Etusivu Tutki Apua
Kirjaudu sisään
cbocovic
/
slitheen
1
0
Fork 0
Tiedostot Ongelmat 0 Pull-pyynnöt 0 Wiki
Puu: b68313ff89
Branchit Tagit
slitheen
/
server
/
crypto.c

crypto.c 26 KB
Historia Raaka

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058 
  1. #include <openssl/evp.h>
    2. 

  2. #include <openssl/dh.h>
    3. 

  3. #include <openssl/bn.h>
    4. 

  4. #include <openssl/err.h>
    5. 

  5. #include <openssl/rand.h>
    6. 

  6. #include <openssl/ssl.h>
    7. 

  7. #include "rserv.h"
    8. 

  8. #include "crypto.h"
    9. 

  9. #include "flow.h"
    10. 

  10. #include "slitheen.h"
    11. 

  11. 

  12. #define NID_sect163k1           721
    13. 

  13. #define NID_sect163r1           722
    14. 

  14. #define NID_sect163r2           723
    15. 

  15. #define NID_sect193r1           724
    16. 

  16. #define NID_sect193r2           725
    17. 

  17. #define NID_sect233k1           726
    18. 

  18. #define NID_sect233r1           727
    19. 

  19. #define NID_sect239k1           728
    20. 

  20. #define NID_sect283k1           729
    21. 

  21. #define NID_sect283r1           730
    22. 

  22. #define NID_sect409k1           731
    23. 

  23. #define NID_sect409r1           732
    24. 

  24. #define NID_sect571k1           733
    25. 

  25. #define NID_sect571r1           734
    26. 

  26. #define NID_secp160k1           708
    27. 

  27. #define NID_secp160r1           709
    28. 

  28. #define NID_secp160r2           710
    29. 

  29. #define NID_secp192k1           711
    30. 

  30. #define NID_X9_62_prime192v1            409
    31. 

  31. #define NID_secp224k1           712
    32. 

  32. #define NID_secp224r1           713
    33. 

  33. #define NID_secp256k1           714
    34. 

  34. #define NID_X9_62_prime256v1            415
    35. 

  35. #define NID_secp384r1           715
    36. 

  36. #define NID_secp521r1           716
    37. 

  37. #define NID_brainpoolP256r1             927
    38. 

  38. #define NID_brainpoolP384r1             931
    39. 

  39. #define NID_brainpoolP512r1             933
    40. 

  40. 

  41. static int nid_list[] = {
    42. 

