crypto.c 17 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681
  1. #include <openssl/evp.h>
  2. #include <openssl/dh.h>
  3. #include <openssl/bn.h>
  4. #include <openssl/err.h>
  5. #include <openssl/rand.h>
  6. #include <openssl/ssl.h>
  7. #include "rserv.h"
  8. #include "crypto.h"
  9. #include "flow.h"
  10. #include "slitheen.h"
  11. /** Updates the hash of all TLS handshake messages upon the
  12. * receipt of a new message. This hash is eventually used
  13. * to verify the TLS Finished message
  14. *
  15. * Inputs:
  16. * f: the tagged flow
  17. * hs: A pointer to the start of the handshake message
  18. *
  19. * Output:
  20. * 0 on success, 1 on failure
  21. */
  22. int update_finish_hash(flow *f, uint8_t *hs){
  23. //find handshake length
  24. const struct handshake_header *hs_hdr;
  25. uint8_t *p = hs;
  26. hs_hdr = (struct handshake_header*) p;
  27. uint32_t hs_len = HANDSHAKE_MESSAGE_LEN(hs_hdr);
  28. EVP_DigestUpdate(f->finish_md_ctx, hs, hs_len+4);
  29. return 0;
  30. }
  31. /** Extracts the server parameters from the server key
  32. * exchange message
  33. *
  34. * Inputs:
  35. * f: the tagged flow
  36. * hs: the beginning of the server key exchange
  37. * handshake message
  38. *
  39. * Output:
  40. * 0 on success, 1 on failure
  41. */
  42. int extract_parameters(flow *f, uint8_t *hs){
  43. DH *dh;
  44. uint8_t *p;
  45. long i;
  46. p = hs + HANDSHAKE_HEADER_LEN;
  47. if((dh = DH_new()) == NULL){
  48. return 1;
  49. }
  50. /* Extract prime modulus */
  51. n2s(p,i);
  52. if(!(dh->p = BN_bin2bn(p,i,NULL))){
  53. return 1;
  54. }
  55. p += i;
  56. /* Extract generator */
  57. n2s(p,i);
  58. if(!(dh->g = BN_bin2bn(p,i,NULL))){
  59. return 1;
  60. }
  61. p += i;
  62. /* Extract server public value */
  63. n2s(p,i);
  64. if(!(dh->pub_key = BN_bin2bn(p,i,NULL))){
  65. return 1;
  66. }
  67. f->dh = dh;
  68. return 0;
  69. }
  70. /** MAC a message
  71. * TODO: look at tls1_mac in t1_enc.c
  72. * For now, only goes one way (macs message to be written)
  73. *
  74. int32_t mac(flow *f, uint8_t *input, uint8_t *output, int32_t len, int32_t incoming, int32_t type, int32_t enc){
  75. uint8_t header[13];
  76. int32_t md_size;
  77. header[8] = type;
  78. header[9] = 0x03;//TODO: update for different versions
  79. header[10] = 0x03;
  80. header[11] = (len) >> 8;
  81. header[12] = (len) & 0xff;
  82. EVP_DigestSignUpdate(f->read_mac_ctx, header, sizeof(header));
  83. EVP_DigestSignUpdate(f->read_mac_ctx, input, len);
  84. EVP_DigestSignFinal(f->read_mac_ctx, output, &md_size);
  85. return md_size;
  86. }*/
  87. /* Encrypt/Decrypt a TLS record
  88. *
  89. * Inputs:
  90. * f: the tagged flow
  91. * input: a pointer to the data that is to be encrypted/
  92. * decrypted
  93. * output: a pointer to where the data should be written
  94. * after it is encrypted or decrypted
