tls: can download kernels now :)

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
This commit is contained in:
Denys Vlasenko 2017-01-24 18:08:07 +01:00
parent 1500b3a50d
commit 89193f985b
2 changed files with 122 additions and 54 deletions

View File

@ -721,7 +721,7 @@ typedef struct tls_state {
int ofd;
int ifd;
int min_encrypted_len_on_read;
unsigned min_encrypted_len_on_read;
uint16_t cipher_id;
uint8_t encrypt_on_write;
unsigned MAC_size;

View File

@ -53,15 +53,14 @@
// ok: openssl s_client -connect cdn.kernel.org:443 -debug -tls1_2 -no_tls1 -no_tls1_1 -cipher AES128-SHA
// (TLS_RSA_WITH_AES_128_CBC_SHA - in TLS 1.2 it's mandated to be always supported)
#define CIPHER_ID1 TLS_RSA_WITH_AES_256_CBC_SHA256 // no SERVER_KEY_EXCHANGE from peer
// Does not work yet:
//#define CIPHER_ID2 TLS_RSA_WITH_AES_128_CBC_SHA
#define CIPHER_ID2 0
// Works with "wget https://cdn.kernel.org/pub/linux/kernel/v4.x/linux-4.9.5.tar.xz"
#define CIPHER_ID2 TLS_RSA_WITH_AES_128_CBC_SHA
#define TLS_DEBUG 1
#define TLS_DEBUG_HASH 1
#define TLS_DEBUG_DER 1
#define TLS_DEBUG_FIXED_SECRETS 1
#define TLS_DEBUG 0
#define TLS_DEBUG_HASH 0
#define TLS_DEBUG_DER 0
#define TLS_DEBUG_FIXED_SECRETS 0
#if 0
# define dump_raw_out(...) dump_hex(__VA_ARGS__)
#else
@ -340,51 +339,48 @@ static void hash_handshake(tls_state_t *tls, const char *fmt, const void *buffer
// if we often need HMAC hmac with the same key.
//
// text is often given in disjoint pieces.
static unsigned hmac_sha_precomputed_v(uint8_t *out,
md5sha_ctx_t *hashed_key_xor_ipad,
md5sha_ctx_t *hashed_key_xor_opad,
typedef struct hmac_precomputed {
md5sha_ctx_t hashed_key_xor_ipad;
md5sha_ctx_t hashed_key_xor_opad;
} hmac_precomputed_t;
static unsigned hmac_sha_precomputed_v(
hmac_precomputed_t *pre,
uint8_t *out,
va_list va)
{
uint8_t *text;
unsigned len;
/* hashed_key_xor_ipad contains unclosed "H((key XOR ipad) +" state */
/* hashed_key_xor_opad contains unclosed "H((key XOR opad) +" state */
/* pre->hashed_key_xor_ipad contains unclosed "H((key XOR ipad) +" state */
/* pre->hashed_key_xor_opad contains unclosed "H((key XOR opad) +" state */
/* calculate out = H((key XOR ipad) + text) */
while ((text = va_arg(va, uint8_t*)) != NULL) {
unsigned text_size = va_arg(va, unsigned);
md5sha_hash(hashed_key_xor_ipad, text, text_size);
md5sha_hash(&pre->hashed_key_xor_ipad, text, text_size);
}
len = sha_end(hashed_key_xor_ipad, out);
len = sha_end(&pre->hashed_key_xor_ipad, out);
/* out = H((key XOR opad) + out) */
md5sha_hash(hashed_key_xor_opad, out, len);
return sha_end(hashed_key_xor_opad, out);
md5sha_hash(&pre->hashed_key_xor_opad, out, len);
return sha_end(&pre->hashed_key_xor_opad, out);
}
static unsigned hmac(tls_state_t *tls, uint8_t *out, uint8_t *key, unsigned key_size, ...)