  42.     NID_sect163k1,              /* sect163k1 (1) */
    43. 

  43.     NID_sect163r1,              /* sect163r1 (2) */
    44. 

  44.     NID_sect163r2,              /* sect163r2 (3) */
    45. 

  45.     NID_sect193r1,              /* sect193r1 (4) */
    46. 

  46.     NID_sect193r2,              /* sect193r2 (5) */
    47. 

  47.     NID_sect233k1,              /* sect233k1 (6) */
    48. 

  48.     NID_sect233r1,              /* sect233r1 (7) */
    49. 

  49.     NID_sect239k1,              /* sect239k1 (8) */
    50. 

  50.     NID_sect283k1,              /* sect283k1 (9) */
    51. 

  51.     NID_sect283r1,              /* sect283r1 (10) */
    52. 

  52.     NID_sect409k1,              /* sect409k1 (11) */
    53. 

  53.     NID_sect409r1,              /* sect409r1 (12) */
    54. 

  54.     NID_sect571k1,              /* sect571k1 (13) */
    55. 

  55.     NID_sect571r1,              /* sect571r1 (14) */
    56. 

  56.     NID_secp160k1,              /* secp160k1 (15) */
    57. 

  57.     NID_secp160r1,              /* secp160r1 (16) */
    58. 

  58.     NID_secp160r2,              /* secp160r2 (17) */
    59. 

  59.     NID_secp192k1,              /* secp192k1 (18) */
    60. 

  60.     NID_X9_62_prime192v1,       /* secp192r1 (19) */
    61. 

  61.     NID_secp224k1,              /* secp224k1 (20) */
    62. 

  62.     NID_secp224r1,              /* secp224r1 (21) */
    63. 

  63.     NID_secp256k1,              /* secp256k1 (22) */
    64. 

  64.     NID_X9_62_prime256v1,       /* secp256r1 (23) */
    65. 

  65.     NID_secp384r1,              /* secp384r1 (24) */
    66. 

  66.     NID_secp521r1,              /* secp521r1 (25) */
    67. 

  67.     NID_brainpoolP256r1,        /* brainpoolP256r1 (26) */
    68. 

  68.     NID_brainpoolP384r1,        /* brainpoolP384r1 (27) */
    69. 

  69.     NID_brainpoolP512r1         /* brainpool512r1 (28) */
    70. 

  70. };
    71. 

  71. 

  72. /** Updates the hash of all TLS handshake messages upon the
    73. 

  73.  *  receipt of a new message. This hash is eventually used
    74. 

  74.  *  to verify the TLS Finished message
    75. 

  75.  *
    76. 

  76.  *  Inputs:
    77. 

  77.  *  	f: the tagged flow
    78. 

  78.  *  	hs: A pointer to the start of the handshake message
    79. 

  79.  *
    80. 

  80.  *  Output:
    81. 

  81.  *  	0 on success, 1 on failure
    82. 

  82.  */
    83. 

  83. int update_finish_hash(flow *f, uint8_t *hs){
    84. 

  84. 	//find handshake length
    85. 

  85. 	const struct handshake_header *hs_hdr;
    86. 

  86. 	uint8_t *p = hs;
    87. 

  87. 	hs_hdr = (struct handshake_header*) p;
    88. 

  88. 	uint32_t hs_len = HANDSHAKE_MESSAGE_LEN(hs_hdr);
    89. 

  89. 	
    90. 

  90. 	EVP_DigestUpdate(f->finish_md_ctx, hs, hs_len+4);
    91. 

  91. 

  92. 	return 0;
    93. 

  93. }
    94. 

  94. 

  95. /** Extracts the server parameters from the server key
    96. 

  96.  *  exchange message
    97. 

  97.  *
    98. 

  98.  *  Inputs:
    99. 

  99.  *  	f: the tagged flow
    100. 

  100.  *  	hs: the beginning of the server key exchange
    101. 

  101.  *  		handshake message
    102. 

  102.  *
    103. 

  103.  *  Output:
    104. 

  104.  *  	0 on success, 1 on failure
    105. 

  105.  */
    106. 

  106. int extract_parameters(flow *f, uint8_t *hs){
    107. 

  107. 	uint8_t *p;
    108. 

  108. 	long i;
    109. 

  109. 

  110. 	int ok=1;
    111. 

  111. 

  112. 	p = hs + HANDSHAKE_HEADER_LEN;
    113. 

  113. 

  114. 	if(f->keyex_alg == 1){
    115. 

  115. 		DH *dh;
    116. 

  116. 

  117. 		if((dh = DH_new()) == NULL){
    118. 

  118. 			return 1;
    119. 

  119. 		}
    120. 

  120. 

  121. 		/* Extract prime modulus */
    122. 

  122. 		n2s(p,i);
    123. 

  123. 

  124. 		if(!(dh->p = BN_bin2bn(p,i,NULL))){
    125. 

  125. 			return 1;
    126. 

  126. 		}
    127. 

  127. 		p += i;
    128. 

  128. 

  129. 		/* Extract generator */
    130. 

  130. 		n2s(p,i);
    131. 

  131. 

  132. 		if(!(dh->g = BN_bin2bn(p,i,NULL))){
    133. 

  133. 			return 1;
    134. 

  134. 		}
    135. 

  135. 		p += i;
    136. 

  136. 

  137. 		/* Extract server public value */
    138. 

  138. 		n2s(p,i);
    139. 

  139. 

  140. 		if(!(dh->pub_key = BN_bin2bn(p,i,NULL))){
    141. 

  141. 			return 1;
    142. 

  142. 		}
    143. 