  95. * len: the length of the data
  96. * incoming: the direction of the record
  97. * type: the type of the TLS record
  98. * enc: 1 for encryption, 0 for decryption
  99. *
  100. * Output:
  101. * length of the output data
  102. */
  103. int encrypt(flow *f, uint8_t *input, uint8_t *output, int32_t len, int32_t incoming, int32_t type, int32_t enc){
  104. uint8_t *p = input;
  105. EVP_CIPHER_CTX *ds = (incoming) ? ((enc) ? f->srvr_write_ctx : f->clnt_read_ctx) : ((enc) ? f->clnt_write_ctx : f->srvr_read_ctx) ;
  106. if(ds == NULL){
  107. printf("FAIL\n");
  108. return 1;
  109. }
  110. //TODO: wrap my mind around this, might need 2 more
  111. uint8_t *seq;
  112. seq = (incoming) ? f->read_seq : f->write_seq;
  113. if(f->application && (ds->iv[EVP_GCM_TLS_FIXED_IV_LEN] == 0)){
  114. //fill in rest of iv
  115. for(int i = EVP_GCM_TLS_FIXED_IV_LEN; i< ds->cipher->iv_len; i++){
  116. ds->iv[i] = p[i- EVP_GCM_TLS_FIXED_IV_LEN];
  117. }
  118. }
  119. #ifdef DEBUG
  120. printf("\t\tiv: ");
  121. for(int i=0; i<ds->cipher->iv_len; i++){
  122. printf("%02X ", ds->iv[i]);
  123. }
  124. printf("\n");
  125. #endif
  126. uint8_t buf[13];
  127. memcpy(buf, seq, 8);
  128. for(int i=7; i>=0; i--){
  129. ++seq[i];
  130. if(seq[i] != 0)
  131. break;
  132. }
  133. buf[8] = type;
  134. buf[9] = 0x03;
  135. buf[10] = 0x03;
  136. buf[11] = len >> 8; //len >> 8;
  137. buf[12] = len & 0xff;//len *0xff;
  138. int32_t pad = EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_AEAD_TLS1_AAD,
  139. 13, buf); // = int32_t pad?
  140. if(enc)
  141. len += pad;
  142. int32_t n = EVP_Cipher(ds, p, p, len); //decrypt in place
  143. if(n<0) return 0;
  144. if(!enc)
  145. p[EVP_GCM_TLS_EXPLICIT_IV_LEN+n] = '\0';
  146. return n;
  147. }
  148. /** Verifies the hash in a TLS finished message
  149. *
  150. * Inputs:
  151. * f: the tagged flow
  152. * p: a pointer to the TLS Finished handshake message
  153. * incoming: the direction of the flow
  154. *
  155. * Output:
  156. * 0 on success, 1 on failure
  157. */
  158. int verify_finish_hash(flow *f, uint8_t *p, int32_t incoming){
  159. EVP_MD_CTX ctx;
  160. uint8_t hash[EVP_MAX_MD_SIZE];
  161. uint32_t hash_len;
  162. EVP_MD_CTX_init(&ctx);
  163. //get header length
  164. struct handshake_header *hs_hdr;
  165. hs_hdr = (struct handshake_header*) p;
  166. uint32_t fin_length = HANDSHAKE_MESSAGE_LEN(hs_hdr);
  167. p += HANDSHAKE_HEADER_LEN;
  168. //finalize hash of handshake msgs
  169. EVP_MD_CTX_copy_ex(&ctx, f->finish_md_ctx);
  170. EVP_DigestFinal_ex(&ctx, hash, &hash_len);
  171. //now use pseudorandom function
  172. uint8_t *output = calloc(1, fin_length);
  173. if(incoming){
  174. PRF(f->master_secret, SSL3_MASTER_SECRET_SIZE, (uint8_t *) TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE , hash, hash_len, NULL, 0, NULL, 0, output, fin_length);
  175. } else {
