctx.state != STATE_HELLO_REQUEST) { e = "HelloRequest"; break; } do_hello_request(ctx); ClientHello => if((ctx.status & CLIENT_SIDE) || ctx.state != STATE_CLIENT_HELLO) { e = "ClientHello"; break; } do_client_hello(h, ctx); ServerHello => if(!(ctx.status & CLIENT_SIDE) || ctx.state != STATE_SERVER_HELLO) { e = "ServerHello"; break; } do_server_hello(h, ctx); ClientKeyExchange => if((ctx.status & CLIENT_SIDE) || ctx.state != STATE_CLIENT_KEY_EXCHANGE) { e = "ClientKeyExchange"; break; } do_client_keyex(h, ctx); ServerKeyExchange => if(!(ctx.status & CLIENT_SIDE) || (ctx.state != STATE_SERVER_KEY_EXCHANGE && ctx.state != STATE_SERVER_HELLO_DONE)) { e = "ServerKeyExchange"; break; } do_server_keyex(h, ctx); ServerHelloDone => # diff from SSLRef, to support variant impl if(!(ctx.status & CLIENT_SIDE) || (ctx.state != STATE_SERVER_HELLO_DONE && ctx.state != STATE_SERVER_KEY_EXCHANGE)) { e = "ServerHelloDone"; break; } do_server_done(ctx); Certificate => if(ctx.status & CLIENT_SIDE) { if(ctx.state != STATE_SERVER_CERTIFICATE) { e = "ServerCertificate"; break; } do_server_cert(h, ctx); } else { if(ctx.state != STATE_CLIENT_CERTIFICATE) { e = "ClientCertificate"; break; } do_client_cert(h, ctx); # server_side } CertificateRequest => if(!(ctx.status & CLIENT_SIDE) || ctx.state != STATE_SERVER_HELLO_DONE || ctx.state != STATE_SERVER_KEY_EXCHANGE) { e = "CertificateRequest"; break; } do_cert_request(h, ctx); CertificateVerify => if((ctx.status & CLIENT_SIDE) || ctx.state != STATE_CERTIFICATE_VERIFY) { e = "CertificateVerify"; break; } do_cert_verify(h, ctx); Finished => if(ctx.status & CLIENT_SIDE) { if(ctx.state != STATE_FINISHED) { e = "ClientFinished"; break; } do_finished(SSL_CLIENT_SENDER, ctx); } else { if(ctx.state != STATE_FINISHED) { e = "ServerFinished"; break; } do_finished(SSL_SERVER_SENDER, ctx); } * => e = "unknown handshake message"; } if(e != nil) e = "do_handshake: " + e; return e; } # [client side] # The hello request message may be sent by server at any time, but will be ignored by # the client if the handshake protocol is already underway. It is simple notification # that the client should begin the negotiation process anew by sending a client hello # message. do_hello_request(ctx: ref Context) { # start from new handshake digest state ctx.sha_state = ctx.md5_state = nil; # Note: # sending ctx.local_info.suites instead of ctx.session.suite, # if session is resumable by server, ctx.session.suite will be used. handshake_enque( ref Handshake.ClientHello( ctx.session.version, ctx.client_random, ctx.session.session_id, ctx.local_info.suites, ctx.local_info.comprs ), ctx ); ctx.state = STATE_SERVER_HELLO; } # [client side] # Processes the received server hello handshake message and determines if the session # is resumable. (The client sends a client hello using the session id of the session # to be resumed. The server then checks its session cache for a match. If a match is # FOUND, and the server is WILLING to re-establish the connection under the specified # session state, it will send a server hello with the SAME session id value.) If the # session is resumed, at this point both client and server must send change cipher # spec messages. If the session is not resumable, the client and server perform # a full handshake. (On the server side, if a session id match is not found, the # server generates a new session id or if the server is not willing to resume, the # server uses a null session id). do_server_hello(hm: ref Handshake.ServerHello, ctx: ref Context) { # trying to resume if(bytes_cmp(ctx.session.session_id, hm.session_id) == 0) { if(SSL_DEBUG) log("ssl3: session resumed\n"); ctx.status |= SESSION_RESUMABLE; # avoid version attack if(ctx.session.version[0] != hm.version[0] || ctx.session.version[1] != hm.version[1]) { fatal(SSL_CLOSE_NOTIFY, "do_server_hello: version mismatch", ctx); return; } ctx.server_random = hm.random; # uses the retrieved session suite by server (should be same by client) (ciph, keyx, sign, e) := suite_to_spec(hm.suite, SSL3_Suites); if(e != nil) { fatal(SSL_UNEXPECTED_MESSAGE, "server hello: suite not found", ctx); return; } ctx.sel_ciph = ciph; ctx.sel_keyx = keyx; ctx.sel_sign = sign; ctx.sel_cmpr = int ctx.session.compression; # not supported by ssl3 yet # calculate keys (ctx.cw_mac, ctx.sw_mac, ctx.cw_key, ctx.sw_key, ctx.cw_IV, ctx.sw_IV) = calc_keys(ctx.sel_ciph, ctx.session.master_secret, ctx.client_random, ctx.server_random); ctx.state = STATE_CHANGE_CIPHER_SPEC; } else { ctx.status &= ~SESSION_RESUMABLE; # On the server side, if a session id match is not found, the # server generates a new session id or if the server is not willing # to resume, the server uses an empty session id and cannot be # cached by both client and server. ctx.session.session_id = hm.session_id; ctx.session.version = hm.version; ctx.server_random = hm.random; if(SSL_DEBUG) log("ssl3: do_server_hello:\n\tselected cipher suite =\n\t\t" + cipher_suite_info(hm.suite, SSL3_Suites) + "\n"); (ciph, keyx, sign, e) := suite_to_spec(hm.suite, SSL3_Suites); if(e != nil) { fatal(SSL_UNEXPECTED_MESSAGE, "server hello: suite not found", ctx); return; } ctx.sel_ciph = ciph; ctx.sel_keyx = keyx; ctx.sel_sign = sign; ctx.sel_cmpr = int hm.compression; # not supported by ssl3 yet # next state is determined by selected key exchange and signature methods # the ctx.sel_keyx and ctx.sel_sign are completed by the following handshake # Certificate and/or ServerKeyExchange if(tagof ctx.sel_keyx == tagof KeyExAlg.DH && tagof ctx.sel_sign == tagof SigAlg.anon) ctx.state = STATE_SERVER_KEY_EXCHANGE; else ctx.state = STATE_SERVER_CERTIFICATE; } } # [client side] # Processes the received server key exchange message. The server key exchange message # is sent by the server if it has no certificate, has a certificate only used for # signing, or FORTEZZA KEA key exchange is used. do_server_keyex(hm: ref Handshake.ServerKeyExchange, ctx: ref Context) { # install exchange keys sent by server, this may require public key # retrieved from certificate sent by Handshake.Certificate message (err, i) := install_server_xkey(hm.xkey, ctx.sel_keyx); if(err == "") err = verify_server_xkey(ctx.client_random, ctx.server_random, hm.xkey, i, ctx.sel_sign); if(err == "") ctx.state = STATE_SERVER_HELLO_DONE; else fatal(SSL_HANDSHAKE_FAILURE, "do_server_keyex: " + err, ctx); } # [client side] # Processes the received server hello done message by verifying that the server # provided a valid certificate if required and checking that the server hello # parameters are acceptable. do_server_done(ctx: ref Context) { # On client side, optionally send client cert chain if client_auth # is required by the server. The server may drop the connection, # if it does not receive client certificate in the following # Handshake.ClientCertificate message if(ctx.status & CLIENT_AUTH) { if(ctx.local_info.certs != nil) { handshake_enque( ref Handshake.Certificate(ctx.local_info.certs), ctx ); ctx.status |= CERT_SENT; } else { alert_enque( ref Alert(SSL_WARNING, SSL_NO_CERTIFICATE), ctx ); } } # calculate premaster secrect, client exchange keys and update ref KeyExAlg # of the client side (x, pm, e) := calc_client_xkey(ctx.sel_keyx); if(e != "") { fatal(SSL_HANDSHAKE_FAILURE, e, ctx); return; } handshake_enque(ref Handshake.ClientKeyExchange(x), ctx); ms := calc_master_secret(pm, ctx.client_random, ctx.server_random); if(ms == nil) { fatal(SSL_HANDSHAKE_FAILURE, "server hello done: calc master secret failed", ctx); return; } # ctx.premaster_secret = pm; ctx.session.master_secret = ms; # sending certificate verifiy message if the client auth is required # and client certificate has been sent, if(ctx.status & CERT_SENT) { sig : array of byte; (md5_hash, sha_hash) := calc_finished(nil, ctx.session.master_secret, ctx.sha_state, ctx.md5_state); # check type of client cert being sent pick sk := ctx.local_info.sk { RSA => hashes := array [36] of byte; hashes[0:] = md5_hash; hashes[16:] = sha_hash; #(e, sig) = pkcs->rsa_sign(hashes, sk, PKCS->MD5_WithRSAEncryption); DSS => #(e, sig) = pkcs->dss_sign(sha_hash, sk); * => e = "unknown sign"; } if(e != "") { fatal(SSL_HANDSHAKE_FAILURE, "server hello done: sign cert verify failed", ctx); return; } handshake_enque(ref Handshake.CertificateVerify(sig), ctx); } ccs_enque(ref ChangeCipherSpec(1), ctx); (ctx.cw_mac, ctx.sw_mac, ctx.cw_key, ctx.sw_key, ctx.cw_IV, ctx.sw_IV) = calc_keys(ctx.sel_ciph, ctx.session.master_secret, ctx.client_random, ctx.server_random); # set cipher on write channel e = set_out_queue(ctx); if(e != nil) { fatal(SSL_HANDSHAKE_FAILURE, "do_server_done: " + e, ctx); return; } ctx.status |= OUT_READY; if(SSL_DEBUG) log("ssl3: set out cipher done\n"); (mh, sh) := calc_finished(SSL_CLIENT_SENDER, ctx.session.master_secret, ctx.sha_state, ctx.md5_state); # sending out the Finished msg causes MS https servers to hangup #sys->print("RETURNING FROM DO_SERVER_DONE\n"); #return; handshake_enque(ref Handshake.Finished(mh, sh), ctx); ctx.state = STATE_CHANGE_CIPHER_SPEC; } # [client side] # Process the received certificate message. # Note: # according to current US export law, RSA moduli larger than 512 bits # may not be used for key exchange in software exported from US. With # this message, larger RSA keys may be used as signature only # certificates to sign temporary shorter RSA keys for key exchange. do_server_cert(hm: ref Handshake.Certificate, ctx: ref Context) { if(hm.cert_list == nil) { fatal(SSL_UNEXPECTED_MESSAGE, "nil peer certificate", ctx); return; } # server's certificate is the last one in the chain (reverse required) cl := hm.cert_list; ctx.session.peer_certs = nil; while(cl != nil) { ctx.session.peer_certs = hd cl::ctx.session.peer_certs; cl = tl cl; } # TODO: verify certificate chain # check if in the acceptable dnlist # ctx.sel_keyx.peer_pk = x509->verify_chain(ctx.session.peer_certs); if(SSL_DEBUG) log("ssl3: number certificates got: " + string len ctx.session.peer_certs); peer_cert := hd ctx.session.peer_certs; (e, signed) := x509->Signed.decode(peer_cert); if(e != "") { if(SSL_DEBUG) log("ss3: server certificate: " + e); fatal(SSL_HANDSHAKE_FAILURE, "server certificate: " + e, ctx); return; } srv_cert: ref Certificate; (e, srv_cert) = x509->Certificate.decode(signed.tobe_signed); if(e != "") { if(SSL_DEBUG) log("ss3: server certificate: " + e); fatal(SSL_HANDSHAKE_FAILURE, "server certificate: " + e, ctx); return; } if(SSL_DEBUG) log("ssl3: " + srv_cert.tostring()); # extract and determine byte of user certificate id: int; peer_pk: ref X509->PublicKey; (e, id, peer_pk) = srv_cert.subject_pkinfo.getPublicKey(); if(e != "") { if(SSL_DEBUG) log("ss3: server certificate: " + e); fatal(SSL_HANDSHAKE_FAILURE, "server certificate:" + e, ctx); return; } pick key := peer_pk { RSA => # TODO: to allow checking X509v3 KeyUsage extension if((0 && key.pk.modulus.bits() > 512 && ctx.sel_ciph.is_exportable) || id == PKCS->id_pkcs_md2WithRSAEncryption || id == PKCS->id_pkcs_md4WithRSAEncryption || id == PKCS->id_pkcs_md5WithRSAEncryption) { pick sign := ctx.sel_sign { anon => break; RSA => break; * => # error } if(ctx.local_info.sk == nil) ctx.sel_sign = ref SigAlg.RSA(nil, key.pk); else { pick mysk := ctx.local_info.sk { RSA => ctx.sel_sign = ref SigAlg.RSA(mysk.sk, key.pk); * => ctx.sel_sign = ref SigAlg.RSA(nil, key.pk); } } # key exchange may be tmp RSA, emhemeral DH depending on cipher suite ctx.state = STATE_SERVER_KEY_EXCHANGE; } # TODO: allow id == PKCS->id_rsa else if(id == PKCS->id_pkcs_rsaEncryption) { pick sign := ctx.sel_sign { anon => break; * => # error } ctx.sel_sign = ref SigAlg.anon(); pick keyx := ctx.sel_keyx { RSA => keyx.peer_pk = key.pk; * => # error } ctx.state = STATE_SERVER_HELLO_DONE; } else { # error } DSS => pick sign := ctx.sel_sign { DSS => sign.peer_pk = key.pk; break; * => # error } # should be key exchagne such as emhemeral DH ctx.state = STATE_SERVER_KEY_EXCHANGE; DH => # fixed DH signed in certificate either by RSA or DSS??? pick keyx := ctx.sel_keyx { DH => keyx.peer_pk = key.pk; * => # error } ctx.state = STATE_SERVER_KEY_EXCHANGE; } if(e != nil) { fatal(SSL_HANDSHAKE_FAILURE, "do_server_cert: " + e, ctx); return; } } # [client side] # Processes certificate request message. A non-anonymous server can optionally # request a certificate from the client, if appropriate for the selected cipher # suite It is a fatal handshake failure alert for an anonymous server to # request client identification. # TODO: use another module to do x509 certs, lookup and matching rules do_cert_request(hm: ref Handshake.CertificateRequest, ctx: ref Context) { found := 0; for(i := 0; i < len hm.cert_types; i++) { if(ctx.local_info.root_type == int hm.cert_types[i]) { found = 1; break; } } if(!found) { fatal(SSL_HANDSHAKE_FAILURE, "do_cert_request: no required type of cert", ctx); return; } if(dn_cmp(ctx.local_info.dns, hm.dn_list) < 0) { fatal(SSL_HANDSHAKE_FAILURE, "do_cert_request: no required dn", ctx); return; } if(ctx.session.peer_certs == nil) { fatal(SSL_NO_CERTIFICATE, "certificate request: no peer certificates", ctx); return; } ctx.status |= CLIENT_AUTH; } dn_cmp(a, b: list of array of byte): int { return -1; } # [server side] # Process client hello message. do_client_hello(hm: ref Handshake.ClientHello, ctx: ref Context) { sndm : ref Handshake; e : string; if(hm.version[0] != SSL_VERSION_3_0[0] || hm.version[1] != SSL_VERSION_3_0[1]) { fatal(SSL_UNEXPECTED_MESSAGE, "client hello: version mismatch", ctx); return; } # else SSL_VERSION_2_0 if(hm.session_id != nil) { # trying to resume if(ctx.status & SESSION_RESUMABLE) { s := sslsession->get_session_byid(hm.session_id); if(s == nil) { fatal(SSL_UNEXPECTED_MESSAGE, "client hello: retrieve nil session", ctx); return; } if(s.version[0] != hm.version[0] || s.version[1] != hm.version[1]) { # avoid version attack fatal(SSL_UNEXPECTED_MESSAGE, "client hello: protocol mismatch", ctx); return; } reset_server_random(ctx); ctx.client_random = hm.random; sndm = ref Handshake.ServerHello(s.version, ctx.server_random, s.session_id, s.suite, s.compression); handshake_enque(sndm, ctx); ccs_enque(ref ChangeCipherSpec(1), ctx); # use existing master_secret, calc keys (ctx.cw_mac, ctx.sw_mac, ctx.cw_key, ctx.sw_key, ctx.cw_IV, ctx.sw_IV) = calc_keys(ctx.sel_ciph, ctx.session.master_secret, ctx.client_random, ctx.server_random); e = set_out_queue(ctx); if(e != nil) { fatal(SSL_CLOSE_NOTIFY, "client hello: setup new cipher failure", ctx); return; } if(SSL_DEBUG) log("do_client_hello: set out cipher done\n"); (md5_hash, sha_hash) := calc_finished(SSL_SERVER_SENDER, s.master_secret, ctx.sha_state, ctx.md5_state); handshake_enque(ref Handshake.Finished(md5_hash, sha_hash), ctx); ctx.session = s; ctx.state = STATE_CHANGE_CIPHER_SPEC; return; } fatal(SSL_CLOSE_NOTIFY, "client hello: resume session failed", ctx); return; } ctx.session.version = hm.version; if(ctx.session.peer != nil) { ctx.session.session_id = random->randombuf(Random->NotQuiteRandom, 32); if(ctx.session.session_id == nil) { fatal(SSL_CLOSE_NOTIFY, "client hello: generate session id failed", ctx); return; } } suite := find_cipher_suite(hm.suites, ctx.local_info.suites); if(suite != nil) { fatal(SSL_HANDSHAKE_FAILURE, "client hello: find cipher suite failed", ctx); return; } (ctx.sel_ciph, ctx.sel_keyx, ctx.sel_sign, e) = suite_to_spec(suite, SSL3_Suites); if(e != nil) { fatal(SSL_HANDSHAKE_FAILURE, "client hello: find cipher suite failed" + e, ctx); return; } # not supported by ssl3 yet ctx.sel_cmpr = int hm.compressions[0]; ctx.client_random = hm.random; ctx.sha_state = nil; ctx.md5_state = nil; sndm = ref Handshake.ServerHello(ctx.session.version, ctx.server_random, ctx.session.session_id, ctx.session.suite, ctx.session.compression); handshake_enque(sndm, ctx); # set up keys based on algorithms if(tagof ctx.sel_keyx != tagof KeyExAlg.DH) { if(ctx.local_info.certs == nil || ctx.local_info.sk == nil) { fatal(SSL_HANDSHAKE_FAILURE, "client hello: no local cert or key", ctx); return; } sndm = ref Handshake.Certificate(ctx.local_info.certs); handshake_enque(sndm, ctx); } if(tagof ctx.sel_keyx != tagof KeyExAlg.RSA || tagof ctx.sel_sign != tagof SigAlg.anon) { params, signed_params, xkey: array of byte; (params, e) = calc_server_xkey(ctx.sel_keyx); if(e == "") (signed_params, e) = sign_server_xkey(ctx.sel_sign, params, ctx.client_random, ctx.server_random); if(e != "") n := len params + 2 + len signed_params; xkey = array [n] of byte; xkey[0:] = params; xkey[len params:] = int_encode(len signed_params, 2); xkey[len params+2:] = signed_params; handshake_enque(ref Handshake.ServerKeyExchange(xkey), ctx); } if(ctx.status & CLIENT_AUTH) { sndm = ref Handshake.CertificateRequest(ctx.local_info.types, ctx.local_info.dns); handshake_enque(sndm, ctx); ctx.status |= CERT_REQUEST; ctx.state = STATE_CLIENT_CERTIFICATE; } else ctx.state = STATE_CLIENT_KEY_EXCHANGE; handshake_enque(ref Handshake.ServerHelloDone(), ctx); } # [server side] # Process the received client key exchange message. do_client_keyex(hm: ref Handshake.ClientKeyExchange, ctx: ref Context) { (premaster_secret, err) := install_client_xkey(hm.xkey, ctx.sel_keyx); if(err != "") { fatal(SSL_HANDSHAKE_FAILURE, err, ctx); return; } ctx.session.master_secret = calc_master_secret(premaster_secret, ctx.client_random, ctx.server_random); if(ctx.status & CERT_RECEIVED) ctx.state = STATE_CERTIFICATE_VERIFY; else ctx.state = STATE_CHANGE_CIPHER_SPEC; } # [server side] # Process the received certificate message from client. do_client_cert(hm: ref Handshake.Certificate, ctx: ref Context) { ctx.session.peer_certs = hm.cert_list; # verify cert chain and determine the type of cert # ctx.peer_info.sk = x509->verify_chain(ctx.session.peer_certs); # if(ctx.peer_info.key == nil) { # fatal(SSL_HANDSHAKE_FAILURE, "client certificate: cert verify failed", ctx); # return; # } ctx.status |= CERT_RECEIVED; ctx.state = STATE_CLIENT_KEY_EXCHANGE; } # [server side] # Process the received certificate verify message from client. do_cert_verify(hm: ref Handshake.CertificateVerify, ctx: ref Context) { if(ctx.status & CERT_RECEIVED) { # exp : array of byte; (md5_hash, sha_hash) := calc_finished(nil, ctx.session.master_secret, ctx.sha_state, ctx.md5_state); ok := 0; pick upk := ctx.sel_sign { RSA => hashes := array [36] of byte; hashes[0:] = md5_hash; hashes[16:] = sha_hash; ok = pkcs->rsa_verify(hashes, hm.signature, upk.peer_pk, PKCS->MD5_WithRSAEncryption); DSS => ok = pkcs->dss_verify(sha_hash, hm.signature, upk.peer_pk); } if(!ok) { fatal(SSL_HANDSHAKE_FAILURE, "do_cert_verify: client auth failed", ctx); return; } } else { alert_enque(ref Alert(SSL_WARNING, SSL_NO_CERTIFICATE), ctx); return; } ctx.state = STATE_CHANGE_CIPHER_SPEC; } # [client or server side] # Process the received finished message either from client or server. do_finished(sender: array of byte, ctx: ref Context) { # setup write_cipher if not yet if(!(ctx.status & OUT_READY)) { ccs_enque(ref ChangeCipherSpec(1), ctx); e := set_out_queue(ctx); if(e != nil) { fatal(SSL_CLOSE_NOTIFY, "do_finished: setup new cipher failed", ctx); return; } ctx.status |= OUT_READY; if(SSL_DEBUG) log("ssl3: set out cipher done\n"); (md5_hash, sha_hash) := calc_finished(sender, ctx.session.master_secret, ctx.sha_state, ctx.md5_state); handshake_enque(ref Handshake.Finished(md5_hash, sha_hash), ctx); } ctx.state = STATE_EXIT; # normal # clean read queue ctx.in_queue.fragment = 0; sslsession->add_session(ctx.session); if(SSL_DEBUG) log("ssl3: add session to session database done\n"); } install_client_xkey(a: array of byte, keyx: ref KeyExAlg): (array of byte, string) { pmaster, x : array of byte; err := ""; pick kx := keyx { DH => i := 0; (kx.peer_pk, i) = dh_params_decode(a); if(kx.peer_pk != nil) pmaster = pkcs->computeDHAgreedKey(kx.sk.param, kx.sk.sk, kx.peer_pk.pk); else err = "decode dh params failed"; RSA => (err, x) = pkcs->rsa_decrypt(a, kx.sk, 2); if(err != "" || len x != 48) { err = "impl error"; } else { if(x[0] != SSL_VERSION_3_0[0] && x[1] != SSL_VERSION_3_0[1]) err = "version wrong: possible version attack"; else pmaster = x[2:]; } FORTEZZA_KEA => err = "Fortezza unsupported"; } return (pmaster, err); } install_server_xkey(a: array of byte, keyx: ref KeyExAlg): (string, int) { err := ""; i := 0; pick kx := keyx { DH => (kx.peer_pk, i) = dh_params_decode(a); if(kx.peer_pk != nil) kx.peer_params = kx.peer_pk.param; RSA => peer_tmp: ref RSAParams; (peer_tmp, i, err) = rsa_params_decode(a); if(err == "") { modlen := len peer_tmp.modulus.iptobebytes(); kx.peer_pk = ref RSAKey(peer_tmp.modulus, modlen, peer_tmp.exponent); } FORTEZZA_KEA => return ("Fortezza unsupported", i); } return (err, i); } verify_server_xkey(crand, srand: array of byte, a: array of byte, i : int, sign: ref SigAlg) : string { pick sg := sign { anon => RSA => lb := a[0:i]::crand::srand::nil; (exp, nil, nil) := md5_sha_hash(lb, nil, nil); ok := pkcs->rsa_verify(exp, a[i+2:], sg.peer_pk, PKCS->MD5_WithRSAEncryption); if(!ok) return "RSA sigature verification failed"; DSS => lb := a[0:i]::crand::srand::nil; (exp, nil) := sha_hash(lb, nil); ok := pkcs->dss_verify(exp, a[i+2:], sg.peer_pk); if(!ok) return "DSS sigature verification failed"; } return ""; } calc_client_xkey(keyx: ref KeyExAlg): (array of byte, array of byte, string) { pm, x : array of byte; err := ""; pick kx := keyx { DH => # generate our own DH keys based on DH params