  143. 

  144. 		f->dh = dh;
    145. 

  145. 	} else if (f->keyex_alg == 2){
    146. 

  146. 		EC_KEY *ecdh;
    147. 

  147. 		EC_GROUP *ngroup;
    148. 

  148. 		const EC_GROUP *group;
    149. 

  149. 

  150. 		BN_CTX *bn_ctx = NULL;
    151. 

  151. 		EC_POINT *srvr_ecpoint = NULL;
    152. 

  152. 		int curve_nid = 0;
    153. 

  153. 		int encoded_pt_len = 0;
    154. 

  154. 

  155. 		if((ecdh = EC_KEY_new()) == NULL) {
    156. 

  156. 			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
    157. 

  157. 			printf("HERE1\n");
    158. 

  158. 			fflush(stdout);
    159. 

  159. 			goto err;
    160. 

  160. 		}
    161. 

  161. 

  162. 

  163. 		if(p[0] != 0x03){//not a named curve
    164. 

  164. 			printf("HERE2\n");
    165. 

  165. 			fflush(stdout);
    166. 

  166. 			goto err;
    167. 

  167. 		}
    168. 

  168. 

  169. 		//int curve_id = (p[1] << 8) + p[2];
    170. 

  170. 		int curve_id = *(p+2);
    171. 

  171. 		if((curve_id < 0) || ((unsigned int)curve_id >
    172. 

  172. 						            sizeof(nid_list) / sizeof(nid_list[0]))){
    173. 

  173. 			printf("HERE3\n");
    174. 

  174. 			fflush(stdout);
    175. 

  175. 			goto err;
    176. 

  176. 		}
    177. 

  177. 			
    178. 

  178. 		curve_nid = nid_list[curve_id-1];
    179. 

  179. 	
    180. 

  180. 		/* Extract curve 
    181. 

  181. 		if(!tls1_check_curve(s, p, 3)) {
    182. 

  182. 			goto err;
    183. 

  183. 

  184. 		}
    185. 

  185. 

  186. 		if((*(p+2) < 1) || ((unsigned int) (*(p+2)) > sizeof(nid_list) / sizeof(nid_list[0]))){
    187. 

  187. 

  188. 			goto err;
    189. 

  189. 		}
    190. 

  190. 		curve_nid = nid_list[*(p+2)];
    191. 

  191. 		*/
    192. 

  192. 

  193. 		ngroup = EC_GROUP_new_by_curve_name(curve_nid);
    194. 

  194. 

  195. 		if(ngroup == NULL){
    196. 

  196. 			printf("HERE4\n");
    197. 

  197. 			fflush(stdout);
    198. 

  198. 			goto err;
    199. 

  199. 		}
    200. 

  200. 		if(EC_KEY_set_group(ecdh, ngroup) == 0){
    201. 

  201. 			printf("HERE5\n");
    202. 

  202. 			fflush(stdout);
    203. 

  203. 			goto err;
    204. 

  204. 		}
    205. 

  205. 		EC_GROUP_free(ngroup);
    206. 

  206. 

  207. 		group = EC_KEY_get0_group(ecdh);
    208. 

  208. 		printf("Curve name is %d\n", EC_GROUP_get_curve_name(group));
    209. 

  209. 

  210. 		p += 3;
    211. 

  211. 

  212. 		/* Get EC point */
    213. 

  213. 		if (((srvr_ecpoint = EC_POINT_new(group)) == NULL) || 
    214. 

  214. 				((bn_ctx = BN_CTX_new()) == NULL)) {
    215. 

  215. 			printf("HERE6\n");
    216. 

  216. 			fflush(stdout);
    217. 

  217. 			goto err;
    218. 

  218. 		}
    219. 

  219. 

  220. 		encoded_pt_len = *p;
    221. 

  221. 		p += 1;
    222. 

  222. 

  223. 		printf("point len: %d, message len: %x %x %x\n",encoded_pt_len, hs[1], hs[2], hs[3]);
    224. 

  224. 