  176. PRF(f->master_secret, SSL3_MASTER_SECRET_SIZE, (uint8_t *) TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE , hash, hash_len, NULL, 0, NULL, 0, output, fin_length);
  177. }
  178. //now compare
  179. if(CRYPTO_memcmp(p, output, fin_length) != 0){
  180. // printf("VERIFY FAILED\n");
  181. return 1;
  182. } else {
  183. printf("VERIFY PASSED\n");
  184. }
  185. return 0;
  186. }
  187. /** Computes the TLS master secret from the decoy server's
  188. * public key parameters and the leaked secret from the
  189. * extracted Slitheen tag
  190. *
  191. * Input:
  192. * f: the tagged flow
  193. *
  194. * Output:
  195. * 0 on success, 1 on failure
  196. */
  197. int compute_master_secret(flow *f){
  198. DH *dh_srvr = NULL;
  199. DH *dh_clnt = NULL;
  200. BN_CTX *ctx;
  201. BN_MONT_CTX *mont = NULL;
  202. BIGNUM *pub_key = NULL, *priv_key = NULL;
  203. ctx = BN_CTX_new();
  204. dh_srvr = f->dh;
  205. dh_clnt = DHparams_dup(dh_srvr);
  206. uint32_t l = dh_clnt->length ? dh_clnt->length : BN_num_bits(dh_clnt->p) - 1;
  207. int32_t bytes = (l+7) / 8;
  208. uint8_t *buf = (uint8_t *)OPENSSL_malloc(bytes);
  209. if (buf == NULL){
  210. BNerr(BN_F_BNRAND, ERR_R_MALLOC_FAILURE);
  211. return 1;
  212. }
  213. pub_key = BN_new();
  214. priv_key = BN_new();
  215. PRF(f->key, 16,
  216. (uint8_t *) SLITHEEN_KEYGEN_CONST, SLITHEEN_KEYGEN_CONST_SIZE,
  217. NULL, 0, NULL, 0, NULL, 0,
  218. buf, bytes);
  219. #ifdef DEBUG
  220. printf("Generated the following rand bytes: ");
  221. for(int i=0; i< bytes; i++){
  222. printf(" %02x ", buf[i]);
  223. }
  224. printf("\n");
  225. #endif
  226. if (!BN_bin2bn(buf, bytes, priv_key))
  227. return 1;
  228. {
  229. BIGNUM *prk;
  230. prk = priv_key;
  231. if (!dh_clnt->meth->bn_mod_exp(dh_clnt, pub_key, dh_clnt->g, prk, dh_clnt->p, ctx, mont)){
  232. printf("FAIL\n");
  233. return 1;
  234. }
  235. }
  236. dh_clnt->pub_key = pub_key;
  237. dh_clnt->priv_key = priv_key;
  238. // Compute master key
  239. uint8_t *pre_master_secret = calloc(1, 256);//TODO: find right length
  240. DH_compute_key(pre_master_secret, dh_srvr->pub_key, dh_clnt);
  241. PRF(pre_master_secret, PRE_MASTER_LEN, (uint8_t *) TLS_MD_MASTER_SECRET_CONST, TLS_MD_MASTER_SECRET_CONST_SIZE, f->client_random, SSL3_RANDOM_SIZE, f->server_random, SSL3_RANDOM_SIZE, NULL, 0, f->master_secret, SSL3_MASTER_SECRET_SIZE);
  242. if(f->current_session != NULL)
  243. memcpy(f->current_session, f->master_secret, SSL3_MASTER_SECRET_SIZE);
  244. #ifdef DEBUG
  245. fprintf(stderr, "Premaster Secret:\n");
  246. BIO_dump_fp(stderr, (char *)pre_master_secret, PRE_MASTER_LEN);
  247. fprintf(stderr, "Client Random:\n");
  248. BIO_dump_fp(stderr, (char *)f->client_random, SSL3_RANDOM_SIZE);
  249. fprintf(stderr, "Server Random:\n");
  250. BIO_dump_fp(stderr, (char *)f->server_random, SSL3_RANDOM_SIZE);
  251. fprintf(stderr, "Master Secret:\n");