of peer side (kx.sk, kx.exch_pk) = pkcs->setupDHAgreement(kx.peer_params); # TODO: need check type of client cert if(!ctx.status & CLIENT_AUTH) # for implicit case (x, err) = dh_exchpub_encode(kx.exch_pk); pm = pkcs->computeDHAgreedKey(kx.sk.param, kx.sk.sk, kx.peer_pk.pk); RSA => pm = array [48] of byte; pm[0:] = SSL_VERSION_3_0; # against version attack pm[2:] = random->randombuf(Random->NotQuiteRandom, 46); (err, x) = pkcs->rsa_encrypt(pm, kx.peer_pk, 2); FORTEZZA_KEA => err = "Fortezza unsupported"; } if(SSL_DEBUG) log("ssl3: calc_client_xkey: " + bastr(x)); return (x, pm, err); } calc_server_xkey(keyx: ref KeyExAlg): (array of byte, string) { params: array of byte; err: string; pick kx := keyx { DH => (kx.sk, kx.exch_pk) = pkcs->setupDHAgreement(kx.params); (params, err) = dh_params_encode(kx.exch_pk); RSA => tmp := ref RSAParams(kx.export_key.modulus, kx.export_key.exponent); (params, err) = rsa_params_encode(tmp); FORTEZZA_KEA => err = "Fortezza unsupported"; } return (params, err); } sign_server_xkey(sign: ref SigAlg, params, cr, sr: array of byte): (array of byte, string) { signed_params: array of byte; err: string; pick sg := sign { anon => RSA => lb := cr::sr::params::nil; (hashes, nil, nil) := md5_sha_hash(lb, nil, nil); (err, signed_params) = pkcs->rsa_sign(hashes, sg.sk, PKCS->MD5_WithRSAEncryption); DSS => lb := cr::sr::params::nil; (hashes, nil) := sha_hash(lb, nil); (err, signed_params) = pkcs->dss_sign(hashes, sg.sk); } return (signed_params, err); } # ssl encoding of DH exchange public key dh_exchpub_encode(dh: ref DHPublicKey): (array of byte, string) { if(dh != nil) { yb := dh.pk.iptobebytes(); if(yb != nil) { n := 2 + len yb; a := array [n] of byte; i := 0; a[i:] = int_encode(len yb, 2); i += 2; a[i:] = yb; return (a, nil); } } return (nil, "nil dh params"); } dh_params_encode(dh: ref DHPublicKey): (array of byte, string) { if(dh != nil && dh.param != nil) { pb := dh.param.prime.iptobebytes(); gb := dh.param.base.iptobebytes(); yb := dh.pk.iptobebytes(); if(pb != nil && gb != nil && yb != nil) { n := 6 + len pb + len gb + len yb; a := array [n] of byte; i := 0; a[i:] = int_encode(len pb, 2); i += 2; a[i:] = pb; i += len pb; a[i:] = int_encode(len gb, 2); i += 2; a[i:] = gb; i += len gb; a[i:] = int_encode(len yb, 2); i += 2; a[i:] = yb; i += len yb; return (a, nil); } } return (nil, "nil dh public key"); } dh_params_decode(a: array of byte): (ref DHPublicKey, int) { i := 0; for(;;) { n := int_decode(a[i:i+2]); i += 2; if(i+n > len a) break; p := a[i:i+n]; i += n; n = int_decode(a[i:i+2]); i += 2; if(i+n > len a) break; g := a[i:i+n]; i += n; n = int_decode(a[i:i+2]); i += 2; if(i+n > len a) break; Ys := a[i:i+n]; i += n; if(SSL_DEBUG) log("ssl3: dh_params_decode:" + "\n\tp =\n\t\t" + bastr(p) + "\n\tg =\n\t\t" + bastr(g) + "\n\tYs =\n\t\t" + bastr(Ys) + "\n"); # don't care privateValueLength param := ref DHParams(IPint.bebytestoip(p), IPint.bebytestoip(g), 0); return (ref DHPublicKey(param, IPint.bebytestoip(Ys)), i); } return (nil, i); } rsa_params_encode(rsa_params: ref RSAParams): (array of byte, string) { if(rsa_params != nil) { mod := rsa_params.modulus.iptobebytes(); exp := rsa_params.exponent.iptobebytes(); if(mod != nil || exp != nil) { n := 4 + len mod + len exp; a := array [n] of byte; i := 0; a[i:] = int_encode(len mod, 2); i += 2; a[i:] = mod; i += len mod; a[i:] = int_encode(len exp, 2); i += 2; a[i:] = exp; i += len exp; return (a, nil); } } return (nil, "nil rsa params"); } rsa_params_decode(a: array of byte): (ref RSAParams, int, string) { i := 0; for(;;) { if(len a < 2) break; n := int_decode(a[i:i+2]); i += 2; if(n < 0 || n + i > len a) break; mod := a[i:i+n]; i += n; n = int_decode(a[i:i+2]); i += 2; if(n < 0 || n + i > len a) break; exp := a[i:i+n]; i += n; m := i; modulus := IPint.bebytestoip(mod); exponent := IPint.bebytestoip(exp); if(SSL_DEBUG) log("ssl3: decode RSA params\n\tmodulus = \n\t\t" + bastr(mod) + "\n\texponent = \n\t\t" + bastr(exp) + "\n"); if(len a < i+2) break; n = int_decode(a[i:i+2]); i += 2; if(len a != i + n) break; return (ref RSAParams(modulus, exponent), m, nil); } return (nil, i, "encoding error"); } # md5_hash MD5(master_secret + pad2 + # MD5(handshake_messages + Sender + # master_secret + pad1)); # sha_hash SHA(master_secret + pad2 + # SHA(handshake_messages + Sender + # master_secret + pad1)); # # handshake_messages All of the data from all handshake messages # up to but not including this message. This # is only data visible at the handshake layer # and does not include record layer headers. # # sender [4], master_secret [48] # pad1 and pad2, 48 bytes for md5, 40 bytes for sha calc_finished(sender, master_secret: array of byte, sha_state, md5_state: ref DigestState) : (array of byte, array of byte) { sha_value := array [Keyring->SHAdlen] of byte; md5_value := array [Keyring->MD5dlen] of byte; sha_inner := array [Keyring->SHAdlen] of byte; md5_inner := array [Keyring->MD5dlen] of byte; lb := master_secret::SSL_MAC_PAD1[0:48]::nil; if(sender != nil) lb = sender::lb; (md5_inner, nil) = md5_hash(lb, md5_state); lb = master_secret::SSL_MAC_PAD1[0:40]::nil; if(sender != nil) lb = sender::lb; (sha_inner, nil) = sha_hash(lb, sha_state); (md5_value, nil) = md5_hash(master_secret::SSL_MAC_PAD2[0:48]::md5_inner::nil, nil); (sha_value, nil) = sha_hash(master_secret::SSL_MAC_PAD2[0:40]::sha_inner::nil, nil); # if(SSL_DEBUG) # log("ssl3: calc_finished:" # + "\n\tmd5_inner = \n\t\t" + bastr(md5_inner) # + "\n\tsha_inner = \n\t\t" + bastr(sha_inner) # + "\n\tmd5_value = \n\t\t" + bastr(md5_value) # + "\n\tsha_value = \n\t\t" + bastr(sha_value) # + "\n"); return (md5_value, sha_value); } # master_secret = # MD5(premaster_secret + SHA('A' + premaster_secret + # ClientHello.random + ServerHello.random)) + # MD5(premaster_secret + SHA('BB' + premaster_secret + # ClientHello.random + ServerHello.random)) + # MD5(premaster_secret + SHA('CCC' + premaster_secret + # ClientHello.random + ServerHello.random)); calc_master_secret(pm, cr, sr: array of byte): array of byte { ms := array [48] of byte; sha_value := array [Keyring->SHAdlen] of byte; leader := array [3] of byte; j := 0; lb := pm::cr::sr::nil; for(i := 1; i <= 3; i++) { leader[0] = leader[1] = leader[2] = byte (16r40 + i); (sha_value, nil) = sha_hash(leader[0:i]::lb, nil); (ms[j:], nil) = md5_hash(pm::sha_value::nil, nil); j += 16; # Keyring->MD5dlen } if(SSL_DEBUG) log("ssl3: calc_master_secret:\n\tmaster_secret = \n\t\t" + bastr(ms) + "\n"); return ms; } # key_block = # MD5(master_secret + SHA(`A' + master_secret + # ServerHello.random + ClientHello.random)) + # MD5(master_secret + SHA(`BB' + master_secret + # ServerHello.random + ClientHello.random)) + # MD5(master_secret + SHA(`CCC' + master_secret + # ServerHello.random + ClientHello.random)) + # [...]; calc_key_material(n: int, ms, cr, sr: array of byte): array of byte { key_block := array [n] of byte; sha_value := array [Keyring->SHAdlen] of byte; # [20] md5_value := array [Keyring->MD5dlen] of byte; # [16] leader := array [10] of byte; if(n > 16*(len leader)) { if(SSL_DEBUG) log(sys->sprint("ssl3: calc key block: key size too long [%d]", n)); return nil; } m := n; i, j, consumed, next : int = 0; lb := ms::sr::cr::nil; for(i = 0; m > 0; i++) { for(j = 0; j <= i; j++) leader[j] = byte (16r41 + i); # 'A', 'BB', 'CCC', etc. (sha_value, nil) = sha_hash(leader[0:i+1]::lb, nil); (md5_value, nil) = md5_hash(ms::sha_value::nil, nil); consumed = Keyring->MD5dlen; if(m < Keyring->MD5dlen) consumed = m; m -= consumed; key_block[next:] = md5_value[0:consumed]; next += consumed; } if(SSL_DEBUG) log("ssl3: calc_key_material:" + "\n\tkey_block = \n\t\t" + bastr(key_block) + "\n"); return key_block; } # Then the key_block is partitioned as follows. # # client_write_MAC_secret[CipherSpec.hash_size] # server_write_MAC_secret[CipherSpec.hash_size] # client_write_key[CipherSpec.key_material] # server_write_key[CipherSpec.key_material] # client_write_IV[CipherSpec.IV_size] /* non-export ciphers */ # server_write_IV[CipherSpec.IV_size] /* non-export ciphers */ # # Any extra key_block material is discarded. # # Exportable encryption algorithms (for which # CipherSpec.is_exportable is true) require additional processing as # follows to derive their final write keys: # # final_client_write_key = MD5(client_write_key + # ClientHello.random + # ServerHello.random); # final_server_write_key = MD5(server_write_key + # ServerHello.random + # ClientHello.random); # # Exportable encryption algorithms derive their IVs from the random # messages: # # client_write_IV = MD5(ClientHello.random + ServerHello.random); # server_write_IV = MD5(ServerHello.random + ClientHello.random); calc_keys(ciph: ref CipherSpec, ms, cr, sr: array of byte) : (array of byte, array of byte, array of byte, array of byte, array of byte, array of byte) { cw_mac, sw_mac, cw_key, sw_key, cw_IV, sw_IV: array of byte; n := ciph.key_material + ciph.hash_size; if(ciph.is_exportable == SSL_EXPORT_FALSE) n += ciph.IV_size; n *= 2; key_block := calc_key_material(n, ms, cr, sr); i := 0; if(ciph.hash_size != 0) { cw_mac = key_block[i:i+ciph.hash_size]; i += ciph.hash_size; sw_mac = key_block[i:i+ciph.hash_size]; i += ciph.hash_size; } if(ciph.is_exportable == SSL_EXPORT_FALSE) { if(ciph.key_material != 0) { cw_key = key_block[i:i+ciph.key_material]; i += ciph.key_material; sw_key = key_block[i:i+ciph.key_material]; i += ciph.key_material; } if(ciph.IV_size != 0) { cw_IV = key_block[i:i+ciph.IV_size]; i += ciph.IV_size; sw_IV = key_block[i:i+ciph.IV_size]; i += ciph.IV_size; } } else { if(ciph.key_material != 0) { cw_key = key_block[i:i+ciph.key_material]; i += ciph.key_material; sw_key = key_block[i:i+ciph.key_material]; i += ciph.key_material; (cw_key, nil) = md5_hash(cw_key::cr::sr::nil, nil); (sw_key, nil) = md5_hash(sw_key::sr::cr::nil, nil); } if(ciph.IV_size != 0) { (cw_IV, nil) = md5_hash(cr::sr::nil, nil); (sw_IV, nil) = md5_hash(sr::cr::nil, nil); } } if(SSL_DEBUG) log("ssl3: calc_keys:" + "\n\tclient_write_mac = \n\t\t" + bastr(cw_mac) + "\n\tserver_write_mac = \n\t\t" + bastr(sw_mac) + "\n\tclient_write_key = \n\t\t" + bastr(cw_key) + "\n\tserver_write_key = \n\t\t" + bastr(sw_key) + "\n\tclient_write_IV = \n\t\t" + bastr(cw_IV) + "\n\tserver_write_IV = \n\t\t" + bastr(sw_IV) + "\n"); return (cw_mac, sw_mac, cw_key, sw_key, cw_IV, sw_IV); } # # decode protocol message # Protocol.decode(r: ref Record, ctx: ref Context): (ref Protocol, string) { p : ref Protocol; case r.content_type { SSL_ALERT => if(len r.data != 2) return (nil, "alert decode failed"); p = ref Protocol.pAlert(ref Alert(int r.data[0], int r.data[1])); SSL_CHANGE_CIPHER_SPEC => if(len r.data != 1 || r.data[0] != byte 