  225. 		if(EC_POINT_oct2point(group, srvr_ecpoint, p, encoded_pt_len, 
    226. 

  226. 					bn_ctx) == 0){
    227. 

  227. 			printf("HERE7\n");
    228. 

  228. 			fflush(stdout);
    229. 

  229. 			goto err;
    230. 

  230. 		}
    231. 

  231. 

  232. 		p += encoded_pt_len;
    233. 

  233. 

  234. 		EC_KEY_set_public_key(ecdh, srvr_ecpoint);
    235. 

  235. 

  236. 		f->ecdh = ecdh;
    237. 

  237. 		ecdh = NULL;
    238. 

  238. 		BN_CTX_free(bn_ctx);
    239. 

  239. 		bn_ctx = NULL;
    240. 

  240. 		EC_POINT_free(srvr_ecpoint);
    241. 

  241. 		srvr_ecpoint = NULL;
    242. 

  242. 		ok=0;
    243. 

  243. 		
    244. 

  244. err:
    245. 

  245. 		if(bn_ctx != NULL){
    246. 

  246. 			BN_CTX_free(bn_ctx);
    247. 

  247. 		}
    248. 

  248. 		if(srvr_ecpoint != NULL){
    249. 

  249. 			EC_POINT_free(srvr_ecpoint);
    250. 

  250. 		}
    251. 

  251. 		if(ecdh != NULL){
    252. 

  252. 			EC_KEY_free(ecdh);
    253. 

  253. 		}
    254. 

  254. 

  255. 	}
    256. 

  256. 	return ok;
    257. 

  257. }
    258. 

  258. 

  259. /** MAC a message
    260. 

  260.  * TODO: look at tls1_mac in t1_enc.c
    261. 

  261.  * For now, only goes one way (macs message to be written)
    262. 

  262.  *
    263. 

  263. int32_t mac(flow *f, uint8_t *input, uint8_t *output, int32_t len, int32_t incoming, int32_t type, int32_t enc){
    264. 

  264. 	uint8_t header[13];
    265. 

  265. 	int32_t md_size;
    266. 

  266. 

  267.     header[8] = type;
    268. 

  268.     header[9] = 0x03;//TODO: update for different versions
    269. 

  269.     header[10] = 0x03;
    270. 

  270.     header[11] = (len) >> 8;
    271. 

  271.     header[12] = (len) & 0xff;
    272. 

  272. 

  273. 	EVP_DigestSignUpdate(f->read_mac_ctx, header, sizeof(header));
    274. 

  274. 	EVP_DigestSignUpdate(f->read_mac_ctx, input, len);
    275. 

  275. 	EVP_DigestSignFinal(f->read_mac_ctx, output, &md_size);
    276. 

  276. 

  277. 	return md_size;
    278. 

  278. 

  279. }*/
    280. 

  280. 

  281. /* Encrypt/Decrypt a TLS record
    282. 

  282.  *
    283. 

  283.  *  Inputs:
    284. 

  284.  * 		f: the tagged flow
    285. 

  285.  * 		input: a pointer to the data that is to be encrypted/
    286. 

  286.  * 			   decrypted
    287. 

  287.  * 		output: a pointer to where the data should be written
    288. 

  288.  * 				after it is encrypted or decrypted
    289. 

  289.  * 		len: the length of the data
    290. 

  290.  * 		incoming: the direction of the record
    291. 

  291.  * 		type: the type of the TLS record
    292. 

  292.  * 		enc: 1 for encryption, 0 for decryption
    293. 

  293.  *
    294. 

  294.  * 	Output:
    295. 

  295.  * 		length of the output data
    296. 

  296.  */
    297. 

  297. int encrypt(flow *f, uint8_t *input, uint8_t *output, int32_t len, int32_t incoming, int32_t type, int32_t enc){
    298. 

  298. 	uint8_t *p = input;
    299. 

  299. 	
    300. 

  300. 	EVP_CIPHER_CTX *ds = (incoming) ? ((enc) ? f->srvr_write_ctx : f->clnt_read_ctx) : ((enc) ? f->clnt_write_ctx : f->srvr_read_ctx) ;
    301. 