  252. BIO_dump_fp(stderr, (char *)f->master_secret, SSL3_MASTER_SECRET_SIZE);
  253. #endif
  254. //remove pre_master_secret from memory
  255. memset(pre_master_secret, 0, PRE_MASTER_LEN);
  256. free(pre_master_secret);
  257. DH_free(dh_srvr);
  258. DH_free(dh_clnt);
  259. return 0;
  260. }
  261. /** Saves the random none from the server hello message
  262. *
  263. * Inputs:
  264. * f: the tagged flow
  265. * hs: a pointer to the beginning of the server hello msg
  266. *
  267. * Output:
  268. * none
  269. */
  270. void extract_server_random(flow *f, uint8_t *hs){
  271. uint8_t *p;
  272. p = hs + HANDSHAKE_HEADER_LEN;
  273. p+=2; //skip version
  274. memcpy(f->server_random, p, SSL3_RANDOM_SIZE);
  275. }
  276. /** PRF using sha384, as defined in RFC 5246
  277. *
  278. * Inputs:
  279. * secret: the master secret used to sign the hash
  280. * secret_len: the length of the master secret
  281. * seed{1, ..., 4}: seed values that are virtually
  282. * concatenated
  283. * seed{1,...4}_len: length of the seeds
  284. * output: a pointer to the output of the PRF
  285. * output_len: the number of desired bytes
  286. *
  287. * Output:
  288. * 0 on success, 1 on failure
  289. */
  290. int PRF(uint8_t *secret, int32_t secret_len,
  291. uint8_t *seed1, int32_t seed1_len,
  292. uint8_t *seed2, int32_t seed2_len,
  293. uint8_t *seed3, int32_t seed3_len,
  294. uint8_t *seed4, int32_t seed4_len,
  295. uint8_t *output, int32_t output_len){
  296. EVP_MD_CTX ctx, ctx_tmp, ctx_init;
  297. EVP_PKEY *mac_key;
  298. const EVP_MD *md = EVP_sha384();
  299. uint8_t A[EVP_MAX_MD_SIZE];
  300. size_t len, A_len;
  301. int chunk = EVP_MD_size(md);
  302. int remaining = output_len;
  303. uint8_t *out = output;
  304. EVP_MD_CTX_init(&ctx);
  305. EVP_MD_CTX_init(&ctx_tmp);
  306. EVP_MD_CTX_init(&ctx_init);
  307. EVP_MD_CTX_set_flags(&ctx_init, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
  308. mac_key = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, secret, secret_len);
  309. /* Calculate first A value */
  310. EVP_DigestSignInit(&ctx_init, NULL, md, NULL, mac_key);
  311. EVP_MD_CTX_copy_ex(&ctx, &ctx_init);
  312. if(seed1 != NULL && seed1_len > 0){
  313. EVP_DigestSignUpdate(&ctx, seed1, seed1_len);
  314. }
  315. if(seed2 != NULL && seed2_len > 0){
  316. EVP_DigestSignUpdate(&ctx, seed2, seed2_len);
  317. }
  318. if(seed3 != NULL && seed3_len > 0){
  319. EVP_DigestSignUpdate(&ctx, seed3, seed3_len);
  320. }
  321. if(seed4 != NULL && seed4_len > 0){
  322. EVP_DigestSignUpdate(&ctx, seed4, seed4_len);
  323. }
  324. EVP_DigestSignFinal(&ctx, A, &A_len);
  325. //iterate until desired length is achieved
  326. while(remaining > 0){
  327. /* Now compute SHA384(secret, A+seed) */
  328. EVP_MD_CTX_copy_ex(&ctx, &ctx_init);
  329. EVP_DigestSignUpdate(&ctx, A, A_len);
  330. EVP_MD_CTX_copy_ex(&ctx_tmp, &ctx);