static void hmac_sha256_begin(hmac_precomputed_t *pre, uint8_t *key, unsigned key_size)
{
md5sha_ctx_t hashed_key_xor_ipad;
md5sha_ctx_t hashed_key_xor_opad;
uint8_t key_xor_ipad[SHA_INSIZE];
uint8_t key_xor_opad[SHA_INSIZE];
uint8_t tempkey[SHA256_OUTSIZE];
va_list va;
unsigned i;
va_start(va, key_size);
// "The authentication key can be of any length up to INSIZE, the
// block length of the hash function. Applications that use keys longer
// than INSIZE bytes will first hash the key using H and then use the
// resultant OUTSIZE byte string as the actual key to HMAC."
if (key_size > SHA_INSIZE) {
md5sha_ctx_t ctx;
if (tls->MAC_size == SHA256_OUTSIZE)
sha256_begin(&ctx);
else
sha1_begin(&ctx);
sha256_begin(&ctx);
md5sha_hash(&ctx, key, key_size);
key_size = sha_end(&ctx, tempkey);
}
@ -398,19 +394,77 @@ static unsigned hmac(tls_state_t *tls, uint8_t *out, uint8_t *key, unsigned key_
key_xor_opad[i] = 0x5c;
}
if (tls->MAC_size == SHA256_OUTSIZE) {
sha256_begin(&hashed_key_xor_ipad);
sha256_begin(&hashed_key_xor_opad);
} else {
sha1_begin(&hashed_key_xor_ipad);
sha1_begin(&hashed_key_xor_opad);
}
md5sha_hash(&hashed_key_xor_ipad, key_xor_ipad, SHA_INSIZE);
md5sha_hash(&hashed_key_xor_opad, key_xor_opad, SHA_INSIZE);
sha256_begin(&pre->hashed_key_xor_ipad);
sha256_begin(&pre->hashed_key_xor_opad);
md5sha_hash(&pre->hashed_key_xor_ipad, key_xor_ipad, SHA_INSIZE);
md5sha_hash(&pre->hashed_key_xor_opad, key_xor_opad, SHA_INSIZE);
}
// TODO: ^^^ vvv merge?
static void hmac_sha1_begin(hmac_precomputed_t *pre, uint8_t *key, unsigned key_size)
{
uint8_t key_xor_ipad[SHA_INSIZE];
uint8_t key_xor_opad[SHA_INSIZE];
uint8_t tempkey[SHA1_OUTSIZE];
unsigned i;
// "The authentication key can be of any length up to INSIZE, the
// block length of the hash function. Applications that use keys longer
// than INSIZE bytes will first hash the key using H and then use the
// resultant OUTSIZE byte string as the actual key to HMAC."
if (key_size > SHA_INSIZE) {
md5sha_ctx_t ctx;
sha1_begin(&ctx);
md5sha_hash(&ctx, key, key_size);
key_size = sha_end(&ctx, tempkey);
}
for (i = 0; i < key_size; i++) {
key_xor_ipad[i] = key[i] ^ 0x36;
key_xor_opad[i] = key[i] ^ 0x5c;
}
for (; i < SHA_INSIZE; i++) {
key_xor_ipad[i] = 0x36;
key_xor_opad[i] = 0x5c;
}
sha1_begin(&pre->hashed_key_xor_ipad);
sha1_begin(&pre->hashed_key_xor_opad);
md5sha_hash(&pre->hashed_key_xor_ipad, key_xor_ipad, SHA_INSIZE);
md5sha_hash(&pre->hashed_key_xor_opad, key_xor_opad, SHA_INSIZE);
}
static unsigned hmac(tls_state_t *tls, uint8_t *out, uint8_t *key, unsigned key_size, ...)
{
hmac_precomputed_t pre;
va_list va;
unsigned len;
va_start(va, key_size);
if (tls->MAC_size == SHA256_OUTSIZE)
hmac_sha256_begin(&pre, key, key_size);
else
hmac_sha1_begin(&pre, key, key_size);
len = hmac_sha_precomputed_v(&pre, out, va);
i = hmac_sha_precomputed_v(out, &hashed_key_xor_ipad, &hashed_key_xor_opad, va);
va_end(va);
return i;
return len;
}
static unsigned hmac_sha256(/*tls_state_t *tls,*/ uint8_t *out, uint8_t *key, unsigned key_size, ...)