  301. 	if(ds == NULL){
    302. 

  302. 		printf("FAIL\n");
    303. 

  303. 		return 1;
    304. 

  304. 	}
    305. 

  305. 

  306. 	uint8_t *seq;
    307. 

  307. 	seq = (incoming) ? f->read_seq : f->write_seq;
    308. 

  308. 

  309. 	if(f->application && (ds->iv[EVP_GCM_TLS_FIXED_IV_LEN] == 0)){
    310. 

  310. 		//fill in rest of iv
    311. 

  311. 		for(int i = EVP_GCM_TLS_FIXED_IV_LEN; i< ds->cipher->iv_len; i++){
    312. 

  312. 			ds->iv[i] = p[i- EVP_GCM_TLS_FIXED_IV_LEN];
    313. 

  313. 		}
    314. 

  314. 	}
    315. 

  315. 

  316. #ifdef DEBUG
    317. 

  317. 	printf("\t\tiv: ");
    318. 

  318. 	for(int i=0; i<ds->cipher->iv_len; i++){
    319. 

  319. 		printf("%02X ", ds->iv[i]);
    320. 

  320. 	}
    321. 

  321. 	printf("\n");
    322. 

  322. #endif
    323. 

  323. 

  324. 	uint8_t buf[13];
    325. 

  325. 	memcpy(buf, seq, 8);
    326. 

  326. 

  327. 	for(int i=7; i>=0; i--){
    328. 

  328. 		++seq[i];
    329. 

  329. 		if(seq[i] != 0)
    330. 

  330. 			break;
    331. 

  331. 	}
    332. 

  332. 	
    333. 

  333. 	buf[8] = type;
    334. 

  334. 	buf[9] = 0x03;
    335. 

  335. 	buf[10] = 0x03;
    336. 

  336. 	buf[11] = len >> 8; //len >> 8;
    337. 

  337. 	buf[12] = len & 0xff;//len *0xff;
    338. 

  338. 	int32_t pad = EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_AEAD_TLS1_AAD,
    339. 

  339. 			13, buf); // = int32_t pad?
    340. 

  340. 	printf("pad: %d\n", pad);
    341. 

  341. 

  342. 	if(enc)
    343. 

  343. 		len += pad;
    344. 

  344. 

  345. 	int32_t n = EVP_Cipher(ds, p, p, len); //decrypt in place
    346. 

  346. 	if(n<0) return 0;
    347. 

  347. 

  348. #ifdef DEBUG
    349. 

  349. 	printf("decrypted data:\n");
    350. 

  350. 	for(int i=0; i< len; i++){
    351. 

  351. 		printf("%02x ", p[EVP_GCM_TLS_EXPLICIT_IV_LEN+i]);
    352. 

  352. 	}
    353. 

  353. 	printf("\n");
    354. 

  354. #endif
    355. 

  355. 

  356. 	if(!enc)
    357. 

  357. 		p[EVP_GCM_TLS_EXPLICIT_IV_LEN+n] = '\0';
    358. 

  358. 

  359. 	return n;
    360. 

  360. }
    361. 

  361. 

  362. /** Verifies the hash in a TLS finished message
    363. 

  363.  *
    364. 

  364.  * 	Inputs:
    365. 

  365.  * 		f: the tagged flow
    366. 

  366.  * 		p: a pointer to the TLS Finished handshake message
    367. 

  367.  * 		incoming: the direction of the flow
    368. 

  368.  *
    369. 

  369.  * 	Output:
    370. 

  370.  * 		0 on success, 1 on failure
    371. 

  371.  */
    372. 

  372. int verify_finish_hash(flow *f, uint8_t *p, int32_t incoming){
    373. 

  373. 	EVP_MD_CTX ctx;
    374. 

  374. 	uint8_t hash[EVP_MAX_MD_SIZE];
    375. 

  375. 	uint32_t hash_len;
    376. 

  376. 

  377. 	EVP_MD_CTX_init(&ctx);
    378. 

  378. 	
    379. 