  331. if(seed1 != NULL && seed1_len > 0){
  332. EVP_DigestSignUpdate(&ctx, seed1, seed1_len);
  333. }
  334. if(seed2 != NULL && seed2_len > 0){
  335. EVP_DigestSignUpdate(&ctx, seed2, seed2_len);
  336. }
  337. if(seed3 != NULL && seed3_len > 0){
  338. EVP_DigestSignUpdate(&ctx, seed3, seed3_len);
  339. }
  340. if(seed4 != NULL && seed4_len > 0){
  341. EVP_DigestSignUpdate(&ctx, seed4, seed4_len);
  342. }
  343. if(remaining > chunk){
  344. EVP_DigestSignFinal(&ctx, out, &len);
  345. out += len;
  346. remaining -= len;
  347. /* Next A value */
  348. EVP_DigestSignFinal(&ctx_tmp, A, &A_len);
  349. } else {
  350. EVP_DigestSignFinal(&ctx, A, &A_len);
  351. memcpy(out, A, remaining);
  352. remaining -= remaining;
  353. }
  354. }
  355. return 0;
  356. }
  357. /** After receiving change cipher spec, calculate keys from master secret
  358. *
  359. * Input:
  360. * f: the tagged flow
  361. *
  362. * Output:
  363. * 0 on success, 1 on failure
  364. */
  365. int init_ciphers(flow *f){
  366. EVP_CIPHER_CTX *r_ctx;
  367. EVP_CIPHER_CTX *w_ctx;
  368. EVP_CIPHER_CTX *w_ctx_srvr;
  369. EVP_CIPHER_CTX *r_ctx_srvr;
  370. const EVP_CIPHER *c = EVP_aes_256_gcm();
  371. /* Generate Keys */
  372. uint8_t *write_key, *write_iv;
  373. uint8_t *read_key, *read_iv;
  374. int32_t mac_len, key_len, iv_len;
  375. key_len = EVP_CIPHER_key_length(c);
  376. iv_len = EVP_CIPHER_iv_length(c); //EVP_GCM_TLS_FIXED_IV_LEN;
  377. mac_len = EVP_MD_size(EVP_sha384());
  378. int32_t total_len = key_len + iv_len + mac_len;
  379. total_len *= 2;
  380. uint8_t *key_block = calloc(1, total_len);
  381. PRF(f->master_secret, SSL3_MASTER_SECRET_SIZE,
  382. (uint8_t *) TLS_MD_KEY_EXPANSION_CONST, TLS_MD_KEY_EXPANSION_CONST_SIZE,
  383. f->server_random, SSL3_RANDOM_SIZE,
  384. f->client_random, SSL3_RANDOM_SIZE,
  385. NULL, 0,
  386. key_block, total_len);
  387. #ifdef DEBUG
  388. printf("master secret:\n");
  389. for(int i=0; i< SSL3_MASTER_SECRET_SIZE; i++){
  390. printf("%02x ", f->master_secret[i]);
  391. }
  392. printf("\n");
  393. printf("client random:\n");
  394. for(int i=0; i< SSL3_RANDOM_SIZE; i++){
  395. printf("%02x ", f->client_random[i]);
  396. }
  397. printf("\n");
  398. printf("server random:\n");
  399. for(int i=0; i< SSL3_RANDOM_SIZE; i++){
  400. printf("%02x ", f->server_random[i]);
  401. }
  402. printf("\n");
  403. printf("keyblock:\n");
  404. for(int i=0; i< total_len; i++){
  405. printf("%02x ", key_block[i]);
  406. }
  407. printf("\n");
  408. #endif
  409. iv_len = EVP_GCM_TLS_FIXED_IV_LEN;
  410. write_key = key_block;
  411. read_key = key_block + key_len;
  412. write_iv = key_block + 2*key_len;
  413. read_iv = key_block + 2*key_len + iv_len;
  414. /* Initialize Cipher Contexts */
  415. r_ctx = EVP_CIPHER_CTX_new();
  416. w_ctx = EVP_CIPHER_CTX_new();
  417. EVP_CIPHER_CTX_init(r_ctx);
  418. EVP_CIPHER_CTX_init(w_ctx);
