diff options
author | lloyd <[email protected]> | 2010-04-09 14:03:13 +0000 |
---|---|---|
committer | lloyd <[email protected]> | 2010-04-09 14:03:13 +0000 |
commit | 143b5cb297a36b94c9d0e56e2d2145a7c55efde5 (patch) | |
tree | 000b11f87806678649e68e753aaad8ed6ef45803 /src/ssl | |
parent | a1fc16d73b6e8fbb041c5163687bfd37c5705da4 (diff) | |
parent | d7e2e9316a5540e93595b5386f67594135de736d (diff) |
propagate from branch 'net.randombit.botan' (head 75d272c759511a9a99a371ddc74bd17b2c1453b6)
to branch 'net.randombit.botan.c++0x' (head 2ce9ba37cb9287a3d875921240d6682100625b9f)
Diffstat (limited to 'src/ssl')
-rw-r--r-- | src/ssl/c_kex.cpp | 11 | ||||
-rw-r--r-- | src/ssl/cert_ver.cpp | 11 | ||||
-rw-r--r-- | src/ssl/finished.cpp | 2 | ||||
-rw-r--r-- | src/ssl/hello.cpp | 126 | ||||
-rw-r--r-- | src/ssl/info.txt | 39 | ||||
-rw-r--r-- | src/ssl/rec_read.cpp | 120 | ||||
-rw-r--r-- | src/ssl/rec_wri.cpp | 56 | ||||
-rw-r--r-- | src/ssl/s_kex.cpp | 2 | ||||
-rw-r--r-- | src/ssl/socket.h | 7 | ||||
-rw-r--r-- | src/ssl/tls_client.cpp | 32 | ||||
-rw-r--r-- | src/ssl/tls_client.h | 2 | ||||
-rw-r--r-- | src/ssl/tls_magic.h | 11 | ||||
-rw-r--r-- | src/ssl/tls_messages.h | 3 | ||||
-rw-r--r-- | src/ssl/tls_policy.h | 2 | ||||
-rw-r--r-- | src/ssl/tls_reader.h | 140 | ||||
-rw-r--r-- | src/ssl/tls_record.h | 46 | ||||
-rw-r--r-- | src/ssl/tls_server.cpp | 46 | ||||
-rw-r--r-- | src/ssl/tls_server.h | 6 | ||||
-rw-r--r-- | src/ssl/tls_session_key.cpp | 2 | ||||
-rw-r--r-- | src/ssl/unix_socket/unx_sock.cpp | 8 | ||||
-rw-r--r-- | src/ssl/unix_socket/unx_sock.h | 4 |
21 files changed, 488 insertions, 188 deletions
diff --git a/src/ssl/c_kex.cpp b/src/ssl/c_kex.cpp index 9e59beefc..e09e18ce1 100644 --- a/src/ssl/c_kex.cpp +++ b/src/ssl/c_kex.cpp @@ -6,6 +6,7 @@ */ #include <botan/tls_messages.h> +#include <botan/internal/tls_reader.h> #include <botan/pubkey.h> #include <botan/dh.h> #include <botan/rsa.h> @@ -99,14 +100,8 @@ void Client_Key_Exchange::deserialize(const MemoryRegion<byte>& buf) { if(include_length) { - if(buf.size() < 2) - throw Decoding_Error("Client_Key_Exchange: Packet corrupted"); - - u32bit size = make_u16bit(buf[0], buf[1]); - if(size + 2 != buf.size()) - throw Decoding_Error("Client_Key_Exchange: Packet corrupted"); - - key_material.set(buf + 2, size); + TLS_Data_Reader reader(buf); + key_material = reader.get_range<byte>(2, 0, 65535); } else key_material = buf; diff --git a/src/ssl/cert_ver.cpp b/src/ssl/cert_ver.cpp index 0bf6c85be..3edf4266d 100644 --- a/src/ssl/cert_ver.cpp +++ b/src/ssl/cert_ver.cpp @@ -6,6 +6,7 @@ */ #include <botan/tls_messages.h> +#include <botan/internal/tls_reader.h> #include <botan/pubkey.h> #include <botan/rsa.h> #include <botan/dsa.h> @@ -62,14 +63,8 @@ SecureVector<byte> Certificate_Verify::serialize() const */ void Certificate_Verify::deserialize(const MemoryRegion<byte>& buf) { - if(buf.size() < 2) - throw Decoding_Error("Certificate_Verify: Corrupted packet"); - - u32bit sig_len = make_u16bit(buf[0], buf[1]); - if(buf.size() != 2 + sig_len) - throw Decoding_Error("Certificate_Verify: Corrupted packet"); - - signature.set(buf + 2, sig_len); + TLS_Data_Reader reader(buf); + signature = reader.get_range<byte>(2, 0, 65535); } /** diff --git a/src/ssl/finished.cpp b/src/ssl/finished.cpp index edbd4a3fe..b0f6abd25 100644 --- a/src/ssl/finished.cpp +++ b/src/ssl/finished.cpp @@ -72,7 +72,7 @@ SecureVector<byte> Finished::compute_verify(const MemoryRegion<byte>& secret, return hash.final_ssl3(secret); } - else if(version == TLS_V10) + else if(version == TLS_V10 || version == TLS_V11) { const byte TLS_CLIENT_LABEL[] = { 0x63, 0x6C, 0x69, 0x65, 0x6E, 0x74, 0x20, 0x66, 0x69, 0x6E, 0x69, diff --git a/src/ssl/hello.cpp b/src/ssl/hello.cpp index 53f680fba..a23d51c24 100644 --- a/src/ssl/hello.cpp +++ b/src/ssl/hello.cpp @@ -1,12 +1,12 @@ /** * TLS Hello Messages -* (C) 2004-2006 Jack Lloyd +* (C) 2004-2010 Jack Lloyd * * Released under the terms of the Botan license */ #include <botan/tls_messages.h> -#include <botan/loadstor.h> +#include <botan/internal/tls_reader.h> namespace Botan { @@ -93,15 +93,15 @@ SecureVector<byte> Client_Hello::serialize() const buf.append(get_byte(0, suites_size)); buf.append(get_byte(1, suites_size)); - for(u32bit j = 0; j != suites.size(); j++) + for(u32bit i = 0; i != suites.size(); i++) { - buf.append(get_byte(0, suites[j])); - buf.append(get_byte(1, suites[j])); + buf.append(get_byte(0, suites[i])); + buf.append(get_byte(1, suites[i])); } buf.append(static_cast<byte>(comp_algos.size())); - for(u32bit j = 0; j != comp_algos.size(); j++) - buf.append(comp_algos[j]); + for(u32bit i = 0; i != comp_algos.size(); i++) + buf.append(comp_algos[i]); return buf; } @@ -117,38 +117,61 @@ void Client_Hello::deserialize(const MemoryRegion<byte>& buf) if(buf.size() < 41) throw Decoding_Error("Client_Hello: Packet corrupted"); - c_version = static_cast<Version_Code>(make_u16bit(buf[0], buf[1])); - if(c_version != SSL_V3 && c_version != TLS_V10) - throw TLS_Exception(PROTOCOL_VERSION, "Client_Hello: Bad version code"); + TLS_Data_Reader reader(buf); - c_random.set(buf + 2, 32); + c_version = static_cast<Version_Code>(reader.get_u16bit()); + c_random = reader.get_fixed<byte>(32); - u32bit session_id_len = buf[34]; - if(session_id_len > 32 || session_id_len + 41 > buf.size()) - throw Decoding_Error("Client_Hello: Packet corrupted"); - sess_id.copy(buf + 35, session_id_len); + sess_id = reader.get_range<byte>(1, 0, 32); - u32bit offset = 2+32+1+session_id_len; + suites = reader.get_range_vector<u16bit>(2, 1, 32767); - u16bit suites_size = make_u16bit(buf[offset], buf[offset+1]); - offset += 2; - if(suites_size % 2 == 1 || offset + suites_size + 2 > buf.size()) - throw Decoding_Error("Client_Hello: Packet corrupted"); + comp_algos = reader.get_range_vector<byte>(1, 1, 255); - for(u32bit j = 0; j != suites_size; j += 2) + if(reader.has_remaining()) { - u16bit suite = make_u16bit(buf[offset+j], buf[offset+j+1]); - suites.push_back(suite); + const u16bit all_extn_size = reader.get_u16bit(); + + if(reader.remaining_bytes() != all_extn_size) + throw Decoding_Error("Client_Hello: Bad extension size"); + + while(reader.has_remaining()) + { + const u16bit extension_code = reader.get_u16bit(); + const u16bit extension_size = reader.get_u16bit(); + + if(extension_code == TLSEXT_SERVER_NAME_INDICATION) + { + u16bit name_bytes = reader.get_u16bit(); + + while(name_bytes) + { + byte name_type = reader.get_byte(); + name_bytes--; + + if(name_type == 0) // DNS + { + std::vector<byte> name = + reader.get_range_vector<byte>(2, 1, 65535); + + requested_hostname.assign((const char*)&name[0], + name.size()); + + name_bytes -= (2 + name.size()); + } + else + { + reader.discard_next(name_bytes); + name_bytes = 0; + } + } + } + else + { + reader.discard_next(extension_size); + } + } } - offset += suites_size; - - byte comp_algo_size = buf[offset]; - offset += 1; - if(offset + comp_algo_size > buf.size()) - throw Decoding_Error("Client_Hello: Packet corrupted"); - - for(u32bit j = 0; j != comp_algo_size; j++) - comp_algos.push_back(buf[offset+j]); } /** @@ -156,8 +179,8 @@ void Client_Hello::deserialize(const MemoryRegion<byte>& buf) */ bool Client_Hello::offered_suite(u16bit ciphersuite) const { - for(u32bit j = 0; j != suites.size(); j++) - if(suites[j] == ciphersuite) + for(u32bit i = 0; i != suites.size(); i++) + if(suites[i] == ciphersuite) return true; return false; } @@ -172,11 +195,15 @@ Server_Hello::Server_Hello(RandomNumberGenerator& rng, HandshakeHash& hash) { bool have_rsa = false, have_dsa = false; - for(u32bit j = 0; j != certs.size(); j++) + + for(u32bit i = 0; i != certs.size(); i++) { - Public_Key* key = certs[j].subject_public_key(); - if(key->algo_name() == "RSA") have_rsa = true; - if(key->algo_name() == "DSA") have_dsa = true; + Public_Key* key = certs[i].subject_public_key(); + if(key->algo_name() == "RSA") + have_rsa = true; + + if(key->algo_name() == "DSA") + have_dsa = true; } suite = policy->choose_suite(c_hello.ciphersuites(), have_rsa, have_dsa); @@ -218,23 +245,24 @@ void Server_Hello::deserialize(const MemoryRegion<byte>& buf) if(buf.size() < 38) throw Decoding_Error("Server_Hello: Packet corrupted"); - s_version = static_cast<Version_Code>(make_u16bit(buf[0], buf[1])); - if(s_version != SSL_V3 && s_version != TLS_V10) + TLS_Data_Reader reader(buf); + + s_version = static_cast<Version_Code>(reader.get_u16bit()); + + if(s_version != SSL_V3 && s_version != TLS_V10 && s_version != TLS_V11) + { throw TLS_Exception(PROTOCOL_VERSION, "Server_Hello: Unsupported server version"); + } - s_random.set(buf + 2, 32); + s_random = reader.get_fixed<byte>(32); - u32bit