  379. 	//get header length
    380. 

  380. 	struct handshake_header *hs_hdr;
    381. 

  381. 	hs_hdr = (struct handshake_header*) p;
    382. 

  382. 	uint32_t fin_length = HANDSHAKE_MESSAGE_LEN(hs_hdr);
    383. 

  383. 	p += HANDSHAKE_HEADER_LEN;
    384. 

  384. 

  385. 	//finalize hash of handshake msgs
    386. 

  386. 	EVP_MD_CTX_copy_ex(&ctx, f->finish_md_ctx);
    387. 

  387. 	EVP_DigestFinal_ex(&ctx, hash, &hash_len);
    388. 

  388. 

  389. 	//now use pseudorandom function
    390. 

  390. 	uint8_t *output = calloc(1, fin_length);
    391. 

  391. 	if(incoming){
    392. 

  392. 		PRF(f, f->master_secret, SSL3_MASTER_SECRET_SIZE, (uint8_t *) TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE , hash, hash_len, NULL, 0, NULL, 0, output, fin_length);
    393. 

  393. 	} else {
    394. 

  394. 		PRF(f, f->master_secret, SSL3_MASTER_SECRET_SIZE, (uint8_t *) TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE , hash, hash_len, NULL, 0, NULL, 0, output, fin_length);
    395. 

  395. 	}
    396. 

  396. 

  397. 	//now compare
    398. 

  398. 	if(CRYPTO_memcmp(p, output, fin_length) != 0){
    399. 

  399. 	//	printf("VERIFY FAILED\n");
    400. 

  400. 		free(output);
    401. 

  401. 		EVP_MD_CTX_cleanup(&ctx);
    402. 

  402. 		return 1;
    403. 

  403. 	} else {
    404. 

  404. 		printf("VERIFY PASSED\n");
    405. 

  405. 	}
    406. 

  406. 

  407. 	free(output);
    408. 

  408. 	EVP_MD_CTX_cleanup(&ctx);
    409. 

  409. 	return 0;
    410. 

  410. }
    411. 

  411. 

  412. /** Computes the TLS master secret from the decoy server's
    413. 

  413.  *  public key parameters and the leaked secret from the
    414. 

  414.  *  extracted Slitheen tag
    415. 

  415.  *
    416. 

  416.  *  Input:
    417. 

  417.  *  	f: the tagged flow
    418. 

  418.  *
    419. 

  419.  *  Output:
    420. 

  420.  *  	0 on success, 1 on failure
    421. 

  421.  */
    422. 

  422. int compute_master_secret(flow *f){
    423. 

  423. 	printf("Computing master secret (%x:%d -> %x:%d)...\n", f->src_ip.s_addr, f->src_port, f->dst_ip.s_addr, f->dst_port);
    424. 

  424. 

  425. 	DH *dh_srvr = NULL;
    426. 

  426. 	DH *dh_clnt = NULL;
    427. 

  427. 	BN_CTX *ctx = NULL;
    428. 

  428. 	BIGNUM *pub_key = NULL, *priv_key = NULL, *order = NULL;
    429. 

  429. 

  430. 	EC_KEY *clnt_ecdh = NULL;
    431. 

  431. 	EC_POINT *e_pub_key = NULL;
    432. 

  432. 

  433. 	int ok =1;
    434. 

  434. 

  435. 	uint8_t *pre_master_secret = calloc(1, PRE_MASTER_MAX_LEN);//TODO: find right length
    436. 

  436. 	int32_t pre_master_len;
    437. 

  437. 	uint32_t l;
    438. 

  438. 	int32_t bytes;
    439. 

  439. 

  440. 	uint8_t *buf = NULL;
    441. 

  441. 

  442. 	if(f->keyex_alg == 1){
    443. 

  443. 		BN_MONT_CTX *mont = NULL;
    444. 

  444. 

  445. 		ctx = BN_CTX_new();
    446. 

  446. 

  447. 		dh_srvr = f->dh;
    448. 