{
hmac_precomputed_t pre;
va_list va;
unsigned len;
va_start(va, key_size);
hmac_sha256_begin(&pre, key, key_size);
len = hmac_sha_precomputed_v(&pre, out, va);
va_end(va);
return len;
}
// RFC 5246:
@ -420,6 +474,9 @@ static unsigned hmac(tls_state_t *tls, uint8_t *out, uint8_t *key, unsigned key_
// SHA-256 hash function is used for all cipher suites defined in this
// document and in TLS documents published prior to this document when
// TLS 1.2 is negotiated.
// ^^^^^^^^^^^^^ IMPORTANT!
// PRF uses sha256 regardless of cipher (at least for all ciphers
// defined by RFC5246). It's not sha1 for AES_128_CBC_SHA!
//...
// P_hash(secret, seed) = HMAC_hash(secret, A(1) + seed) +
// HMAC_hash(secret, A(2) + seed) +
@ -441,7 +498,7 @@ static unsigned hmac(tls_state_t *tls, uint8_t *out, uint8_t *key, unsigned key_
// PRF(secret, label, seed) = P_<hash>(secret, label + seed)
//
// The label is an ASCII string.
static void prf_hmac(tls_state_t *tls,
static void prf_hmac_sha256(/*tls_state_t *tls,*/
uint8_t *outbuf, unsigned outbuf_size,
uint8_t *secret, unsigned secret_size,
const char *label,
@ -450,7 +507,7 @@ static void prf_hmac(tls_state_t *tls,
uint8_t a[TLS_MAX_MAC_SIZE];
uint8_t *out_p = outbuf;
unsigned label_size = strlen(label);
unsigned MAC_size = tls->MAC_size;
unsigned MAC_size = SHA256_OUTSIZE;///tls->MAC_size;
/* In P_hash() calculation, "seed" is "label + seed": */
#define SEED label, label_size, seed, seed_size
@ -458,7 +515,7 @@ static void prf_hmac(tls_state_t *tls,
#define A a, MAC_size
/* A(1) = HMAC_hash(secret, seed) */
hmac(tls, a, SECRET, SEED, NULL);
hmac_sha256(/*tls,*/ a, SECRET, SEED, NULL);
//TODO: convert hmac to precomputed
for(;;) {
@ -466,16 +523,16 @@ static void prf_hmac(tls_state_t *tls,
if (outbuf_size <= MAC_size) {
/* Last, possibly incomplete, block */
/* (use a[] as temp buffer) */
hmac(tls, a, SECRET, A, SEED, NULL);
hmac_sha256(/*tls,*/ a, SECRET, A, SEED, NULL);
memcpy(out_p, a, outbuf_size);
return;
}
/* Not last block. Store directly to result buffer */
hmac(tls, out_p, SECRET, A, SEED, NULL);
hmac_sha256(/*tls,*/ out_p, SECRET, A, SEED, NULL);
out_p += MAC_size;
outbuf_size -= MAC_size;
/* A(2) = HMAC_hash(secret, A(1)) */
hmac(tls, a, SECRET, A, NULL);
hmac_sha256(/*tls,*/ a, SECRET, A, NULL);
}
#undef A
#undef SECRET
@ -823,9 +880,10 @@ static int tls_xread_record(tls_state_t *tls)
int padding_len;
if (sz & (AES_BLOCKSIZE-1)
|| sz < tls->min_encrypted_len_on_read
|| sz < (int)tls->min_encrypted_len_on_read
) {
bb_error_msg_and_die("bad encrypted len:%u", sz);
bb_error_msg_and_die("bad encrypted len:%u < %u",
sz, tls->min_encrypted_len_on_read);
}
/* Decrypt content+MAC+padding, moving it over IV in the process */
psAesInit(&ctx, p, /* IV */
@ -1301,13 +1359,17 @@ static void get_server_hello(tls_state_t *tls)
if (cipher == TLS_RSA_WITH_AES_128_CBC_SHA) {
tls->key_size = AES128_KEYSIZE;
tls->MAC_size = SHA1_OUTSIZE;
sha1_begin(&tls->hsd->handshake_hash_ctx);
}
else { /* TLS_RSA_WITH_AES_256_CBC_SHA256 */
tls->key_size = AES256_KEYSIZE;
tls->MAC_size = SHA256_OUTSIZE;
sha256_begin(&tls->hsd->handshake_hash_ctx);
}
/* Handshake hash eventually destined to FINISHED record
* is sha256 regardless of cipher
* (at least for all ciphers defined by RFC5246).