session_id_len = buf[2+32]; - if(session_id_len > 32 || session_id_len + 38 != buf.size()) - throw Decoding_Error("Server_Hello: Packet corrupted"); - sess_id.copy(buf + 2 + 32 + 1, session_id_len); + sess_id = reader.get_range<byte>(1, 0, 32); - suite = make_u16bit(buf[2+32+1+session_id_len], - buf[2+32+1+session_id_len+1]); - comp_algo = buf[2+32+1+session_id_len+2]; - } + suite = reader.get_u16bit(); + comp_algo = reader.get_byte(); + } /** * Create a new Server Hello Done message diff --git a/src/ssl/info.txt b/src/ssl/info.txt index 73e4207d8..1d28cf4f8 100644 --- a/src/ssl/info.txt +++ b/src/ssl/info.txt @@ -1 +1,40 @@ define SSL_TLS + +<header:public> +handshake_hash.h +socket.h +tls_alerts.h +tls_client.h +tls_connection.h +tls_exceptn.h +tls_magic.h +tls_messages.h +tls_policy.h +tls_record.h +tls_server.h +tls_session_key.h +tls_state.h +tls_suites.h +</header:public> + +<header:internal> +tls_reader.h +</header:internal> + +<source> +c_kex.cpp +cert_req.cpp +cert_ver.cpp +finished.cpp +handshake_hash.cpp +handshake_state.cpp +hello.cpp +rec_read.cpp +rec_wri.cpp +s_kex.cpp +tls_client.cpp +tls_policy.cpp +tls_server.cpp +tls_session_key.cpp +tls_suites.cpp +</source> diff --git a/src/ssl/rec_read.cpp b/src/ssl/rec_read.cpp index 95059dbf2..8f8e5dc1e 100644 --- a/src/ssl/rec_read.cpp +++ b/src/ssl/rec_read.cpp @@ -1,6 +1,6 @@ /** -* TLS Record Reading -* (C) 2004-2006 Jack Lloyd +* TLS Record Reading +* (C) 2004-2010 Jack Lloyd * * Released under the terms of the Botan license */ @@ -13,23 +13,15 @@ namespace Botan { /** -* Record_Reader Constructor -*/ -Record_Reader::Record_Reader(Socket& sock) : socket(sock) - { - reset(); - } - -/** * Reset the state */ void Record_Reader::reset() { - compress.reset(); cipher.reset(); mac.reset(); - do_compress = false; - mac_size = pad_amount = 0; + mac_size = 0; + block_size = 0; + iv_size = 0; major = minor = 0; seq_no = 0; } @@ -39,7 +31,7 @@ void Record_Reader::reset() */ void Record_Reader::set_version(Version_Code version) { - if(version != SSL_V3 && version != TLS_V10) + if(version != SSL_V3 && version != TLS_V10 && version != TLS_V11) throw Invalid_Argument("Record_Reader: Invalid protocol version"); major = (version >> 8) & 0xFF; @@ -47,15 +39,6 @@ void Record_Reader::set_version(Version_Code version) } /** -* Set the compression algorithm -*/ -void Record_Reader::set_compressor(Filter* compressor) - { - compress.append(compressor); - do_compress = true; - } - -/** * Set the keys for reading */ void Record_Reader::set_keys(const CipherSuite& suite, const SessionKeys& keys, @@ -89,12 +72,18 @@ void Record_Reader::set_keys(const CipherSuite& suite, const SessionKeys& keys, cipher_algo + "/CBC/NoPadding", cipher_key, iv, DECRYPTION) ); - pad_amount = block_size_of(cipher_algo); + block_size = block_size_of(cipher_algo); + + if(major == 3 && minor >= 2) + iv_size = block_size; + else + iv_size = 0; } else if(have_stream_cipher(cipher_algo)) { cipher.append(get_cipher(cipher_algo, cipher_key, DECRYPTION)); - pad_amount = 0; + block_size = 0; + iv_size = 0; } else throw Invalid_Argument("Record_Reader: Unknown cipher " + cipher_algo); @@ -112,75 +101,102 @@ void Record_Reader::set_keys(const CipherSuite& suite, const SessionKeys& keys, throw Invalid_Argument("Record_Reader: Unknown hash " + mac_algo); } +void Record_Reader::add_input(const byte input[], u32bit input_size) + { + input_queue.write(input, input_size); + } + /** * Retrieve the next record */ -SecureVector<byte> Record_Reader::get_record(byte& msg_type) +u32bit Record_Reader::get_record(byte& msg_type, + MemoryRegion<byte>& output) { byte header[5] = { 0 }; - u32bit got = socket.read(header, sizeof(header)); + const u32bit have_in_queue = input_queue.size(); - if(got == 0) - { - msg_type = CONNECTION_CLOSED; - return SecureVector<byte>(); - } - else if(got != sizeof(header)) - throw Decoding_Error("Record_Reader: Record truncated"); + if(have_in_queue < sizeof(header)) + return (sizeof(header) - have_in_queue); - msg_type = header[0]; + /* + * We peek first to make sure we have the full record + */ + input_queue.peek(header, sizeof(header)); - const u16bit version = make_u16bit(header[1], header[2]); + const u16bit version = make_u16bit(header[1], header[2]); + const u16bit record_len = make_u16bit(header[3], header[4]); if(major && (header[1] != major || header[2] != minor)) throw TLS_Exception(PROTOCOL_VERSION, "Record_Reader: Got unexpected version"); - SecureVector<byte> buffer(make_u16bit(header[3], header[4])); - if(socket.read(buffer, buffer.size()) != buffer.size()) - throw Decoding_Error("Record_Reader: Record truncated"); + // If insufficient data, return without doing anything + if(have_in_queue < (sizeof(header) + record_len)) + return (sizeof(header) + record_len - have_in_queue); + + SecureVector<byte> buffer(record_len); + input_queue.read(header, sizeof(header)); // pull off the header + input_queue.read(buffer, buffer.size()); + + /* + * We are handshaking, no crypto to do so return as-is + * TODO: Check msg_type to confirm a handshake? + */ if(mac_size == 0) - return buffer; + { + msg_type = header[0]; + output = buffer; + return 0; // got a full record + } + + // Otherwise, decrypt, check MAC, return plaintext cipher.process_msg(buffer); SecureVector<byte> plaintext = cipher.read_all(Pipe::LAST_MESSAGE); u32bit pad_size = 0; - if(pad_amount) + + if(block_size) { byte pad_value = plaintext[plaintext.size()-1]; pad_size = pad_value + 1; + /* + * Check the padding; if it is wrong, then say we have 0 bytes of + * padding, which should ensure that the MAC check below does not + * suceed. This hides a timing channel. + * + * This particular countermeasure is recommended in the TLS 1.2 + * spec (RFC 5246) in section 6.2.3.2 + */ if(version == SSL_V3) { - if(pad_value > pad_amount) - throw TLS_Exception(BAD_RECORD_MAC, - "Record_Reader: Bad padding"); + if(pad_value > block_size) + pad_size = 0; } else { for(u32bit j = 0; j != pad_size; j++) if(plaintext[plaintext.size()-j-1] != pad_value) - throw TLS_Exception(BAD_RECORD_MAC, - "Record_Reader: Bad padding"); + pad_size = 0; } } - if(plaintext.size() < mac_size + pad_size) + if(plaintext.size() < mac_size + pad_size + iv_size) throw Decoding_Error("Record_Reader: Record truncated"); const u32bit mac_offset = plaintext.size() - (mac_size + pad_size); SecureVector<byte> recieved_mac(plaintext.begin() + mac_offset, mac_size); - const u16bit plain_length = plaintext.size() - (mac_size + pad_size); + const u16bit plain_length = plaintext.size() - (mac_size + pad_size + iv_size); mac.start_msg(); for(u32bit j = 0; j != 8; j++) mac.write(get_byte(j, seq_no)); - mac.write(msg_type); + mac.write(header[0]); // msg_type if(version != SSL_V3) for(u32bit j = 0; j != 2; j++) @@ -188,7 +204,7 @@ SecureVector<byte> Record_Reader::get_record(byte& msg_type) for(u32bit j = 0; j != 2; j++) mac.write(get_byte(j, plain_length)); - mac.write(plaintext, plain_length); + mac.write(&plaintext[iv_size], plain_length); mac.end_msg(); ++seq_no; @@ -198,7 +214,9 @@ SecureVector<byte> Record_Reader::get_record(byte& msg_type) if(recieved_mac != computed_mac) throw TLS_Exception(BAD_RECORD_MAC, "Record_Reader: MAC failure"); - return SecureVector<byte>(plaintext, mac_offset); + msg_type = header[0]; + output.set(&plaintext[iv_size], plain_length); + return 0; } } diff --git a/src/ssl/rec_wri.cpp b/src/ssl/rec_wri.cpp index 842b2698c..f8079c235 100644 --- a/src/ssl/rec_wri.cpp +++ b/src/ssl/rec_wri.cpp @@ -1,6 +1,6 @@ /** -* TLS Record Writing -* (C) 2004-2006 Jack Lloyd +* TLS Record Writing +* (C) 2004-2010 Jack Lloyd * * Released under the terms of the Botan license */ @@ -9,6 +9,7 @@ #include <botan/handshake_hash.h> #include <botan/lookup.h> #include <botan/loadstor.h> +#include <botan/libstate.h> namespace Botan { @@ -26,13 +27,17 @@ Record_Writer::Record_Writer(Socket& sock) : */ void Record_Writer::reset() { - compress.reset(); cipher.reset(); mac.reset(); + buffer.clear(); - do_compress = false; + buf_pos = 0; + major = minor = buf_type = 0; - pad_amount = mac_size = buf_pos = 0; + block_size = 0; + mac_size = 0; + iv_size = 0; + seq_no = 0; } @@ -41,7 +46,7 @@ void Record_Writer::reset() */ void Record_Writer::set_version(Version_Code version) { - if(version != SSL_V3 && version != TLS_V10) + if(version != SSL_V3 && version != TLS_V10 && version != TLS_V11) throw Invalid_Argument("Record_Writer: Invalid protocol version"); major = (version >> 8) & 0xFF; @@ -49,15 +54,6 @@ void Record_Writer::set_version(Version_Code version) } /** -* Set the compression algorithm -*/ -void Record_Writer::set_compressor(Filter* compressor) - { - throw