  448. 		dh_clnt = DHparams_dup(dh_srvr);
    449. 

  449. 

  450. 		l = dh_clnt->length ? dh_clnt->length : BN_num_bits(dh_clnt->p) - 1;
    451. 

  451. 		bytes = (l+7) / 8;
    452. 

  452. 		printf("length of dh param: %d\n", bytes);
    453. 

  453. 

  454. 		buf = (uint8_t *)OPENSSL_malloc(bytes);
    455. 

  455. 		if (buf == NULL){
    456. 

  456. 			BNerr(BN_F_BNRAND, ERR_R_MALLOC_FAILURE);
    457. 

  457. 			goto err;
    458. 

  458. 		}
    459. 

  459. 

  460. 		pub_key = BN_new();
    461. 

  461. 		priv_key = BN_new();
    462. 

  462. 

  463. 		printf("key =");
    464. 

  464. 		for(int i=0; i< 16; i++)
    465. 

  465. 			printf(" %02x", f->key[i]);
    466. 

  466. 		printf("\n");
    467. 

  467. 

  468. 		PRF(f, f->key, 16,
    469. 

  469. 			(uint8_t *) SLITHEEN_KEYGEN_CONST, SLITHEEN_KEYGEN_CONST_SIZE,
    470. 

  470. 			NULL, 0, NULL, 0, NULL, 0,
    471. 

  471. 			buf, bytes);
    472. 

  472. 

  473. 	//#ifdef DEBUG
    474. 

  474. 		printf("Generated the following rand bytes: ");
    475. 

  475. 		for(int i=0; i< bytes; i++){
    476. 

  476. 			printf(" %02x ", buf[i]);
    477. 

  477. 		}
    478. 

  478. 		printf("\n");
    479. 

  479. 	//#endif
    480. 

  480. 

  481. 		if (!BN_bin2bn(buf, bytes, priv_key))
    482. 

  482. 			goto err;
    483. 

  483. 

  484. 		{
    485. 

  485. 			BIGNUM *prk;
    486. 

  486. 

  487. 			prk = priv_key;
    488. 

  488. 

  489. 			if (!dh_clnt->meth->bn_mod_exp(dh_clnt, pub_key, dh_clnt->g, prk, dh_clnt->p, ctx, mont)){
    490. 

  490. 				goto err;
    491. 

  491. 			}
    492. 

  492. 		}
    493. 

  493. 

  494. 		dh_clnt->pub_key = pub_key;
    495. 

  495. 		dh_clnt->priv_key = priv_key;
    496. 

  496. 

  497. 		pre_master_len = DH_compute_key(pre_master_secret, dh_srvr->pub_key, dh_clnt);
    498. 

  498. 		
    499. 

  499. 	} else if(f->keyex_alg == 2){
    500. 

  500. 		const EC_GROUP *srvr_group = NULL;
    501. 

  501. 		const EC_POINT *srvr_ecpoint = NULL;
    502. 

  502. 		EC_KEY *tkey;
    503. 

  503. 

  504. 		tkey = f->ecdh;
    505. 

  505. 		if(tkey == NULL){
    506. 

  506. 			return 1;
    507. 

  507. 		}
    508. 

  508. 

  509. 		srvr_group = EC_KEY_get0_group(tkey);
    510. 

  510. 		srvr_ecpoint = EC_KEY_get0_public_key(tkey);
    511. 

  511. 

  512. 		if((srvr_group == NULL) || (srvr_ecpoint == NULL)) {
    513. 

  513. 			return 1;
    514. 

  514. 		}
    515. 

  515. 

  516. 		if((clnt_ecdh = EC_KEY_new()) == NULL) {
    517. 

  517. 			goto err;
    518. 

  518. 		}
    519. 

  519. 

  520. 		if(!EC_KEY_set_group(clnt_ecdh, srvr_group)) {
    521. 

  521. 			goto err;
    522. 

  522. 		}
    523. 

  523. 

  524. 		/* Now generate key from tag */
    525. 

  525. 		
    526. 

  526. 		if((order = BN_new()) == NULL){
    527. 