  419. w_ctx_srvr = EVP_CIPHER_CTX_new();
  420. r_ctx_srvr = EVP_CIPHER_CTX_new();
  421. EVP_CIPHER_CTX_init(w_ctx_srvr);
  422. EVP_CIPHER_CTX_init(r_ctx_srvr);
  423. /* Initialize MACs --- not needed for aes_256_gcm
  424. write_mac = key_block + 2*key_len + 2*iv_len;
  425. read_mac = key_block + 2*key_len + 2*iv_len + mac_len;
  426. read_mac_ctx = EVP_MD_CTX_create();
  427. write_mac_ctx = EVP_MD_CTX_create();
  428. read_mac_key =EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, read_mac, mac_len);
  429. write_mac_key =EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, write_mac, mac_len);
  430. EVP_DigestSignInit(read_mac_ctx, NULL, EVP_sha384(), NULL, read_mac_key);
  431. EVP_DigestSignInit(write_mac_ctx, NULL, EVP_sha384(), NULL, write_mac_key);
  432. EVP_PKEY_free(read_mac_key);
  433. EVP_PKEY_free(write_mac_key);*/
  434. #ifdef DEBUG
  435. {
  436. int i;
  437. fprintf(stderr, "EVP_CipherInit_ex(r_ctx,c,key=,iv=,which)\n");
  438. fprintf(stderr, "\tkey= ");
  439. for (i = 0; i < c->key_len; i++)
  440. fprintf(stderr, "%02x", read_key[i]);
  441. fprintf(stderr, "\n");
  442. fprintf(stderr, "\t iv= ");
  443. for (i = 0; i < c->iv_len; i++)
  444. fprintf(stderr, "%02x", read_iv[i]);
  445. fprintf(stderr, "\n");
  446. }
  447. {
  448. int i;
  449. fprintf(stderr, "EVP_CipherInit_ex(w_ctx,c,key=,iv=,which)\n");
  450. fprintf(stderr, "\tkey= ");
  451. for (i = 0; i < c->key_len; i++)
  452. fprintf(stderr, "%02x", write_key[i]);
  453. fprintf(stderr, "\n");
  454. fprintf(stderr, "\t iv= ");
  455. for (i = 0; i < c->iv_len; i++)
  456. fprintf(stderr, "%02x", write_iv[i]);
  457. fprintf(stderr, "\n");
  458. }
  459. #endif
  460. EVP_CipherInit_ex(r_ctx, c, NULL, read_key, NULL, 0);
  461. EVP_CipherInit_ex(w_ctx, c, NULL, write_key, NULL, 1);
  462. EVP_CipherInit_ex(w_ctx_srvr, c, NULL, read_key, NULL, 1);
  463. EVP_CipherInit_ex(r_ctx_srvr, c, NULL, write_key, NULL, 0);
  464. EVP_CIPHER_CTX_ctrl(r_ctx, EVP_CTRL_GCM_SET_IV_FIXED, EVP_GCM_TLS_FIXED_IV_LEN, read_iv);
  465. EVP_CIPHER_CTX_ctrl(w_ctx, EVP_CTRL_GCM_SET_IV_FIXED, EVP_GCM_TLS_FIXED_IV_LEN, write_iv);
  466. EVP_CIPHER_CTX_ctrl(w_ctx_srvr, EVP_CTRL_GCM_SET_IV_FIXED, EVP_GCM_TLS_FIXED_IV_LEN, read_iv);
  467. EVP_CIPHER_CTX_ctrl(r_ctx_srvr, EVP_CTRL_GCM_SET_IV_FIXED, EVP_GCM_TLS_FIXED_IV_LEN, write_iv);
  468. f->clnt_read_ctx = r_ctx;
  469. f->clnt_write_ctx = w_ctx;
  470. f->srvr_read_ctx = r_ctx_srvr;
  471. f->srvr_write_ctx = w_ctx_srvr;
  472. return 0;
  473. }
  474. // To avoid warnings about MAC paddings, use this to update contexts
  475. void update_context(flow *f, uint8_t *input, int32_t len, int32_t incoming, int32_t type, int32_t enc){
  476. uint8_t *output = calloc(1, len+16+8);
  477. memcpy(output + EVP_GCM_TLS_EXPLICIT_IV_LEN, input, len);
  478. //If the original message was a decryption, this will be an necryption.