* It's not sha1 for AES_128_CBC_SHA - only MAC is sha1, not this hash.
*/
sha256_begin(&tls->hsd->handshake_hash_ctx);
hash_handshake(tls, ">> client hello hash:%s",
tls->hsd->saved_client_hello, tls->hsd->saved_client_hello_size
);
@ -1389,6 +1451,7 @@ static void send_client_key_exchange(tls_state_t *tls)
// version negotiated for the connection."
rsa_premaster[0] = TLS_MAJ;
rsa_premaster[1] = TLS_MIN;
dump_hex("premaster:%s\n", rsa_premaster, sizeof(rsa_premaster));
len = psRsaEncryptPub(/*pool:*/ NULL,
/* psRsaKey_t* */ &tls->hsd->server_rsa_pub_key,
rsa_premaster, /*inlen:*/ sizeof(rsa_premaster),
@ -1417,7 +1480,7 @@ static void send_client_key_exchange(tls_state_t *tls)
// [0..47];
// The master secret is always exactly 48 bytes in length. The length
// of the premaster secret will vary depending on key exchange method.
prf_hmac(tls,
prf_hmac_sha256(/*tls,*/
tls->hsd->master_secret, sizeof(tls->hsd->master_secret),
rsa_premaster, sizeof(rsa_premaster),
"master secret",
@ -1465,7 +1528,7 @@ static void send_client_key_exchange(tls_state_t *tls)
memcpy(&tmp64[0] , &tls->hsd->client_and_server_rand32[32], 32);
memcpy(&tmp64[32], &tls->hsd->client_and_server_rand32[0] , 32);
prf_hmac(tls,
prf_hmac_sha256(/*tls,*/
tls->client_write_MAC_key, 2 * (tls->MAC_size + tls->key_size),
// also fills:
// server_write_MAC_key[]
@ -1548,7 +1611,7 @@ static void send_client_finished(tls_state_t *tls)
fill_handshake_record_hdr(record, HANDSHAKE_FINISHED, sizeof(*record));
len = get_handshake_hash(tls, handshake_hash);
prf_hmac(tls,
prf_hmac_sha256(/*tls,*/
record->prf_result, sizeof(record->prf_result),
tls->hsd->master_secret, sizeof(tls->hsd->master_secret),
"client finished",
@ -1645,9 +1708,14 @@ void FAST_FUNC tls_handshake(tls_state_t *tls, const char *sni)
dbg("<< CHANGE_CIPHER_SPEC\n");
if (tls->cipher_id == TLS_RSA_WITH_NULL_SHA256)
tls->min_encrypted_len_on_read = tls->MAC_size;
else
/* all incoming packets now should be encrypted and have IV + MAC + padding */
tls->min_encrypted_len_on_read = AES_BLOCKSIZE + tls->MAC_size + AES_BLOCKSIZE;
else {
unsigned mac_blocks = (unsigned)(tls->MAC_size + AES_BLOCKSIZE-1) / AES_BLOCKSIZE;
/* all incoming packets now should be encrypted and have
* at least IV + (MAC padded to blocksize):
*/
tls->min_encrypted_len_on_read = AES_BLOCKSIZE + (mac_blocks * AES_BLOCKSIZE);
dbg("min_encrypted_len_on_read: %u", tls->min_encrypted_len_on_read);
}
/* Get (encrypted) FINISHED from the server */
len = tls_xread_record(tls);