TLS_Exception(INTERNAL_ERROR, "Compression not implemented (FIXME)"); - compress.append(compressor); - } - -/** * Set the keys for writing */ void Record_Writer::set_keys(const CipherSuite& suite, const SessionKeys& keys, @@ -91,12 +87,18 @@ void Record_Writer::set_keys(const CipherSuite& suite, const SessionKeys& keys, cipher_algo + "/CBC/NoPadding", cipher_key, iv, ENCRYPTION) ); - pad_amount = block_size_of(cipher_algo); + block_size = block_size_of(cipher_algo); + + if(major == 3 && minor >= 2) + iv_size = block_size; + else + iv_size = 0; } else if(have_stream_cipher(cipher_algo)) { cipher.append(get_cipher(cipher_algo, cipher_key, ENCRYPTION)); - pad_amount = 0; + block_size = 0; + iv_size = 0; } else throw Invalid_Argument("Record_Writer: Unknown cipher " + cipher_algo); @@ -203,15 +205,30 @@ void Record_Writer::send_record(byte type, const byte buf[], u32bit length) mac.write(buf, length); mac.end_msg(); + // TODO: This could all use a single buffer + SecureVector<byte> buf_mac = mac.read_all(Pipe::LAST_MESSAGE); cipher.start_msg(); + + if(iv_size) + { + RandomNumberGenerator& rng = global_state().global_rng(); + + SecureVector<byte> random_iv(iv_size); + + rng.randomize(&random_iv[0], random_iv.size()); + + cipher.write(random_iv); + } + cipher.write(buf, length); cipher.write(buf_mac); - if(pad_amount) + + if(block_size) { u32bit pad_val = - (pad_amount - (1 + length + buf_mac.size())) % pad_amount; + (block_size - (1 + length + buf_mac.size())) % block_size; for(u32bit j = 0; j != pad_val + 1; j++) cipher.write(pad_val); @@ -240,7 +257,6 @@ void Record_Writer::send_record(byte type, byte major, byte minor, for(u32bit j = 0; j != 2; j++) header[j+3] = get_byte<u16bit>(j, length); - // FIXME: tradoff of TCP/syscall overhead vs copy overhead socket.write(header, 5); socket.write(out, length); } diff --git a/src/ssl/s_kex.cpp b/src/ssl/s_kex.cpp index 3223adc5b..9b8a3171d 100644 --- a/src/ssl/s_kex.cpp +++ b/src/ssl/s_kex.cpp @@ -51,7 +51,7 @@ Server_Key_Exchange::Server_Key_Exchange(RandomNumberGenerator& rng, padding = "EMSA3(TLS.Digest.0)"; else if(priv_key->algo_name() == "DSA") { - padding == "EMSA1(SHA-1)"; + padding = "EMSA1(SHA-1)"; format = DER_SEQUENCE; } else diff --git a/src/ssl/socket.h b/src/ssl/socket.h index 3d893ea77..62ceed028 100644 --- a/src/ssl/socket.h +++ b/src/ssl/socket.h @@ -19,11 +19,8 @@ namespace Botan { class BOTAN_DLL Socket { public: - virtual u32bit read(byte[], u32bit) = 0; - virtual void write(const byte[], u32bit) = 0; - - u32bit read(byte& x) { return read(&x, 1); } - void write(byte x) { write(&x, 1); } + virtual size_t read(byte[], size_t) = 0; + virtual void write(const byte[], size_t) = 0; virtual std::string peer_id() const = 0; diff --git a/src/ssl/tls_client.cpp b/src/ssl/tls_client.cpp index ce33573f5..fbad1f838 100644 --- a/src/ssl/tls_client.cpp +++ b/src/ssl/tls_client.cpp @@ -1,6 +1,6 @@ /** -* TLS Client -* (C) 2004-2006 Jack Lloyd +* TLS Client +* (C) 2004-2010 Jack Lloyd * * Released under the terms of the Botan license */ @@ -83,7 +83,7 @@ void client_check_state(Handshake_Type new_msg, Handshake_State* state) */ TLS_Client::TLS_Client(RandomNumberGenerator& r, Socket& sock, const TLS_Policy* pol) : - rng(r), writer(sock), reader(sock), policy(pol ? pol : new TLS_Policy) + rng(r), peer(sock), writer(sock), policy(pol ? pol : new TLS_Policy) { peer_id = sock.peer_id(); @@ -96,7 +96,7 @@ TLS_Client::TLS_Client(RandomNumberGenerator& r, TLS_Client::TLS_Client(RandomNumberGenerator& r, Socket& sock, const X509_Certificate& cert, const Private_Key& key, const TLS_Policy* pol) : - rng(r), writer(sock), reader(sock), policy(pol ? pol : new TLS_Policy) + rng(r), peer(sock), writer(sock), policy(pol ? pol : new TLS_Policy) { peer_id = sock.peer_id(); @@ -243,8 +243,26 @@ void TLS_Client::close(Alert_Level level, Alert_Type alert_code) */ void TLS_Client::state_machine() { - byte rec_type; - SecureVector<byte> record = reader.get_record(rec_type); + byte rec_type = CONNECTION_CLOSED; + SecureVector<byte> record(1024); + + u32bit bytes_needed = reader.get_record(rec_type, record); + + while(bytes_needed) + { + u32bit to_get = std::min<u32bit>(record.size(), bytes_needed); + u32bit got = peer.read(&record[0], to_get); + + if(got == 0) + { + rec_type = CONNECTION_CLOSED; + break; + } + + reader.add_input(&record[0], got); + + bytes_needed = reader.get_record(rec_type, record); + } if(rec_type == CONNECTION_CLOSED) { @@ -562,7 +580,7 @@ void TLS_Client::do_handshake() if(active && !state) break; if(!active && !state) - throw TLS_Exception(HANDSHAKE_FAILURE, "TLS_Client: Handshake failed"); + throw TLS_Exception(HANDSHAKE_FAILURE, "TLS_Client: Handshake failed (do_handshake)"); state_machine(); } diff --git a/src/ssl/tls_client.h b/src/ssl/tls_client.h index 896decdf9..2439a58f0 100644 --- a/src/ssl/tls_client.h +++ b/src/ssl/tls_client.h @@ -60,6 +60,8 @@ class BOTAN_DLL TLS_Client : public TLS_Connection RandomNumberGenerator& rng; + Socket& peer; + Record_Writer writer; Record_Reader reader; const TLS_Policy* policy; diff --git a/src/ssl/tls_magic.h b/src/ssl/tls_magic.h index 41fb756e9..a6ca1f8d6 100644 --- a/src/ssl/tls_magic.h +++ b/src/ssl/tls_magic.h @@ -115,6 +115,17 @@ enum Compression_Algo { NO_COMPRESSION = 0x00 }; +enum TLS_Handshake_Extension_Type { + TLSEXT_SERVER_NAME_INDICATION = 0, + TLSEXT_MAX_FRAGMENT_LENGTH = 1, + TLSEXT_CLIENT_CERT_URL = 2, + TLSEXT_TRUSTED_CA_KEYS = 3, + TLSEXT_TRUNCATED_HMAC = 4, + + TLSEXT_CERTIFICATE_TYPES = 9, + TLSEXT_SESSION_TICKET = 35, +}; + } #endif diff --git a/src/ssl/tls_messages.h b/src/ssl/tls_messages.h index 4b512a963..1f72c05f7 100644 --- a/src/ssl/tls_messages.h +++ b/src/ssl/tls_messages.h @@ -49,6 +49,8 @@ class BOTAN_DLL Client_Hello : public HandshakeMessage SecureVector<byte> random() const { return c_random; } + std::string hostname() const { return requested_hostname; } + bool offered_suite(u16bit) const; Client_Hello(RandomNumberGenerator& rng, @@ -63,6 +65,7 @@ class BOTAN_DLL Client_Hello : public HandshakeMessage SecureVector<byte> sess_id, c_random; std::vector<u16bit> suites; std::vector<byte> comp_algos; + std::string requested_hostname; }; /** diff --git a/src/ssl/tls_policy.h b/src/ssl/tls_policy.h index 98297181c..75d6d7663 100644 --- a/src/ssl/tls_policy.h +++ b/src/ssl/tls_policy.h @@ -40,7 +40,7 @@ class BOTAN_DLL TLS_Policy virtual u32bit rsa_export_keysize() const { return 512; } virtual Version_Code min_version() const { return SSL_V3; } - virtual Version_Code pref_version() const { return TLS_V10; } + virtual Version_Code pref_version() const { return TLS_V11; } virtual bool check_cert(const std::vector<X509_Certificate>&, const std::string&) const; diff --git a/src/ssl/tls_reader.h b/src/ssl/tls_reader.h new file mode 100644 index 000000000..ff3e63ae8 --- /dev/null +++ b/src/ssl/tls_reader.h @@ -0,0 +1,140 @@ +/* +* TLS Data Reader +* (C) 2010 Jack Lloyd +* +* Released under the terms of the Botan license +*/ + +#ifndef BOTAN_TLS_READER_H__ +#define BOTAN_TLS_READER_H__ + +#include <botan/secmem.h> +#include <botan/loadstor.h> + +namespace Botan { + +class TLS_Data_Reader + { + public: + TLS_Data_Reader(const MemoryRegion<byte>& buf_in) : + buf(buf_in), offset(0) {} + + u32bit remaining_bytes() const + { + return buf.size() - offset; + } + + bool has_remaining() const + { + return (remaining_bytes() > 0); + } + + void discard_next(u32bit bytes) + { + assert_at_least(bytes); + offset += bytes; + } + + u16bit get_u16bit() + { + assert_at_least(2); + u16bit result = make_u16bit(buf[offset], buf[offset+1]); + offset += 2; + return result; + } + + byte get_byte() + { + assert_at_least(1); + byte result = buf[offset]; + offset += 1; + return result; + } + + template<typename T, typename Container> + Container get_elem(u32bit num_elems) + { + assert_at_least(num_elems * sizeof(T)); + + Container result(num_elems); + + for(u32bit i = 0; i != num_elems; ++i) + result[i] = load_be<T>(&buf[offset], i); + + offset += num_elems * sizeof(T); + + return result; + } + + template<typename T> + SecureVector<T> get_range(u32bit len_bytes, + u32bit min_elems, + u32bit max_elems) + { + const u32bit num_elems = + get_num_elems(len_bytes, sizeof(T), min_elems, max_elems); + + return get_elem<T, SecureVector<T> >(num_elems); + } + + template<typename T> + std::vector<T> get_range_vector(u32bit len_bytes, + u32bit min_elems, + u32bit max_elems) + { + const u32bit num_elems = + get_num_elems(len_bytes, sizeof(T), min_elems, max_elems); + + return get_elem<T, std::vector<T> >(num_elems); + } + + template<typename T> + SecureVector<T> get_fixed(u32bit size) + { + return get_elem<T, SecureVector<T> >(size); + } + + private: + u32bit get_length_field(u32bit len_bytes) + { + assert_at_least(len_bytes); + + if(len_bytes == 1) + return get_byte(); + else if(len_bytes == 2) + return get_u16bit(); + + throw Decoding_Error("TLS_Data_Reader: Bad length size"); + } + + u32bit get_num_elems(u32bit len_bytes, + u32bit T_size, + u32bit min_elems, + u32bit max_elems) + { + const u32bit byte_length = get_length_field(len_bytes); + + if(byte_length % T_size != 0) + throw Decoding_Error("TLS_Data_Reader: Size isn't multiple of T"); + + const u32bit num_elems = byte_length / T_size; + + if(num_elems < min_elems || num_elems > max_elems) + throw Decoding_Error("TLS_Data_Reader: Range outside paramaters"); + + return num_elems; + } + + void assert_at_least(u32bit n) const + { + if(buf.size() - offset < n) + throw Decoding_Error("TLS_Data_Reader: Corrupt packet"); + } + + const MemoryRegion<byte>& buf; + u32bit offset; + }; + +} + +#endif diff --git a/src/ssl/tls_record.h b/src/ssl/tls_record.h index 3bec2e8ef..2058933d0 100644 --- a/src/ssl/tls_record.h +++ b/src/ssl/tls_record.h @@ -1,6 +1,6 @@ /** -* TLS Record Handling -* (C) 2004-2006 Jack Lloyd +* TLS Record Handling +* (C) 2004-2010 Jack Lloyd * * Released under the terms of the Botan license */ @@ -12,6 +12,7 @@ #include <botan/socket.h> #include <botan/tls_suites.h> #include <botan/pipe.h> +#include <botan/secqueue.h> #include <vector> namespace Botan { @@ -29,24 +30,26 @@ class BOTAN_DLL Record_Writer void alert(Alert_Level, Alert_Type); void set_keys(const CipherSuite&, const SessionKeys&, Connection_Side); - void set_compressor(Filter*); void set_version(Version_Code); void reset(); - Record_Writer(Socket&); + Record_Writer(Socket& socket); + private: void send_record(byte, const byte[], u32bit); void send_record(byte, byte, byte, const byte[], u32bit); Socket& socket; - Pipe compress, cipher, mac; + Pipe cipher, mac; SecureVector<byte> buffer; - u32bit pad_amount, mac_size, buf_pos; + u32bit buf_pos; + + u32bit block_size, mac_size, iv_size; + u64bit seq_no; byte major, minor, buf_type; - bool do_compress; }; /** @@ -55,23 +58,34 @@ class BOTAN_DLL Record_Writer class BOTAN_DLL Record_Reader { public: - SecureVector<byte> get_record(byte&); + void add_input(const byte input[], u32bit input_size); - void set_keys(const CipherSuite&, const SessionKeys&, Connection_Side); - void set_compressor(Filter*); + /** + * @param msg_type (output variable) + * @param buffer (output variable) + * @return Number of bytes still needed (minimum), or 0 if success + */ + u32bit get_record(byte& msg_type, + MemoryRegion<byte>& buffer); - void set_version(Version_Code); + SecureVector<byte> get_record(byte& msg_type); + + void set_keys(const CipherSuite& suite, + const SessionKeys& keys, + Connection_Side side); + + void set_version(Version_Code version); void reset(); - Record_Reader(Socket&); + Record_Reader() { reset(); } private: - Socket& socket; - Pipe compress, cipher, mac; - u32bit pad_amount, mac_size; + SecureQueue input_queue; + + Pipe cipher, mac; + u32bit block_size, mac_size, iv_size; u64bit seq_no; byte major, minor; - bool do_compress; }; } diff --git a/src/ssl/tls_server.cpp b/src/ssl/tls_server.cpp index 37d9dbcd1..47902a71c 100644 --- a/src/ssl/tls_server.cpp +++ b/src/ssl/tls_server.cpp @@ -25,9 +25,9 @@ Version_Code choose_version(Version_Code client, Version_Code minimum) throw TLS_Exception(PROTOCOL_VERSION, "Client version is unacceptable by policy"); - if(client == SSL_V3 || client == TLS_V10) + if(client == SSL_V3 || client == TLS_V10 || client == TLS_V11) return client; - return TLS_V10; + return TLS_V11; } // FIXME: checks are wrong for session reuse (add a flag for that) @@ -88,7 +88,8 @@ void server_check_state(Handshake_Type new_msg, Handshake_State* state) TLS_Server::TLS_Server(RandomNumberGenerator& r, Socket& sock, const X509_Certificate& cert, const Private_Key& key, const TLS_Policy* pol) : - rng(r), writer(sock), reader(sock), policy(pol ? pol : new TLS_Policy) + rng(r), peer(sock), + writer(sock), policy(pol ? pol : new TLS_Policy) { peer_id = sock.peer_id(); @@ -112,7 +113,8 @@ TLS_Server::TLS_Server(RandomNumberGenerator& r, } writer.alert(FATAL, HANDSHAKE_FAILURE); - throw Stream_IO_Error("TLS_Server: Handshake failed"); + throw Stream_IO_Error(std::string("TLS_Server: Handshake failed: ") + + e.what()); } } @@ -207,8 +209,26 @@ void TLS_Server::close(Alert_Level level, Alert_Type alert_code) */ void TLS_Server::state_machine() { - byte rec_type; - SecureVector<byte> record = reader.get_record(rec_type); + byte rec_type = CONNECTION_CLOSED; + SecureVector<byte> record(1024); + + u32bit bytes_needed = reader.get_record(rec_type, record); + + while(bytes_needed) + { + u32bit to_get = std::min<u32bit>(record.size(), bytes_needed); + u32bit got = peer.read(&record[0], to_get); + + if(got == 0) + { + rec_type = CONNECTION_CLOSED; + break; + } + + reader.add_input(&record[0], got); + + bytes_needed = reader.get_record(rec_type, record); + } if(rec_type == CONNECTION_CLOSED) { @@ -250,7 +270,11 @@ void TLS_Server::read_handshake(byte rec_type, const MemoryRegion<byte>& rec_buf) { if(rec_type == HANDSHAKE) + { + if(!state) + state = new Handshake_State; state->queue.write(rec_buf, rec_buf.size()); + } while(true) { @@ -301,14 +325,6 @@ void TLS_Server::read_handshake(byte rec_type, void TLS_Server::process_handshake_msg(Handshake_Type type, const MemoryRegion<byte>& contents) { - if(type == CLIENT_HELLO) - { - if(state == 0) - state = new Handshake_State(); - else - return; - } - if(state == 0) throw Unexpected_Message("Unexpected handshake message"); @@ -327,6 +343,8 @@ void TLS_Server::process_handshake_msg(Handshake_Type type, state->client_hello = new Client_Hello(contents); + client_requested_hostname = state->client_hello->hostname(); + state->version = choose_version(state->client_hello->version(), policy->min_version()); diff --git a/src/ssl/tls_server.h b/src/ssl/tls_server.h index 683c3413a..5cf830a64 100644 --- a/src/ssl/tls_server.h +++ b/src/ssl/tls_server.h @@ -26,6 +26,9 @@ class BOTAN_DLL TLS_Server : public TLS_Connection std::vector<X509_Certificate> peer_cert_chain() const; + std::string requested_hostname() const + { return client_requested_hostname; } + void close(); bool is_closed() const; @@ -49,6 +52,8 @@ class BOTAN_DLL TLS_Server : public TLS_Connection RandomNumberGenerator& rng; + Socket& peer; + Record_Writer writer; Record_Reader reader; const TLS_Policy* policy; @@ -61,6 +66,7 @@ class BOTAN_DLL TLS_Server : public TLS_Connection SecureVector<byte> session_id; SecureQueue read_buf; std::string peer_id; + std::string client_requested_hostname; bool active; }; diff --git a/src/ssl/tls_session_key.cpp b/src/ssl/tls_session_key.cpp index 83c06ba07..13575adac 100644 --- a/src/ssl/tls_session_key.cpp +++ b/src/ssl/tls_session_key.cpp @@ -131,7 +131,7 @@ SessionKeys::SessionKeys(const CipherSuite& suite, Version_Code version, const MemoryRegion<byte>& c_random, const MemoryRegion<byte>& s_random) { - if(version != SSL_V3 && version != TLS_V10) + if(version != SSL_V3 && version != TLS_V10 && version != TLS_V11) throw Invalid_Argument("SessionKeys: Unknown version code"); const u32bit mac_keylen = output_length_of(suite.mac_algo()); diff --git a/src/ssl/unix_socket/unx_sock.cpp b/src/ssl/unix_socket/unx_sock.cpp index 0552a33b6..f9d9629fb 100644 --- a/src/ssl/unix_socket/unx_sock.cpp +++ b/src/ssl/unix_socket/unx_sock.cpp @@ -64,12 +64,12 @@ Unix_Socket::Unix_Socket(int fd, const std::string& peer_id) /** * Read from a Unix socket */ -u32bit Unix_Socket::read(byte buf[], u32bit length) +size_t Unix_Socket::read(byte buf[], size_t length) { if(sockfd == -1) throw Stream_IO_Error("Unix_Socket::read: Socket not connected"); - u32bit got = 0; + size_t got = 0; while(length) { @@ -95,12 +95,12 @@ u32bit Unix_Socket::read(byte buf[], u32bit length) /** * Write to a Unix socket */ -void Unix_Socket::write(const byte buf[], u32bit length) +void Unix_Socket::write(const byte buf[], size_t length) { if(sockfd == -1) throw Stream_IO_Error("Unix_Socket::write: Socket not connected"); - u32bit offset = 0; + size_t offset = 0; while(length) { ssize_t sent = ::send(sockfd, buf + offset, length, MSG_NOSIGNAL); diff --git a/src/ssl/unix_socket/unx_sock.h b/src/ssl/unix_socket/unx_sock.h index c1ff53ae3..58c7ada69 100644 --- a/src/ssl/unix_socket/unx_sock.h +++ b/src/ssl/unix_socket/unx_sock.h @@ -28,8 +28,8 @@ namespace Botan { class BOTAN_DLL Unix_Socket : public Socket { public: - u32bit read(byte[], u32bit); - void write(const byte[], u32bit); + size_t read(byte[], size_t); + void write(const byte[], size_t); std::string peer_id() const; |