  479. //Incoming field stays the same
  480. encrypt(f, output, output, len+8, incoming, type, !enc);
  481. //revert the sequence number
  482. uint8_t *seq = incoming ? f->read_seq : f->write_seq;
  483. for(int i=7; i>=0; i--){
  484. --seq[i];
  485. if(seq[i] >= 0)
  486. break;
  487. else
  488. seq[i] = 0;
  489. }
  490. free(output);
  491. }
  492. /** Checks a handshake message to see if it is tagged or a
  493. * recognized flow. If the client random nonce is tagged,
  494. * adds the flow to the flow table to be tracked.
  495. *
  496. * Inputs:
  497. * info: the processed packet
  498. * f: the tagged flow
  499. *
  500. * Output:
  501. * none
  502. */
  503. void check_handshake(struct packet_info *info, flow f){
  504. FILE *fp;
  505. int res, i, code;
  506. uint8_t *hello_rand;
  507. const struct handshake_header *handshake_hdr;
  508. byte privkey[PTWIST_BYTES];
  509. byte key[16];
  510. uint8_t *p = info->app_data + RECORD_HEADER_LEN;
  511. handshake_hdr = (struct handshake_header*) p;
  512. code = handshake_hdr->type;
  513. if (code == 0x01){
  514. p += CLIENT_HELLO_HEADER_LEN;
  515. //now pointing to hello random :D
  516. hello_rand = p;
  517. p += 4; //skipping time bytes
  518. /* Load the private key */
  519. fp = fopen("privkey", "rb");
  520. if (fp == NULL) {
  521. perror("fopen");
  522. exit(1);
  523. }
  524. res = fread(privkey, PTWIST_BYTES, 1, fp);
  525. if (res < 1) {
  526. perror("fread");
  527. exit(1);
  528. }
  529. fclose(fp);
  530. /* check tag*/
  531. res = check_tag(key, privkey, p, (const byte *)"context", 7);
  532. if (res) {
  533. printf("Untagged\n");
  534. } else {
  535. fp = fopen("tags", "ab");
  536. if (fp == NULL) {
  537. perror("fopen");
  538. exit(1);
  539. }
  540. //Write tag to file
  541. for(i=0; i< 28; i++){
  542. fprintf(fp, "%02x ", p[i]);
  543. }
  544. fprintf(fp, "\n");
  545. fclose(fp);
  546. //Write key to file
  547. fp = fopen("sharedkey", "ab");
  548. if (fp == NULL) {
  549. perror("fopen");
  550. exit(1);
  551. }
  552. for(i=0; i<16;i++){
  553. fprintf(fp, "%02x", key[i]);
  554. }
  555. fprintf(fp, "\n");
  556. fclose(fp);
  557. printf("Received tagged flow! (key =");
  558. for(i=0; i<16;i++){
  559. printf(" %02x", key[i]);
  560. }
  561. printf(")\n");
  562. /* Save flow in table */
  563. flow *flow_ptr = add_flow(f);
  564. for(int i=0; i<16; i++){
  565. flow_ptr->key[i] = key[i];
  566. }
  567. memcpy(flow_ptr->client_random, hello_rand, SSL3_RANDOM_SIZE);
  568. printf("Saved new flow\n");
  569. }
  570. }
  571. }