1) return (nil, "ChangeCipherSpec decode failed"); p = ref Protocol.pChangeCipherSpec(ref ChangeCipherSpec(1)); SSL_HANDSHAKE => (hm, e) := Handshake.decode(r.data); if(e != nil) return (nil, e); pick h := hm { Finished => exp_sender := SSL_CLIENT_SENDER; if(ctx.status & CLIENT_SIDE) exp_sender = SSL_SERVER_SENDER; (md5_hash, sha_hash) := calc_finished(exp_sender, ctx.session.master_secret, ctx.sha_state, ctx.md5_state); if(SSL_DEBUG) log("ssl3: handshake_decode: finished" + "\n\texpected_md5_hash = \n\t\t" + bastr(md5_hash) + "\n\tgot_md5_hash = \n\t\t" + bastr(h.md5_hash) + "\n\texpected_sha_hash = \n\t\t" + bastr(sha_hash) + "\n\tgot_sha_hash = \n\t\t" + bastr(h.sha_hash) + "\n"); #if(string md5_hash != string h.md5_hash || string sha_hash != string h.sha_hash) if(bytes_cmp(md5_hash, h.md5_hash) < 0 || bytes_cmp(sha_hash, h.sha_hash) < 0) return (nil, "finished: sender mismatch"); e = update_handshake_hash(ctx, r); if(e != nil) return (nil, e); CertificateVerify => e = update_handshake_hash(ctx, r); if(e != nil) return (nil, e); * => e = update_handshake_hash(ctx, r); if(e != nil) return (nil, e); } p = ref Protocol.pHandshake(hm); SSL_V2HANDSHAKE => (hm, e) := V2Handshake.decode(r.data); if(e != "") return (nil, e); p = ref Protocol.pV2Handshake(hm); * => return (nil, "protocol read: unknown protocol"); } return (p, nil); } # encode protocol message and return tuple of data record and error message, # may be v2 or v3 record depending on vers. Protocol.encode(protocol: self ref Protocol, vers: array of byte): (ref Record, string) { r: ref Record; e: string; pick p := protocol { pAlert => r = ref Record( SSL_ALERT, vers, array [] of {byte p.alert.level, byte p.alert.description} ); pChangeCipherSpec => r = ref Record( SSL_CHANGE_CIPHER_SPEC, vers, array [] of {byte p.change_cipher_spec.value} ); pHandshake => data: array of byte; (data, e) = p.handshake.encode(); if(e != "") break; r = ref Record( SSL_HANDSHAKE, vers, data ); pV2Handshake => data: array of byte; (data, e) = p.handshake.encode(); if(e != "") break; r = ref Record( SSL_V2HANDSHAKE, vers, data ); * => e = "unknown protocol"; } if(SSL_DEBUG) log("ssl3: protocol encode\n" + protocol.tostring()); return (r, e); } # # protocol message description # Protocol.tostring(protocol: self ref Protocol): string { info : string; pick p := protocol { pAlert => info = "\tAlert\n" + p.alert.tostring(); pChangeCipherSpec => info = "\tChangeCipherSpec\n"; pHandshake => info = "\tHandshake\n" + p.handshake.tostring(); pV2Handshake => info = "\tV2Handshake\n" + p.handshake.tostring(); pApplicationData => info = "\tApplicationData\n"; * => info = "\tUnknownProtocolType\n"; } return "ssl3: Protocol:\n" + info; } Handshake.decode(buf: array of byte): (ref Handshake, string) { m : ref Handshake; e : string; a := buf[4:]; # ignore msg length i := 0; case int buf[0] { SSL_HANDSHAKE_HELLO_REQUEST => m = ref Handshake.HelloRequest(); SSL_HANDSHAKE_CLIENT_HELLO => if(len a < 38) { e = "client hello: unexpected message"; break; } cv := a[i:i+2]; i += 2; rd := a[i:i+32]; i += 32; lsi := int a[i++]; if(len a < 38 + lsi) { e = "client hello: unexpected message"; break; } sid: array of byte; if(lsi != 0) { sid = a[i:i+lsi]; i += lsi; } else sid = nil; lcs := int_decode(a[i:i+2]); i += 2; if((lcs & 1) || lcs < 2 || len a < 40 + lsi + lcs) { e = "client hello: unexpected message"; break; } cs := array [lcs/2] of byte; cs = a[i:i+lcs]; i += lcs; lcm := int a[i++]; cr := a[i:i+lcm]; i += lcm; # In the interest of forward compatibility, it is # permitted for a client hello message to include # extra data after the compression methods. This # data must be included in the handshake hashes, # but otherwise be ignored. # if(i != len a) { # e = "client hello: unexpected message"; # break; # } m = ref Handshake.ClientHello(cv, rd, sid, cs, cr); SSL_HANDSHAKE_SERVER_HELLO => if(len a < 38) { e = "server hello: unexpected message"; break; } sv := a[i:i+2]; i += 2; rd := a[i:i+32]; i += 32; lsi := int a[i++]; if(len a < 38 + lsi) { e = "server hello: unexpected message"; break; } sid : array of byte; if(lsi != 0) { sid = a[i:i+lsi]; i += lsi; } else sid = nil; cs := a[i:i+2]; i += 2; cr := a[i++]; if(i != len a) { e = "server hello: unexpected message"; break; } m = ref Handshake.ServerHello(sv, rd, sid, cs, cr); SSL_HANDSHAKE_CERTIFICATE => n := int_decode(a[i:i+3]); i += 3; if(len a != n + 3) { e = "certificate: unexpected message"; break; } cl : list of array of byte; k : int; while(i < n) { k = int_decode(a[i:i+3]); i += 3; if(k < 0 || i + k > len a) { e = "certificate: unexpected message"; break; } cl = a[i:i+k] :: cl; i += k; } if(e != nil) break; m = ref Handshake.Certificate(cl); SSL_HANDSHAKE_SERVER_KEY_EXCHANGE => m = ref Handshake.ServerKeyExchange(a[i:]); SSL_HANDSHAKE_CERTIFICATE_REQUEST => ln := int_decode(a[i:i+2]); i += 2; types := a[i:i+ln]; i += ln; ln = int_decode(a[i:i+2]); i += 2; auths : list of array of byte; for(j := 0; j < ln; j++) { ln = int_decode(a[i:i+2]); i += 2; auths = a[i:i+ln]::auths; i += ln; } m = ref Handshake.CertificateRequest(types, auths); SSL_HANDSHAKE_SERVER_HELLO_DONE => if(len a != 0) { e = "server hello done: unexpected message"; break; } m = ref Handshake.ServerHelloDone(); SSL_HANDSHAKE_CERTIFICATE_VERIFY => ln := int_decode(a[i:i+2]); i +=2; sig := a[i:]; i += ln; if(i != len a) { e = "certificate verify: unexpected message"; break; } m = ref Handshake.CertificateVerify(sig); SSL_HANDSHAKE_CLIENT_KEY_EXCHANGE => m = ref Handshake.ClientKeyExchange(a); SSL_HANDSHAKE_FINISHED => if(len a != Keyring->MD5dlen + Keyring->SHAdlen) { # 16+20 e = "finished: unexpected message"; break; } md5_hash := a[i:i+Keyring->MD5dlen]; i += Keyring->MD5dlen; sha_hash := a[i:i+Keyring->SHAdlen]; i += Keyring->SHAdlen; if(i != len a) { e = "finished: unexpected message"; break; } m = ref Handshake.Finished(md5_hash, sha_hash); * => e = "unknown message"; } if(e != nil) return (nil, "Handshake decode: " + e); return (m, nil); } Handshake.encode(hm: self ref Handshake): (array of byte, string) { a : array of byte; n : int; e : string; i := 0; pick m := hm { HelloRequest => a = array [4] of byte; a[i++] = byte SSL_HANDSHAKE_HELLO_REQUEST; a[i:] = int_encode(n, 3); i += 3; if(i != 4) e = "hello request: wrong message length"; ClientHello => lsi := len m.session_id; lcs := len m.suites; if((lcs &1) || lcs < 2) { e = "client hello: cipher suites is not multiple of 2 bytes"; break; } lcm := len m.compressions; n = 38 + lsi + lcs + lcm; # 2+32+1+2+1 a = array[n+4] of byte; a[i++] = byte SSL_HANDSHAKE_CLIENT_HELLO; a[i:] = int_encode(n, 3); i += 3; a[i:] = m.version; i += 2; a[i:] = m.random; i += 32; a[i++] = byte lsi; if(lsi != 0) { a[i:] = m.session_id; i += lsi; } a[i:] = int_encode(lcs, 2); i += 2; a[i:] = m.suites; # not nil i += lcs; a[i++] = byte lcm; a[i:] = m.compressions; # not nil i += lcm; if(i != n+4) e = "client hello: wrong message length"; ServerHello => lsi := len m.session_id; n = 38 + lsi; # 2+32+1+2+1 a = array [n+4] of byte; a[i++] = byte SSL_HANDSHAKE_SERVER_HELLO; a[i:] = int_encode(n, 3); i += 3; a[i:] = m.version; i += 2; a[i:] = m.random; i += 32; a[i++] = byte lsi; if(lsi != 0) { a[i:] = m.session_id; i += lsi; } a[i:] = m.suite; # should be verified, not nil i += 2; a[i++] = m.compression; # should be verified, not nil if(i != n+4) e = "server hello: wrong message length"; Certificate => cl := m.cert_list; while(cl != nil) { n += 3 + len hd cl; cl = tl cl; } a = array [n+7] of byte; a[i++] = byte SSL_HANDSHAKE_CERTIFICATE; a[i:] = int_encode(n+3, 3); # length of record i += 3; a[i:] = int_encode(n, 3); # total length of cert chain i += 3; cl = m.cert_list; while(cl != nil) { a[i:] = int_encode(len hd cl, 3); i += 3; a[i:] = hd cl; i += len hd cl; cl = tl cl; } if(i != n+7) e = "certificate: wrong message length"; ServerKeyExchange => n = len m.xkey; a = array [n+4] of byte; a[i++] = byte SSL_HANDSHAKE_SERVER_KEY_EXCHANGE; a[i:] = int_encode(n, 3); i += 3; a[i:] = m.xkey; i += len m.xkey; if(i != n+4) e = "server key exchange: wrong message length"; CertificateRequest => ntypes := len m.cert_types; nauths := len m.dn_list; n = 1 + ntypes; dl := m.dn_list; while(dl != nil) { n += 2 + len hd dl; dl = tl dl; } n += 2; a = array [n+4] of byte; a[i++] = byte SSL_HANDSHAKE_CERTIFICATE_REQUEST; a[i:] = int_encode(n, 3); i += 3; a[i++] = byte ntypes; a[i:] = m.cert_types; i += ntypes; a[i:] = int_encode(nauths, 2); i += 2; dl = m.dn_list; while(dl != nil) { a[i:] = int_encode(len hd dl, 2); i += 2; a[i:] = hd dl; i += len hd dl; dl = tl dl; } if(i != n+4) e = "certificate request: wrong message length"; ServerHelloDone => n = 0; a = array[n+4] of byte; a[i++] = byte SSL_HANDSHAKE_SERVER_HELLO_DONE; a[i:] = int_encode(0, 3); # message has 0 length i += 3; if(i != n+4) e = "server hello done: wrong message length"; CertificateVerify => n = 2 + len m.signature; a = array [n+4] of byte; a[i++] = byte SSL_HANDSHAKE_CERTIFICATE_VERIFY; a[i:] = int_encode(n, 3); i += 3; a[i:] = int_encode(n-2, 2); i += 2; a[i:] = m.signature; i += n-2; if(i != n+4) e = "certificate verify: wrong message length"; ClientKeyExchange => n = len m.xkey; a = array [n+4] of byte; a[i++] = byte SSL_HANDSHAKE_CLIENT_KEY_EXCHANGE; a[i:] = int_encode(n, 3); i += 3; a[i:] = m.xkey; i += n; if(i != n+4) e = "client key exchange: wrong message length"; Finished => n = len m.md5_hash + len m.sha_hash; a = array [n+4] of byte; a[i++] = byte SSL_HANDSHAKE_FINISHED; a[i:] = int_encode(n, 3); i += 3; a[i:] = m.md5_hash; i += len m.md5_hash; a[i:] = m.sha_hash; i += len m.sha_hash; if(i != n+4) e = "finished: wrong message length"; * => e = "unknown message"; } if(e != nil) return (nil, "Handshake encode: " + e); return (a, e); } Handshake.tostring(handshake: self ref Handshake): string { info: string; pick m := handshake { HelloRequest => info = "\tHelloRequest\n"; ClientHello => info = "\tClientHello\n" + "\tversion = \n\t\t" + bastr(m.version) + "\n" + "\trandom = \n\t\t" + bastr(m.random) + "\n" + "\tsession_id = \n\t\t" + bastr(m.session_id) + "\n" + "\tsuites = \n\t\t" + bastr(m.suites) + "\n" + "\tcomperssion_methods = \n\t\t" + bastr(m.compressions) +"\n"; ServerHello => info = "\tServerHello\n" + "\tversion = \n\t\t" + bastr(m.version) + "\n" + "\trandom = \n\t\t" + bastr(m.random) + "\n" + "\tsession_id = \n\t\t" + bastr(m.session_id) + "\n" + "\tsuite = \n\t\t" + bastr(m.suite) + "\n" + "\tcomperssion_method = \n\t\t" + string m.compression +"\n"; Certificate => info = "\tCertificate\n" + "\tcert_list = \n\t\t" + lbastr(m.cert_list) + "\n"; ServerKeyExchange => info = "\tServerKeyExchange\n" + "\txkey = \n\t\t" + bastr(m.xkey) +"\n"; CertificateRequest => info = "\tCertificateRequest\n" + "\tcert_types = \n\t\t" + bastr(m.cert_types) + "\n" + "\tdn_list = \n\t\t" + lbastr(m.dn_list) + "\n"; ServerHelloDone => info = "\tServerDone\n"; CertificateVerify => info = "\tCertificateVerify\n" + "\tsignature = \n\t\t" + bastr(m.signature) + "\n"; ClientKeyExchange => info = "\tClientKeyExchange\n" + "\txkey = \n\t\t" + bastr(m.xkey) +"\n"; Finished => info = "\tFinished\n" + "\tmd5_hash = \n\t\t" + bastr(m.md5_hash) + "\n" + "\tsha_hash = \n\t\t" + bastr(m.sha_hash) + "\n"; } return info; } Alert.tostring(alert: self ref Alert): string { info: string; case alert.level { SSL_WARNING => info += "\t\twarning: "; SSL_FATAL => info += "\t\tfatal: "; * => info += sys->sprint("unknown alert level[%d]: ", alert.level); } case alert.description { SSL_CLOSE_NOTIFY => info += "close notify"; SSL_NO_CERTIFICATE => info += "no certificate"; SSL_BAD_CERTIFICATE => info += "bad certificate"; SSL_UNSUPPORTED_CERTIFICATE => info += "unsupported certificate"; SSL_CERTIFICATE_REVOKED => info += "certificate revoked"; SSL_CERTIFICATE_EXPIRED => info += "certificate expired"; SSL_CERTIFICATE_UNKNOWN => info += "certificate unknown"; SSL_UNEXPECTED_MESSAGE => info += "unexpected message"; SSL_BAD_RECORD_MAC => info += "bad record mac"; SSL_DECOMPRESSION_FAILURE => info += "decompression failure"; SSL_HANDSHAKE_FAILURE => info += "handshake failure"; SSL_ILLEGAL_PARAMETER => info += "illegal parameter"; * => info += sys->sprint("unknown alert description[%d]", alert.description); } return info; } find_cipher_suite(s, suites: array of byte) : array of byte { i, j : int; a, b : array of byte; n := len s; if((n & 1) || n < 2) return nil; m := len suites; if((m & 1) || m < 2) return nil; for(i = 0; i < n; ) { a = s[i:i+2]; i += 2; for(j = 0; j < m; ) { b = suites[j:j+2]; j += 2; if(a[0] == b[0] && a[1] == b[1]) return b; } } return nil; } # # cipher suites and specs # suite_to_spec(cs: array of byte, cipher_suites: array of array of byte) : (ref CipherSpec, ref KeyExAlg, ref SigAlg, string) { cip : ref CipherSpec; kex : ref KeyExAlg; sig : ref SigAlg; n := len cipher_suites; i : int; found := array [2] of byte; for(i = 0; i < n; i++) { found = cipher_suites[i]; if(found[0]==cs[0] && found[1]==cs[1]) break; } if(i == n) return (nil, nil, nil, "fail to find a matched spec"); case i { NULL_WITH_NULL_NULL => cip = ref CipherSpec(SSL_EXPORT_TRUE, SSL_NULL_CIPHER, SSL_STREAM_CIPHER, 0, 0, SSL_NULL_MAC, 0); kex = ref KeyExAlg.NULL(); sig = ref SigAlg.anon(); RSA_WITH_NULL_MD5 => # sign only certificate cip = ref CipherSpec(SSL_EXPORT_TRUE, SSL_NULL_CIPHER, SSL_STREAM_CIPHER, 0, 0, SSL_MD5, Keyring->MD5dlen); kex = ref KeyExAlg.RSA(nil, nil, nil); sig = ref SigAlg.anon(); RSA_WITH_NULL_SHA => cip = ref CipherSpec(SSL_EXPORT_TRUE, SSL_NULL_CIPHER, SSL_STREAM_CIPHER, 0, 0, SSL_SHA, Keyring->SHAdlen); kex = ref KeyExAlg.RSA(nil, nil, nil); sig = ref SigAlg.anon(); RSA_EXPORT_WITH_RC4_40_MD5 => cip = ref CipherSpec(SSL_EXPORT_TRUE, SSL_RC4, SSL_STREAM_CIPHER, 5, 0, SSL_MD5, Keyring->MD5dlen); kex = ref KeyExAlg.RSA(nil, nil, nil); sig = ref SigAlg.anon(); RSA_WITH_RC4_128_MD5 => cip = ref CipherSpec(SSL_EXPORT_FALSE, SSL_RC4, SSL_STREAM_CIPHER, 16, 0, SSL_MD5, Keyring->MD5dlen); kex = ref KeyExAlg.RSA(nil, nil, nil); sig = ref SigAlg.anon(); RSA_WITH_RC4_128_SHA => cip = ref CipherSpec(SSL_EXPORT_FALSE, SSL_RC4, SSL_STREAM_CIPHER, 16, 0, SSL_SHA, Keyring->SHAdlen); kex = ref KeyExAlg.RSA(nil, nil, nil); sig = ref SigAlg.anon(); RSA_EXPORT_WITH_RC2_CBC_40_MD5 => cip = ref CipherSpec(SSL_EXPORT_TRUE, SSL_RC2_CBC, SSL_BLOCK_CIPHER, 5, 8, SSL_MD5, Keyring->MD5dlen); kex = ref KeyExAlg.RSA(nil, nil, nil); sig = ref SigAlg.RSA(nil, nil); RSA_WITH_IDEA_CBC_SHA => cip = ref CipherSpec(SSL_EXPORT_FALSE, SSL_IDEA_CBC, SSL_BLOCK_CIPHER, 16, 8, SSL_SHA, Keyring->SHAdlen); kex = ref KeyExAlg.RSA(nil, nil, nil); sig = ref SigAlg.anon(); RSA_EXPORT_WITH_DES40_CBC_SHA => cip = ref CipherSpec(SSL_EXPORT_TRUE, SSL_DES_CBC, SSL_BLOCK_CIPHER, 5, 8, SSL_SHA, Keyring->SHAdlen); kex = ref KeyExAlg.RSA(nil, nil, nil); sig = ref SigAlg.RSA(nil, nil); RSA_WITH_DES_CBC_SHA => cip = ref CipherSpec(SSL_EXPORT_FALSE, SSL_DES_CBC, SSL_BLOCK_CIPHER, 8, 8, SSL_SHA, Keyring->SHAdlen); kex = ref KeyExAlg.RSA(nil, nil, nil); sig = ref SigAlg.anon(); RSA_WITH_3DES_EDE_CBC_SHA => cip = ref CipherSpec(SSL_EXPORT_FALSE, SSL_3DES_EDE_CBC, SSL_BLOCK_CIPHER, 24, 8, SSL_SHA, Keyring->SHAdlen); kex = ref KeyExAlg.RSA(nil, nil, nil); sig = ref SigAlg.anon(); DH_DSS_EXPORT_WITH_DES40_CBC_SHA => cip = ref CipherSpec(SSL_EXPORT_TRUE, SSL_DES_CBC, SSL_BLOCK_CIPHER, 5, 8, SSL_SHA, Keyring->SHAdlen); kex = ref KeyExAlg.DH(nil, nil, nil, nil, nil); sig = ref SigAlg.DSS(nil, nil); DH_DSS_WITH_DES_CBC_SHA => cip = ref CipherSpec(SSL_EXPORT_FALSE, SSL_DES_CBC, SSL_BLOCK_CIPHER, 8, 8, SSL_SHA, Keyring->SHAdlen); kex = ref KeyExAlg.DH(nil, nil, nil, nil, nil); sig = ref SigAlg.DSS(nil, nil); DH_DSS_WITH_3DES_EDE_CBC_SHA => cip = ref CipherSpec(SSL_EXPORT_FALSE, SSL_3DES_EDE_CBC, SSL_BLOCK_CIPHER, 24, 8, SSL_SHA, Keyring->SHAdlen); kex = ref KeyExAlg.DH(nil, nil, nil, nil, nil); sig = ref SigAlg.DSS(nil, nil); DH_RSA_EXPORT_WITH_DES40_CBC_SHA => cip = ref CipherSpec(SSL_EXPORT_TRUE, SSL_DES_CBC, SSL_BLOCK_CIPHER, 5, 8, SSL_SHA, Keyring->SHAdlen); kex = ref KeyExAlg.DH(nil, nil, nil, nil, nil); sig = ref SigAlg.RSA(nil, nil); DH_RSA_WITH_DES_CBC_SHA => cip = ref CipherSpec(SSL_EXPORT_FALSE, SSL_DES_CBC, SSL_STREAM_CIPHER, 8, 8, SSL_SHA, Keyring->SHAdlen); kex = ref KeyExAlg.DH(nil, nil, nil, nil, nil); sig = ref SigAlg.RSA(nil, nil); DH_RSA_WITH_3DES_EDE_CBC_SHA => cip = ref CipherSpec(SSL_EXPORT_FALSE, SSL_3DES_EDE_CBC, SSL_BLOCK_CIPHER, 24, 8, SSL_SHA, Keyring->SHAdlen); kex = ref KeyExAlg.DH(nil, nil, nil, nil, nil); sig = ref SigAlg.RSA(nil, nil); DHE_DSS_EXPORT_WITH_DES40_CBC_SHA => cip = ref CipherSpec(SSL_EXPORT_FALSE, SSL_DES_CBC, SSL_BLOCK_CIPHER, 5, 8, SSL_SHA, Keyring->SHAdlen); kex = ref KeyExAlg.DH(nil, nil, nil, nil, nil); sig = ref SigAlg.DSS(nil, nil); DHE_DSS_WITH_DES_CBC_SHA => cip = ref CipherSpec(SSL_EXPORT_FALSE, SSL_DES_CBC, SSL_BLOCK_CIPHER, 8, 8, SSL_SHA, Keyring->SHAdlen); kex = ref KeyExAlg.DH(nil, nil, nil, nil, nil); sig = ref SigAlg.DSS(nil, nil); DHE_DSS_WITH_3DES_EDE_CBC_SHA => cip = ref CipherSpec(SSL_EXPORT_FALSE, SSL_3DES_EDE_CBC, SSL_BLOCK_CIPHER, 24, 8, SSL_SHA, Keyring->SHAdlen); kex = ref KeyExAlg.DH(nil, nil, nil, nil, nil); sig = ref SigAlg.DSS(nil, nil); DHE_RSA_EXPORT_WITH_DES40_CBC_SHA => cip = ref CipherSpec(SSL_EXPORT_TRUE, SSL_DES_CBC, SSL_BLOCK_CIPHER, 5, 8, SSL_SHA, Keyring->SHAdlen); kex = ref KeyExAlg.DH(nil, nil, nil, nil, nil); sig = ref SigAlg.RSA(nil, nil); DHE_RSA_WITH_DES_CBC_SHA => cip = ref CipherSpec(SSL_EXPORT_FALSE, SSL_DES_CBC, SSL_BLOCK_CIPHER, 8, 8, SSL_SHA, Keyring->SHAdlen); kex = ref KeyExAlg.DH(nil, nil, nil, nil, nil); sig = ref SigAlg.RSA(nil, nil); DHE_RSA_WITH_3DES_EDE_CBC_SHA => cip = ref CipherSpec(SSL_EXPORT_FALSE, SSL_3DES_EDE_CBC, SSL_BLOCK_CIPHER, 24, 8, SSL_SHA, Keyring->SHAdlen); kex = ref KeyExAlg.DH(nil, nil, nil, nil, nil); sig = ref SigAlg.RSA(nil, nil); DH_anon_EXPORT_WITH_RC4_40_MD5 => cip = ref CipherSpec(SSL_EXPORT_TRUE, SSL_RC4, SSL_STREAM_CIPHER, 5, 0, SSL_MD5, Keyring->MD5dlen); kex = ref KeyExAlg.DH(nil, nil, nil, nil, nil); sig = ref SigAlg.anon(); DH_anon_WITH_RC4_128_MD5 => cip = ref CipherSpec(SSL_EXPORT_FALSE, SSL_RC4, SSL_STREAM_CIPHER, 16, 0, SSL_MD5, Keyring->MD5dlen); kex = ref KeyExAlg.DH(nil, nil, nil, nil, nil); sig = ref SigAlg.anon(); DH_anon_EXPORT_WITH_DES40_CBC_SHA => cip = ref CipherSpec(SSL_EXPORT_TRUE, SSL_DES_CBC, SSL_BLOCK_CIPHER, 5, 8, SSL_SHA, Keyring->SHAdlen); kex = ref KeyExAlg.DH(nil, nil, nil, nil, nil); sig = ref SigAlg.anon(); DH_anon_WITH_DES_CBC_SHA => cip = ref CipherSpec(SSL_EXPORT_FALSE, SSL_DES_CBC, SSL_BLOCK_CIPHER, 8, 8, SSL_SHA, Keyring->SHAdlen); kex = ref KeyExAlg.DH(nil, nil, nil, nil, nil); sig = ref SigAlg.anon(); DH_anon_WITH_3DES_EDE_CBC_SHA => cip = ref CipherSpec(SSL_EXPORT_FALSE, SSL_3DES_EDE_CBC, SSL_BLOCK_CIPHER, 24, 8, SSL_SHA, Keyring->SHAdlen); kex = ref KeyExAlg.DH(nil, nil, nil, nil, nil); sig = ref SigAlg.anon(); FORTEZZA_KEA_WITH_NULL_SHA => cip = ref CipherSpec(SSL_EXPORT_FALSE, SSL_NULL_CIPHER, SSL_STREAM_CIPHER, 0, 0, SSL_SHA, Keyring->SHAdlen); kex = ref KeyExAlg.FORTEZZA_KEA(); sig = ref SigAlg.FORTEZZA_KEA(); FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA => cip = ref CipherSpec(SSL_EXPORT_FALSE, SSL_FORTEZZA_CBC, SSL_BLOCK_CIPHER, 0, 0, SSL_SHA, Keyring->SHAdlen); kex = ref KeyExAlg.FORTEZZA_KEA(); sig = ref SigAlg.FORTEZZA_KEA(); FORTEZZA_KEA_WITH_RC4_128_SHA => cip = ref CipherSpec(SSL_EXPORT_FALSE, SSL_RC4, SSL_STREAM_CIPHER, 16, 0, SSL_SHA, Keyring->SHAdlen); kex = ref KeyExAlg.FORTEZZA_KEA(); sig = ref SigAlg.FORTEZZA_KEA(); } return (cip, kex, sig, nil); } # # use suites as default SSL3_Suites # cipher_suite_info(cs: array of byte, suites: array of array of byte) : string { tag : string; a := array [2] of byte; n := len suites; for(i := 0; i < n; i++) { a = suites[i]; if(a[0]==cs[0] && a[1]==cs[1]) break; } if(i == n) return "unknown cipher suite [" + string cs + "]"; case i { NULL_WITH_NULL_NULL => tag = "NULL_WITH_NULL_NULL"; RSA_WITH_NULL_MD5 => tag = "RSA_WITH_NULL_MD5"; RSA_WITH_NULL_SHA => tag = "RSA_WITH_NULL_SHA"; RSA_EXPORT_WITH_RC4_40_MD5 => tag = "RSA_EXPORT_WITH_RC4_40_MD5"; RSA_WITH_RC4_128_MD5 => tag = "RSA_WITH_RC4_128_MD5"; RSA_WITH_RC4_128_SHA => tag = "RSA_WITH_RC4_128_SHA"; RSA_EXPORT_WITH_RC2_CBC_40_MD5 => tag = "RSA_EXPORT_WITH_RC2_CBC_40_MD5"; RSA_WITH_IDEA_CBC_SHA => tag = "RSA_WITH_IDEA_CBC_SHA"; RSA_EXPORT_WITH_DES40_CBC_SHA => tag ="RSA_EXPORT_WITH_DES40_CBC_SHA"; RSA_WITH_DES_CBC_SHA => tag = "RSA_WITH_DES_CBC_SHA"; RSA_WITH_3DES_EDE_CBC_SHA => tag = "RSA_WITH_3DES_EDE_CBC_SHA"; DH_DSS_EXPORT_WITH_DES40_CBC_SHA => tag = "DH_DSS_EXPORT_WITH_DES40_CBC_SHA"; DH_DSS_WITH_DES_CBC_SHA => tag = "DH_DSS_WITH_DES_CBC_SHA"; DH_DSS_WITH_3DES_EDE_CBC_SHA => tag = "DH_DSS_WITH_3DES_EDE_CBC_SHA"; DH_RSA_EXPORT_WITH_DES40_CBC_SHA => tag = "DH_RSA_EXPORT_WITH_DES40_CBC_SHA"; DH_RSA_WITH_DES_CBC_SHA => tag = "DH_RSA_WITH_DES_CBC_SHA"; DH_RSA_WITH_3DES_EDE_CBC_SHA => tag = "DH_RSA_WITH_3DES_EDE_CBC_SHA"; DHE_DSS_EXPORT_WITH_DES40_CBC_SHA => tag = "DHE_DSS_EXPORT_WITH_DES40_CBC_SHA"; DHE_DSS_WITH_DES_CBC_SHA => tag = "DHE_DSS_WITH_DES_CBC_SHA"; DHE_DSS_WITH_3DES_EDE_CBC_SHA => tag = "DHE_DSS_WITH_3DES_EDE_CBC_SHA"; DHE_RSA_EXPORT_WITH_DES40_CBC_SHA => tag = "DHE_RSA_EXPORT_WITH_DES40_CBC_SHA"; DHE_RSA_WITH_DES_CBC_SHA => tag = "DHE_RSA_WITH_DES_CBC_SHA"; DHE_RSA_WITH_3DES_EDE_CBC_SHA => tag = "DHE_RSA_WITH_3DES_EDE_CBC_SHA"; DH_anon_EXPORT_WITH_RC4_40_MD5 => tag = "DH_anon_EXPORT_WITH_RC4_40_MD5"; DH_anon_WITH_RC4_128_MD5 => tag = "DH_anon_WITH_RC4_128_MD5"; DH_anon_EXPORT_WITH_DES40_CBC_SHA => tag = "DH_anon_EXPORT_WITH_DES40_CBC_SHA"; DH_anon_WITH_DES_CBC_SHA => tag = "DH_anon_WITH_DES_CBC_SHA"; DH_anon_WITH_3DES_EDE_CBC_SHA => tag = "DH_anon_WITH_3DES_EDE_CBC_SHA"; FORTEZZA_KEA_WITH_NULL_SHA => tag = "FORTEZZA_KEA_WITH_NULL_SHA"; FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA => tag = "FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA"; FORTEZZA_KEA_WITH_RC4_128_SHA => tag = "FORTEZZA_KEA_WITH_RC4_128_SHA"; } return "cipher suite = [" + tag + "]"; } ################################# ## FOR SSLv2 BACKWARD COMPATIBLE ################################# # Protocol Version Codes SSL2_CLIENT_VERSION := array [] of {byte 0, byte 16r02}; SSL2_SERVER_VERSION := array [] of {byte 0, byte 16r02}; # Protocol Message Codes SSL2_MT_ERROR, SSL2_MT_CLIENT_HELLO, SSL2_MT_CLIENT_MASTER_KEY, SSL2_MT_CLIENT_FINISHED, SSL2_MT_SERVER_HELLO, SSL2_MT_SERVER_VERIFY, SSL2_MT_SERVER_FINISHED, SSL2_MT_REQUEST_CERTIFICATE, SSL2_MT_CLIENT_CERTIFICATE : con iota; # Error Message Codes SSL2_PE_NO_CIPHER := array [] of {byte 0, byte 16r01}; SSL2_PE_NO_CERTIFICATE := array [] of {byte 0, byte 16r02}; SSL2_PE_BAD_CERTIFICATE := array [] of {byte 0, byte 16r04}; SSL2_PE_UNSUPPORTED_CERTIFICATE_TYPE := array [] of {byte 0, byte 16r06}; # Cipher Kind Values SSL2_CK_RC4_128_WITH_MD5, SSL2_CK_RC4_128_EXPORT40_WITH_MD5, SSL2_CK_RC2_CBC_128_CBC_WITH_MD5, SSL2_CK_RC2_CBC_128_CBC_EXPORT40_WITH_MD5, SSL2_CK_IDEA_128_CBC_WITH_MD5, SSL2_CK_DES_64_CBC_WITH_MD5, SSL2_CK_DES_192_EDE3_CBC_WITH_MD5 : con iota; SSL2_Cipher_Kinds := array [] of { SSL2_CK_RC4_128_WITH_MD5 => array [] of {byte 16r01, byte 0, byte 16r80}, SSL2_CK_RC4_128_EXPORT40_WITH_MD5 => array [] of {byte 16r02, byte 0, byte 16r80}, SSL2_CK_RC2_CBC_128_CBC_WITH_MD5 => array [] of {byte 16r03, byte 0, byte 16r80}, SSL2_CK_RC2_CBC_128_CBC_EXPORT40_WITH_MD5 => array [] of {byte 16r04, byte 0, byte 16r80}, SSL2_CK_IDEA_128_CBC_WITH_MD5 => array [] of {byte 16r05, byte 0, byte 16r80}, SSL2_CK_DES_64_CBC_WITH_MD5 => array [] of {byte 16r06, byte 0, byte 16r40}, SSL2_CK_DES_192_EDE3_CBC_WITH_MD5 => array [] of {byte 16r07, byte 0, byte 16rC0}, }; # Certificate Type Codes SSL2_CT_X509_CERTIFICATE : con 16r01; # encode as one byte # Authentication Type Codes SSL2_AT_MD5_WITH_RSA_ENCRYPTION : con byte 16r01; # Upper/Lower Bounds SSL2_MAX_MASTER_KEY_LENGTH_IN_BITS : con 256; SSL2_MAX_SESSION_ID_LENGTH_IN_BYTES : con 16; SSL2_MIN_RSA_MODULUS_LENGTH_IN_BYTES : con 64; SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER : con 32767; SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER : con 16383; # Handshake Internal State SSL2_STATE_CLIENT_HELLO, SSL2_STATE_SERVER_HELLO, SSL2_STATE_CLIENT_MASTER_KEY, SSL2_STATE_SERVER_VERIFY, SSL2_STATE_REQUEST_CERTIFICATE, SSL2_STATE_CLIENT_CERTIFICATE, SSL2_STATE_CLIENT_FINISHED, SSL2_STATE_SERVER_FINISHED, SSL2_STATE_ERROR : con iota; # The client's challenge to the server for the server to identify itself is a # (near) arbitary length random. The v3 server will right justify the challenge # data to become the ClientHello.random data (padding with leading zeros, if # necessary). If the length of the challenge is greater than 32 bytes, then only # the last 32 bytes are used. It is legitimate (but not necessary) for a v3 # server to reject a v2 ClientHello that has fewer than 16 bytes of challenge # data. SSL2_CHALLENGE_LENGTH : con 16; V2Handshake: adt { pick { Error => code : array of byte; # [2]; ClientHello => version : array of byte; # [2] cipher_specs : array of byte; # [3] x session_id : array of byte; challenge : array of byte; ServerHello => session_id_hit : int; certificate_type : int; version : array of byte; # [2] certificate : array of byte; # only user certificate cipher_specs : array of byte; # [3] x connection_id : array of byte; ClientMasterKey => cipher_kind : array of byte; # [3] clear_key : array of byte; encrypt_key : array of byte; key_arg : array of byte; ServerVerify => challenge : array of byte; RequestCertificate => authentication_type : int; certificate_challenge : array of byte; ClientCertificate => certificate_type : int; certificate : array of byte; # only user certificate response : array of byte; ClientFinished => connection_id : array of byte; ServerFinished => session_id : array of byte; } encode: fn(hm: self ref V2Handshake): (array of byte, string); decode: fn(a: array of byte): (ref V2Handshake, string); tostring: fn(h: self ref V2Handshake): string; }; V2Handshake.tostring(handshake: self ref V2Handshake): string { info := ""; pick m := handshake { ClientHello => info += "\tClientHello\n" + "\tversion = \n\t\t" + bastr(m.version) + "\n" + "\tcipher_specs = \n\t\t" + bastr(m.cipher_specs) + "\n" + "\tsession_id = \n\t\t" + bastr(m.session_id) + "\n" + "\tchallenge = \n\t\t" + bastr(m.challenge) + "\n"; ServerHello => info += "\tServerHello\n" + "\tsession_id_hit = \n\t\t" + string m.session_id_hit + "\n" + "\tcertificate_type = \n\t\t" + string m.certificate_type + "\n" + "\tversion = \n\t\t" + bastr(m.version) + "\n" + "\tcertificate = \n\t\t" + bastr(m.certificate) + "\n" + "\tcipher_specs = \n\t\t" + bastr(m.cipher_specs) + "\n" + "\tconnection_id = \n\t\t" + bastr(m.connection_id) + "\n"; ClientMasterKey => info += "\tClientMasterKey\n" + "\tcipher_kind = \n\t\t" + bastr(m.cipher_kind) + "\n" + "\tclear_key = \n\t\t" + bastr(m.clear_key) + "\n" + "\tencrypt_key = \n\t\t" + bastr(m.encrypt_key) + "\n" + "\tkey_arg = \n\t\t" + bastr(m.key_arg) + "\n"; ServerVerify => info += "\tServerVerify\n" + "\tchallenge = \n\t\t" + bastr(m.challenge) + "\n"; RequestCertificate => info += "\tRequestCertificate\n" + "\tauthentication_type = \n\t\t" + string m.authentication_type + "\n" + "\tcertificate_challenge = \n\t\t" + bastr(m.certificate_challenge) + "\n"; ClientCertificate => info += "ClientCertificate\n" + "\tcertificate_type = \n\t\t" + string m.certificate_type + "\n" + "\tcertificate = \n\t\t" + bastr(m.certificate) + "\n" + "\tresponse = \n\t\t" + bastr(m.response) + "\n"; ClientFinished => info += "\tClientFinished\n" + "\tconnection_id = \n\t\t" + bastr(m.connection_id) + "\n"; ServerFinished => info += "\tServerFinished\n" + "\tsession_id = \n\t\t" + bastr(m.session_id) + "\n"; } return info; } # v2 handshake protocol - message driven, v2 and v3 sharing the same context stack do_v2handshake(v2hs: ref V2Handshake, ctx: ref Context): string { e: string = nil; pick h := v2hs { Error => do_v2error(h, ctx); ClientHello => if((ctx.status & CLIENT_SIDE) || ctx.state != SSL2_STATE_CLIENT_HELLO) { e = "V2ClientHello"; break; } do_v2client_hello(h, ctx); ServerHello => if(!(ctx.status & CLIENT_SIDE) || ctx.state != SSL2_STATE_SERVER_HELLO) { e = "V2ServerHello"; break; } do_v2server_hello(h, ctx); ClientMasterKey => if((ctx.status & CLIENT_SIDE) || ctx.state != SSL2_STATE_CLIENT_MASTER_KEY) { e = "V2ClientMasterKey"; break; } do_v2client_master_key(h, ctx); ServerVerify => if(!(ctx.status & CLIENT_SIDE) || ctx.state != SSL2_STATE_SERVER_VERIFY) { e = "V2ServerVerify"; break; } do_v2server_verify(h, ctx); RequestCertificate => if(!(ctx.status & CLIENT_SIDE) || ctx.state != SSL2_STATE_SERVER_VERIFY) { e = "V2RequestCertificate"; break; } do_v2req_cert(h, ctx); ClientCertificate => if((ctx.status & CLIENT_SIDE) || ctx.state != SSL2_STATE_CLIENT_CERTIFICATE) { e = "V2ClientCertificate"; break; } do_v2client_certificate(h, ctx); ClientFinished => if((ctx.status & CLIENT_SIDE) || ctx.state != SSL2_STATE_CLIENT_FINISHED) { e = "V2ClientFinished"; break; } do_v2client_finished(h, ctx); ServerFinished => if(!(ctx.status & CLIENT_SIDE) || ctx.state != SSL2_STATE_SERVER_FINISHED) { e = "V2ServerFinished"; break; } do_v2server_finished(h, ctx); } return e; } do_v2error(v2hs: ref V2Handshake.Error, ctx: ref Context) { if(SSL_DEBUG) log("do_v2error: " + string v2hs.code); ctx.state = STATE_EXIT; } # [server side] do_v2client_hello(v2hs: ref V2Handshake.ClientHello, ctx: ref Context) { if(v2hs.version[0] != SSL2_CLIENT_VERSION[0] || v2hs.version[1] != SSL2_CLIENT_VERSION[1]) { # promote this message to v3 handshake protocol ctx.state = STATE_CLIENT_HELLO; return; } # trying to resume s: ref Session; if((v2hs.session_id != nil) && (ctx.status & SESSION_RESUMABLE)) s = sslsession->get_session_byid(v2hs.session_id); if(s != nil) { # found a hit # prepare and send v2 handshake hello message v2handshake_enque( ref V2Handshake.ServerHello( 1, # hit found 0, # no certificate required SSL2_SERVER_VERSION, nil, # no authetication required s.suite, # use hit session cipher kind ctx.server_random # connection_id ), ctx ); # TODO: should in supported cipher_kinds err: string; (ctx.sel_ciph, ctx.sel_keyx, ctx.sel_sign, err) = v2suite_to_spec(ctx.session.suite, SSL2_Cipher_Kinds); if(err != "") { if(SSL_DEBUG) log("do_v2client_hello: " + err); ctx.state = SSL2_STATE_ERROR; return; } ctx.state = SSL2_STATE_SERVER_FINISHED; } else { # find matching cipher kinds n := len v2hs.cipher_specs; matchs := array [n] of byte; j, k: int = 0; while(j < n) { # ignore those not in SSL2_Cipher_Kinds matchs[k:] = v2hs.cipher_specs[j:j+3]; for(i := 0; i < len SSL2_Cipher_Kinds; i++) { ck := SSL2_Cipher_Kinds[i]; if(matchs[k] == ck[0] && matchs[k+1] == ck[1] && matchs[k+2] == ck[2]) k +=3; } j += 3; } if(k == 0) { if(SSL_DEBUG) log("do_v2client_hello: No matching cipher kind"); ctx.state = SSL2_STATE_ERROR; } else { matchs = matchs[0:k]; # Note: # v2 challenge -> v3 client_random # v2 connection_id -> v3 server_random chlen := len v2hs.challenge; if(chlen > 32) chlen = 32; ctx.client_random = array [chlen] of byte; if(chlen > 32) ctx.client_random[0:] = v2hs.challenge[chlen-32:]; else ctx.client_random[0:] = v2hs.challenge; ctx.server_random = random->randombuf(Random->NotQuiteRandom, 16); s.session_id = random->randombuf ( Random->NotQuiteRandom, SSL2_MAX_SESSION_ID_LENGTH_IN_BYTES ); s.suite = matchs; ctx.session = s; v2handshake_enque( ref V2Handshake.ServerHello( 0, # no hit - not resumable SSL2_CT_X509_CERTIFICATE, SSL2_SERVER_VERSION, hd ctx.local_info.certs, # the first is user certificate ctx.session.suite, # matched cipher kinds ctx.server_random # connection_id ), ctx ); ctx.state = SSL2_STATE_CLIENT_MASTER_KEY; } } } # [client side] do_v2server_hello(v2hs: ref V2Handshake.ServerHello, ctx: ref Context) { # must be v2 server hello otherwise it will be v3 server hello # determined by auto record layer version detection if(v2hs.version[0] != SSL2_SERVER_VERSION[0] || v2hs.version[1] != SSL2_SERVER_VERSION[1]) { if(SSL_DEBUG) log("do_v2server_hello: not a v2 version"); ctx.state = SSL2_STATE_ERROR; return; } ctx.session.version = SSL2_SERVER_VERSION; ctx.server_random = v2hs.connection_id; # check if a resumable session is found if(v2hs.session_id_hit != 0) { # resume ok err: string; # TODO: should in supported cipher_kinds (ctx.sel_ciph, nil, nil, err) = v2suite_to_spec(ctx.session.suite, SSL2_Cipher_Kinds); if(err != "") { if(SSL_DEBUG) log("do_v2server_hello: " + err); ctx.state = SSL2_STATE_ERROR; return; } } else { # not resumable session # use the first matched cipher kind; install cipher spec if(len v2hs.cipher_specs < 3) { if(SSL_DEBUG) log("do_v2server_hello: too few bytes"); ctx.state = SSL2_STATE_ERROR; return; } ctx.session.suite = array [3] of byte; ctx.session.suite[0:] = v2hs.cipher_specs[0:3]; err: string; (ctx.sel_ciph, nil, nil, err) = v2suite_to_spec(ctx.session.suite, SSL2_Cipher_Kinds); if(err != "") { if(SSL_DEBUG) log("do_v2server_hello: " + err); return; } # decode x509 certificates, authenticate server and extract # public key from server certificate if(v2hs.certificate_type != int SSL2_CT_X509_CERTIFICATE) { if(SSL_DEBUG) log("do_v2server_hello: not x509 certificate"); ctx.state = SSL2_STATE_ERROR; return; } ctx.session.peer_certs = v2hs.certificate :: nil; # TODO: decode v2hs.certificate as list of certificate # verify the list of certificate (e, signed) := x509->Signed.decode(v2hs.certificate); if(e != "") { if(SSL_DEBUG) log("do_v2server_hello: " + e); ctx.state = SSL2_STATE_ERROR; return; } certificate: ref Certificate; (e, certificate) = x509->Certificate.decode(signed.tobe_signed); if(e != "") { if(SSL_DEBUG) log("do_v2server_hello: " + e); ctx.state = SSL2_STATE_ERROR; return; } id: int; peer_pk: ref X509->PublicKey; (e, id, peer_pk) = certificate.subject_pkinfo.getPublicKey(); if(e != nil) { ctx.state = SSL2_STATE_ERROR; # protocol error return; } pk: ref RSAKey; pick key := peer_pk { RSA => pk = key.pk; * => } # prepare and send client master key message # TODO: change CipherSpec adt for more key info # Temporary solution # mkey (master key), ckey (clear key), skey(secret key) mkey, ckey, skey, keyarg: array of byte; (mkeylen, ckeylen, keyarglen) := v2suite_more(ctx.sel_ciph); mkey = random->randombuf(Random->NotQuiteRandom, mkeylen); if(ckeylen != 0) ckey = mkey[0:ckeylen]; if(mkeylen > ckeylen) skey = mkey[ckeylen:]; if(keyarglen > 0) keyarg = random->randombuf(Random->NotQuiteRandom, keyarglen); ekey: array of byte; (e, ekey) = pkcs->rsa_encrypt(skey, pk, 2); if(e != nil) { if(SSL_DEBUG) log("do_v2server_hello: " + e); ctx.state = SSL2_STATE_ERROR; return; } ctx.session.master_secret = mkey; v2handshake_enque( ref V2Handshake.ClientMasterKey(ctx.session.suite, ckey, ekey, keyarg), ctx ); } # clean up out_queue before switch cipher record_write_queue(ctx); ctx.out_queue.data = nil; # install keys onto ctx that will be pushed on ssl record when ready (ctx.cw_mac, ctx.sw_mac, ctx.cw_key, ctx.sw_key, ctx.cw_IV, ctx.sw_IV) = v2calc_keys(ctx.sel_ciph, ctx.session.master_secret, ctx.client_random, ctx.server_random); e := set_queues(ctx); if(e != "") { if(SSL_DEBUG) log("do_v2server_finished: " + e); ctx.state = SSL2_STATE_ERROR; return; } ctx.status |= IN_READY; ctx.status |= OUT_READY; # prepare and send client finished message v2handshake_enque( ref V2Handshake.ClientFinished(ctx.server_random), # as connection_id ctx ); ctx.state = SSL2_STATE_SERVER_VERIFY; } # [server side] do_v2client_master_key(v2hs: ref V2Handshake.ClientMasterKey, ctx: ref Context) { #if(cmk.cipher == -1 || cipher_info[cmk.cipher].cryptalg == -1) { # # return ("protocol error: bad cipher in masterkey", nullc); # ctx.state = SSL2_STATE_ERROR; # protocol error # return; #} ctx.session.suite = v2hs.cipher_kind; # TODO: # someplace shall be able to install the key # need further encapsulate encrypt and decrypt functions from KeyExAlg adt master_key_length: int; secret_key: array of byte; pick alg := ctx.sel_keyx { RSA => e: string; (e, secret_key) = pkcs->rsa_decrypt(v2hs.encrypt_key, alg.sk, 0); if(e != "") { if(SSL_DEBUG) log("do_v2client_master_key: " + e); ctx.state = SSL2_STATE_ERROR; return; } master_key_length = len v2hs.clear_key + len secret_key; * => if(SSL_DEBUG) log("do_v2client_master_key: unknown public key algorithm"); ctx.state = SSL2_STATE_ERROR; return; } #TODO: do the following lines after modifying the CipherSpec adt #if(master_key_length != ci.keylen) { # ctx.state = SSL2_STATE_ERROR; # protocol error # return; #} ctx.session.master_secret = array [master_key_length] of byte; ctx.session.master_secret[0:] = v2hs.clear_key; ctx.session.master_secret[len v2hs.clear_key:] = secret_key; # install keys onto ctx that will be pushed on ssl record when ready (ctx.cw_mac, ctx.sw_mac, ctx.cw_key, ctx.sw_key, ctx.cw_IV, ctx.sw_IV) = v2calc_keys(ctx.sel_ciph, ctx.session.master_secret, ctx.client_random, ctx.server_random); v2handshake_enque( ref V2Handshake.ServerVerify(ctx.client_random[16:]), ctx ); v2handshake_enque( ref V2Handshake.ServerFinished(ctx.session.session_id), ctx ); ctx.state = SSL2_STATE_CLIENT_FINISHED; } # used by client side do_v2server_verify(v2hs: ref V2Handshake.ServerVerify, ctx: ref Context) { # TODO: # the challenge length may not be 16 bytes if(bytes_cmp(v2hs.challenge, ctx.client_random[32-SSL2_CHALLENGE_LENGTH:]) < 0) { if(SSL_DEBUG) log("do_v2server_verify: challenge mismatch"); ctx.state = SSL2_STATE_ERROR; return; } ctx.state = SSL2_STATE_SERVER_FINISHED; } # [client side] do_v2req_cert(v2hs: ref V2Handshake.RequestCertificate, ctx: ref Context) { # not supported until v3 if(SSL_DEBUG) log("do_v2req_cert: authenticate client not supported"); v2hs = nil; ctx.state = SSL2_STATE_ERROR; } # [server side] do_v2client_certificate(v2hs: ref V2Handshake.ClientCertificate, ctx: ref Context) { # not supported until v3 if(SSL_DEBUG) log("do_v2client_certificate: authenticate client not supported"); v2handshake_enque ( ref V2Handshake.Error(SSL2_PE_NO_CERTIFICATE), ctx ); v2hs = nil; ctx.state = SSL2_STATE_ERROR; } # [server side] do_v2client_finished(v2hs: ref V2Handshake.ClientFinished, ctx: ref Context) { if(bytes_cmp(ctx.server_random, v2hs.connection_id) < 0) { ctx.session.session_id = nil; if(SSL_DEBUG) log("do_v2client_finished: connection id mismatch"); ctx.state = SSL2_STATE_ERROR; } # TODO: # the challenge length may not be 16 bytes v2handshake_enque( ref V2Handshake.ServerVerify(ctx.client_random[32-SSL2_CHALLENGE_LENGTH:]), ctx ); if(ctx.session.session_id == nil) ctx.session.session_id = random->randombuf(Random->NotQuiteRandom, 16); v2handshake_enque( ref V2Handshake.ServerFinished(ctx.session.session_id), ctx ); e := set_queues(ctx); if(e != "") { if(SSL_DEBUG) log("do_v2client_finished: " + e); ctx.state = SSL2_STATE_ERROR; return; } ctx.status |= IN_READY; ctx.status |= OUT_READY; sslsession->add_session(ctx.session); ctx.state = STATE_EXIT; } # [client side] do_v2server_finished(v2hs: ref V2Handshake.ServerFinished, ctx: ref Context) { if(ctx.session.session_id == nil) ctx.session.session_id = array [16] of byte; ctx.session.session_id[0:] = v2hs.session_id[0:]; sslsession->add_session(ctx.session); ctx.state = STATE_EXIT; } # Note: # the key partitioning for v2 is different from v3 v2calc_keys(ciph: ref CipherSpec, ms, cr, sr: array of byte) : (array of byte, array of byte, array of byte, array of byte, array of byte, array of byte) { cw_mac, sw_mac, cw_key, sw_key, cw_IV, sw_IV: array of byte; # TODO: check the size of key block if IV exists (mkeylen, ckeylen, keyarglen) := v2suite_more(ciph); kblen := 2*mkeylen; if(kblen%Keyring->MD5dlen != 0) { if(SSL_DEBUG) log("v2calc_keys: key block length is not multiple of MD5 hash length"); } else { key_block := array [kblen] of byte; challenge := cr[32-SSL2_CHALLENGE_LENGTH:32]; # TODO: if challenge length != 16 ? connection_id := sr[0:16]; # TODO: if connection_id length != 16 ? var := array [1] of byte; var[0] = byte 16r30; i := 0; while(i < kblen) { (hash, nil) := md5_hash(ms::var::challenge::connection_id::nil, nil); key_block[i:] = hash; i += Keyring->MD5dlen; ++var[0]; } if(SSL_DEBUG) log("ssl3: calc_keys:" + "\n\tmaster key = \n\t\t" + bastr(ms) + "\n\tchallenge = \n\t\t" + bastr(challenge) + "\n\tconnection id = \n\t\t" + bastr(connection_id) + "\n\tkey block = \n\t\t" + bastr(key_block) + "\n"); i = 0; # server write key == client read key # server write mac == server write key sw_key = array [mkeylen] of byte; sw_key[0:] = key_block[i:mkeylen]; sw_mac = array [mkeylen] of byte; sw_mac[0:] = key_block[i:mkeylen]; # client write key == server read key # client write mac == client write key i += mkeylen; cw_key = array [mkeylen] of byte; cw_key[0:] = key_block[i:i+mkeylen]; cw_mac = array [mkeylen] of byte; cw_mac[0:] = key_block[i:i+mkeylen]; # client IV == server IV # Note: # IV is a part of writing or reading key for ssl device # this is composed again in setctl cw_IV = array [keyarglen] of byte; cw_IV[0:] = ms[mkeylen:mkeylen+keyarglen]; sw_IV = array [keyarglen] of byte; sw_IV[0:] = ms[mkeylen:mkeylen+keyarglen]; } if(SSL_DEBUG) log("ssl3: calc_keys:" + "\n\tclient_write_mac = \n\t\t" + bastr(cw_mac) + "\n\tserver_write_mac = \n\t\t" + bastr(sw_mac) + "\n\tclient_write_key = \n\t\t" + bastr(cw_key) + "\n\tserver_write_key = \n\t\t" + bastr(sw_key) + "\n\tclient_write_IV = \n\t\t" + bastr(cw_IV) + "\n\tserver_write_IV = \n\t\t" + bastr(sw_IV) + "\n"); return (cw_mac, sw_mac, cw_key, sw_key, cw_IV, sw_IV); } v3tov2specs(suites: array of byte): array of byte { # v3 suite codes are 2 bytes each, v2 codes are 3 bytes n := len suites / 2; kinds := array [n*6] of byte; # was n*3 k := 0; for(i := 0; i < n;) { a := suites[i:i+2]; i += 2; m := len SSL3_Suites; for(j := 0; j < m; j++) { a = SSL3_Suites[j]; if(a[0]==suites[0] && a[1]==suites[1]) break; } if(j == m) { if(SSL_DEBUG) log("ssl3: convert v3 suite to v2 kind: unknown cipher"); continue; } ok := 1; case j { RSA_EXPORT_WITH_RC4_40_MD5 => kinds[k:] = SSL2_Cipher_Kinds[SSL2_CK_RC4_128_EXPORT40_WITH_MD5]; k += 3; RSA_WITH_RC4_128_MD5 => kinds[k:] = SSL2_Cipher_Kinds[SSL2_CK_RC4_128_WITH_MD5]; k += 3; RSA_WITH_IDEA_CBC_SHA => kinds[k:] = SSL2_Cipher_Kinds[SSL2_CK_IDEA_128_CBC_WITH_MD5]; k += 3; RSA_WITH_DES_CBC_SHA => ; * => ok = 0; if(SSL_DEBUG) log("ssl3: unable to convert v3 suite to v2 kind"); } if (ok) { # append v3 code in v2-safe manner # (suite[0] == 0) => will be ignored by v2 server, picked up by v3 server kinds[k] = byte 16r00; kinds[k+1:] = SSL3_Suites[j]; k += 3; return kinds[0:k]; } } return kinds[0:k]; } v2suite_to_spec(cs: array of byte, cipher_kinds: array of array of byte) : (ref CipherSpec, ref KeyExAlg, ref SigAlg, string) { cip : ref CipherSpec; kex : ref KeyExAlg; sig : ref SigAlg; n := len cipher_kinds; i : int; found := array [3] of byte; for(i = 0; i < n; i++) { found = cipher_kinds[i]; if(found[0]==cs[0] && found[1]==cs[1] && found[2]==cs[2]) break; } if(i == n) return (nil, nil, nil, "fail to find a matched spec"); case i { SSL2_CK_RC4_128_WITH_MD5 => cip = ref CipherSpec(SSL_EXPORT_FALSE, SSL_RC4, SSL_STREAM_CIPHER, 16, 0, SSL_MD5, Keyring->MD4dlen); SSL2_CK_RC4_128_EXPORT40_WITH_MD5 => cip = ref CipherSpec(SSL_EXPORT_TRUE, SSL_RC4, SSL_STREAM_CIPHER, 5, 0, SSL_MD5, Keyring->MD4dlen); SSL2_CK_RC2_CBC_128_CBC_WITH_MD5 => cip = ref CipherSpec(SSL_EXPORT_FALSE, SSL_RC2_CBC, SSL_BLOCK_CIPHER, 16, 8, SSL_MD5, Keyring->MD4dlen); SSL2_CK_RC2_CBC_128_CBC_EXPORT40_WITH_MD5 => cip = ref CipherSpec(SSL_EXPORT_TRUE, SSL_RC2_CBC, SSL_BLOCK_CIPHER, 5, 8, SSL_MD5, Keyring->MD4dlen); SSL2_CK_IDEA_128_CBC_WITH_MD5 => cip = ref CipherSpec(SSL_EXPORT_FALSE, SSL_IDEA_CBC, SSL_BLOCK_CIPHER, 16, 8, SSL_MD5, Keyring->MD4dlen); SSL2_CK_DES_64_CBC_WITH_MD5 => cip = ref CipherSpec(SSL_EXPORT_FALSE, SSL_DES_CBC, SSL_BLOCK_CIPHER, 8, 8, SSL_MD5, Keyring->MD4dlen); SSL2_CK_DES_192_EDE3_CBC_WITH_MD5 => cip = ref CipherSpec(SSL_EXPORT_FALSE, SSL_3DES_EDE_CBC, SSL_BLOCK_CIPHER, 24, 8, SSL_MD5, Keyring->MD4dlen); } kex = ref KeyExAlg.RSA(nil, nil, nil); sig = ref SigAlg.RSA(nil, nil); return (cip, kex, sig, nil); } v2suite_more(ciph: ref CipherSpec): (int, int, int) { mkeylen, ckeylen, keyarglen: int; case ciph.bulk_cipher_algorithm { SSL_RC4 => mkeylen = 16; if(ciph.key_material == 5) ckeylen = 16 - 5; else ckeylen = 0; keyarglen = 0; SSL_RC2_CBC => mkeylen = 16; if(ciph.key_material == 5) ckeylen = 16 - 5; else ckeylen = 0; keyarglen = 8; SSL_IDEA_CBC => mkeylen = 16; ckeylen = 0; keyarglen = 8; SSL_DES_CBC => mkeylen = 8; if(ciph.key_material == 5) ckeylen = 8 - 5; else ckeylen = 0; keyarglen = 8; SSL_3DES_EDE_CBC => mkeylen = 24; ckeylen = 0; keyarglen = 8; } return (mkeylen, ckeylen, keyarglen); } v2handshake_enque(h: ref V2Handshake, ctx: ref Context) { p := ref Protocol.pV2Handshake(h); protocol_write(p, ctx); } V2Handshake.encode(hm: self ref V2Handshake): (array of byte, string) { a : array of byte; n : int; e : string; i := 0; pick m := hm { Error => n = 3; a = array[n] of byte; a[i++] = byte SSL2_MT_ERROR; a[i:] = m.code; ClientHello => specslen := len m.cipher_specs; sidlen := len m.session_id; challen := len m.challenge; n = 9+specslen + sidlen + challen; a = array[n] of byte; a[i++] = byte SSL2_MT_CLIENT_HELLO; a[i:] = m.version; i += 2; a[i:] = int_encode(specslen, 2); i += 2; a[i:] = int_encode(sidlen, 2); i += 2; a[i:] = int_encode(challen, 2); i += 2; a[i:] = m.cipher_specs; i += specslen; if(sidlen != 0) { a[i:] = m.session_id; i += sidlen; } if(challen != 0) { a[i:] = m.challenge; i += challen; } ServerHello => # use only the user certificate certlen := len m.certificate; # specslen := 3*len m.cipher_specs; specslen := len m.cipher_specs; cidlen := len m.connection_id; n = 11 + certlen + specslen + cidlen; a = array[n] of byte; a[i++] = byte SSL2_MT_SERVER_HELLO; a[i++] = byte m.session_id_hit; a[i++] = byte m.certificate_type; a[i:] = m.version; i += 2; a[i:] = int_encode(certlen, 2); i += 2; a[i:] = int_encode(specslen, 2); i += 2; a[i:] = int_encode(cidlen, 2); i += 2; a[i:] = m.certificate; i += certlen; a[i:] = m.cipher_specs; i += specslen; a[i:] = m.connection_id; i += cidlen; ClientMasterKey => ckeylen := len m.clear_key; ekeylen := len m.encrypt_key; karglen := len m.key_arg; n = 10 + ckeylen + ekeylen + karglen; a = array[n] of byte; a[i++] = byte SSL2_MT_CLIENT_MASTER_KEY; a[i:] = m.cipher_kind; i += 3; a[i:] = int_encode(ckeylen, 2); i += 2; a[i:] = int_encode(ekeylen, 2); i += 2; a[i:] = int_encode(karglen, 2); i += 2; a[i:] = m.clear_key; i += ckeylen; a[i:] = m.encrypt_key; i += ekeylen; a[i:] = m.key_arg; i += karglen; ServerVerify => challen := len m.challenge; n = 1 + challen; a = array[n] of byte; a[i++] = byte SSL2_MT_SERVER_VERIFY; a[i:] = m.challenge; RequestCertificate => cclen := len m.certificate_challenge; n = 2 + cclen; a = array[n] of byte; a[i++] = byte SSL2_MT_REQUEST_CERTIFICATE; a[i++] = byte m.authentication_type; a[i:] = m.certificate_challenge; i += cclen; ClientCertificate => # use only the user certificate certlen := len m.certificate; resplen := len m.response; n = 6 + certlen + resplen; a = array[n] of byte; a[i++] = byte SSL2_MT_CLIENT_CERTIFICATE; a[i++] = byte m.certificate_type; a[i:] = int_encode(certlen, 2); i += 2; a[i:] = int_encode(resplen, 2); i += 2; a[i:] = m.certificate; i += certlen; a[i:] = m.response; i += resplen; ClientFinished => cidlen := len m.connection_id; n = 1 + cidlen; a = array[n] of byte; a[i++] = byte SSL2_MT_CLIENT_FINISHED; a[i:] = m.connection_id; i += cidlen; ServerFinished => sidlen := len m.session_id; n = 1 + sidlen; a = array[n] of byte; a[i++] = byte SSL2_MT_SERVER_FINISHED; a[i:] = m.session_id; i += sidlen; } return (a, e); } V2Handshake.decode(a: array of byte): (ref V2Handshake, string) { m : ref V2Handshake; e : string; n := len a; i := 1; case int a[0] { SSL2_MT_ERROR => if(n != 3) break; code := a[i:i+2]; i += 2; m = ref V2Handshake.Error(code); SSL2_MT_CLIENT_HELLO => if(n < 9) { e = "client hello: message too short"; break; } ver := a[i:i+2]; i += 2; specslen := int_decode(a[i:i+2]); i += 2; sidlen := int_decode(a[i:i+2]); i += 2; challen := int_decode(a[i:i+2]); i += 2; if(n != 9+specslen+sidlen+challen) { e = "client hello: length mismatch"; break; } if(specslen%3 != 0) { e = "client hello: must multiple of 3 bytes"; break; } specs: array of byte; if(specslen != 0) { specs = a[i:i+specslen]; i += specslen; } sid: array of byte; if(sidlen != 0) { sid = a[i:i+sidlen]; i += sidlen; } chal: array of byte; if(challen != 0) { chal = a[i:i+challen]; i += challen; } m = ref V2Handshake.ClientHello(ver, specs, sid, chal); SSL2_MT_CLIENT_MASTER_KEY => if(n < 10) { e = "client master key: message too short"; break; } kind := a[i:i+3]; i += 3; ckeylen := int_decode(a[i:i+2]); i += 2; ekeylen := int_decode(a[i:i+2]); i += 2; karglen := int_decode(a[i:i+2]); i += 2; if(n != 10 + ckeylen + ekeylen + karglen) { e = "client master key: length mismatch"; break; } ckey := a[i:i+ckeylen]; i += ckeylen; ekey := a[i:i+ekeylen]; i += ekeylen; karg := a[i:i+karglen]; i += karglen; m = ref V2Handshake.ClientMasterKey(kind, ckey, ekey, karg); SSL2_MT_CLIENT_FINISHED => cid := a[i:n]; i = n; m = ref V2Handshake.ClientFinished(cid); SSL2_MT_SERVER_HELLO => if(n < 11) { e = "server hello: messsage too short"; break; } sidhit := int a[i++]; certtype := int a[i++]; ver := a[i:i+2]; i += 2; certlen := int_decode(a[i:i+2]); i += 2; specslen := int_decode(a[i:i+2]); i += 2; cidlen := int_decode(a[i:i+2]); i += 2; if(n != 11+certlen+specslen+cidlen) { e = "server hello: length mismatch"; break; } cert := a[i:i+certlen]; i += certlen; if(specslen%3 != 0) { e = "server hello: must be multiple of 3 bytes"; break; } specs := a[i:i+specslen]; i += specslen; if(cidlen < 16 || cidlen > 32) { e = "server hello: connection id length out of range"; break; } cid := a[i:i+cidlen]; i += cidlen; m = ref V2Handshake.ServerHello(sidhit, certtype, ver, cert, specs, cid); SSL2_MT_SERVER_VERIFY => chal := a[i:n]; i = n; m = ref V2Handshake.ServerVerify(chal); SSL2_MT_SERVER_FINISHED => sid := a[i:n]; m = ref V2Handshake.ServerFinished(sid); SSL2_MT_REQUEST_CERTIFICATE => if(n < 2) { e = "request certificate: message too short"; break; } authtype := int a[i++]; certchal := a[i:n]; i = n; m = ref V2Handshake.RequestCertificate(authtype, certchal); SSL2_MT_CLIENT_CERTIFICATE => if(n < 6) { e = "client certificate: message too short"; break; } certtype := int a[i++]; certlen := int_decode(a[i:i+2]); i += 2; resplen := int_decode(a[i:i+2]); i += 2; if(n != 6+certlen+resplen) { e = "client certificate: length mismatch"; break; } cert := a[i:i+certlen]; i += certlen; resp := a[i:i+resplen]; m = ref V2Handshake.ClientCertificate(certtype, cert, resp); * => e = "unknown message [" + string a[0] + "]"; } return (m, e); } # utilities md5_hash(input: list of array of byte, md5_ds: ref DigestState): (array of byte, ref DigestState) { hash_value := array [Keyring->MD5dlen] of byte; ds : ref DigestState; if(md5_ds != nil) ds = keyring->cloneDigestState(md5_ds); lab := input; for(i := 0; i < len input - 1; i++) { ds = keyring->md5(hd lab, len hd lab, nil, ds); lab = tl lab; } ds = keyring->md5(hd lab, len hd lab, hash_value, ds); return (hash_value, ds); } sha_hash(input: list of array of byte, sha_ds: ref DigestState): (array of byte, ref DigestState) { hash_value := array [Keyring->SHAdlen] of byte; ds : ref DigestState; if(sha_ds != nil) ds = keyring->cloneDigestState(sha_ds); lab := input; for(i := 0; i < len input - 1; i++) { ds = keyring->sha(hd lab, len hd lab, nil, ds); lab = tl lab; } ds = keyring->sha(hd lab, len hd lab, hash_value, ds); return (hash_value, ds); } md5_sha_hash(input: list of array of byte, md5_ds, sha_ds: ref DigestState) : (array of byte, ref DigestState, ref DigestState) { buf := array [Keyring->MD5dlen+Keyring->SHAdlen] of byte; (buf[0:], md5_ds) = md5_hash(input, md5_ds); (buf[Keyring->MD5dlen:], sha_ds) = sha_hash(input, sha_ds); return (buf, md5_ds, sha_ds); } int_decode(buf: array of byte): int { val := 0; for(i := 0; i < len buf; i++) val = (val << 8) | (int buf[i]); return val; } int_encode(value, length: int): array of byte { buf := array [length] of byte; while(length--) { buf[length] = byte value; value >>= 8; } return buf; } bastr(a: array of byte) : string { ans : string = ""; for(i := 0; i < len a; i++) { if(i < len a - 1 && i != 0 && i%10 == 0) ans += "\n\t\t"; if(i == len a -1) ans += sys->sprint("%2x", int a[i]); else ans += sys->sprint("%2x ", int a[i]); } return ans; } bbastr(a: array of array of byte) : string { info := ""; for(i := 0; i < len a; i++) info += bastr(a[i]); return info; } lbastr(a: list of array of byte) : string { info := ""; l := a; while(l != nil) { info += bastr(hd l) + "\n\t\t"; l = tl l; } return info; } # need to fix (string a == string b) bytes_cmp(a, b: array of byte): int { if(len a != len b) return -1; n := len a; for(i := 0; i < n; i++) { if(a[i] != b[i]) return -1; } return 0; } putn(a: array of byte, i, value, n: int): int { j := n; while(j--) { a[i+j] = byte value; value >>= 8; } return i+n; } INVALID_SUITE : con "invalid suite list"; ILLEGAL_SUITE : con "illegal suite list"; cksuites(suites : array of byte) : string { m := len suites; if (m == 0 || (m&1)) return INVALID_SUITE; n := len SSL3_Suites; ssl3s := array [2] of byte; for (j := 0; j < m; j += 2) { for( i := 0; i < n; i++) { ssl3s = SSL3_Suites[i]; if(suites[j] == ssl3s[0] && suites[j+1] == ssl3s[1]) break; } if (i == n) return ILLEGAL_SUITE; } return nil; }