  527. 			goto err;
    528. 

  528. 		}
    529. 

  529. 		if((ctx = BN_CTX_new()) == NULL){
    530. 

  530. 			goto err;
    531. 

  531. 		}
    532. 

  532. 

  533. 		if((priv_key = BN_new()) == NULL){
    534. 

  534. 			goto err;
    535. 

  535. 		}
    536. 

  536. 

  537. 		if(!EC_GROUP_get_order(srvr_group, order, ctx)){
    538. 

  538. 			goto err;
    539. 

  539. 		}
    540. 

  540. 

  541. 		l = BN_num_bits(order)-1;
    542. 

  542. 		bytes = (l+7)/8;
    543. 

  543. 

  544. 		buf = (unsigned char *)OPENSSL_malloc(bytes);
    545. 

  545. 		if(buf == NULL){
    546. 

  546. 			goto err;
    547. 

  547. 		}
    548. 

  548. 

  549. 		PRF(f, f->key, 16, (uint8_t *) SLITHEEN_KEYGEN_CONST, SLITHEEN_KEYGEN_CONST_SIZE,
    550. 

  550. 				NULL, 0, NULL, 0, NULL, 0, buf, bytes);
    551. 

  551. 

  552. 		//#ifdef DEBUG
    553. 

  553. 		printf("Generated the following rand bytes: ");
    554. 

  554. 		for(int i=0; i< bytes; i++){
    555. 

  555. 			printf("%02x ", buf[i]);
    556. 

  556. 		}
    557. 

  557. 		printf("\n");
    558. 

  558. //#endif
    559. 

  559. 		
    560. 

  560. 		if(!BN_bin2bn(buf, bytes, priv_key)){
    561. 

  561. 			goto err;
    562. 

  562. 		}
    563. 

  563. 

  564. 		if(EC_KEY_get0_public_key(clnt_ecdh) == NULL){
    565. 

  565. 			if((e_pub_key = EC_POINT_new(srvr_group)) == NULL){
    566. 

  566. 				goto err;
    567. 

  567. 			}
    568. 

  568. 		} else {
    569. 

  569. 			e_pub_key = EC_KEY_get0_public_key(clnt_ecdh);
    570. 

  570. 		}
    571. 

  571. 

  572. 		if(!EC_POINT_mul(EC_KEY_get0_group(clnt_ecdh), e_pub_key, priv_key, NULL, NULL, ctx)){
    573. 

  573. 			goto err;
    574. 

  574. 		}
    575. 

  575. 

  576. 		EC_KEY_set_private_key(clnt_ecdh, priv_key);
    577. 

  577. 		EC_KEY_set_public_key(clnt_ecdh, e_pub_key);
    578. 

  578. 

  579. 

  580. 		/*Compute the master secret */
    581. 

  581. 		int32_t field_size = EC_GROUP_get_degree(srvr_group);
    582. 

  582. 		if(field_size <= 0){
    583. 

  583. 			goto err;
    584. 

  584. 		}
    585. 

  585. 		pre_master_len = ECDH_compute_key(pre_master_secret, (field_size + 7) / 8,
    586. 

  586. 					srvr_ecpoint, clnt_ecdh, NULL);
    587. 

  587. 		if(pre_master_len <= 0) {
    588. 

  588. 			goto err;
    589. 

  589. 		}
    590. 

  590. 

  591. 	}
    592. 

  592. 

  593. 	/*Generate master secret */
    594. 

  594. 	
    595. 

  595. 	PRF(f, pre_master_secret, pre_master_len, (uint8_t *) TLS_MD_MASTER_SECRET_CONST, TLS_MD_MASTER_SECRET_CONST_SIZE, f->client_random, SSL3_RANDOM_SIZE, f->server_random, SSL3_RANDOM_SIZE, NULL, 0, f->master_secret, SSL3_MASTER_SECRET_SIZE);
    596. 

  596. 

  597. 	if(f->current_session != NULL){
    598. 

  598. 		memcpy(f->current_session->master_secret, f->master_secret, SSL3_MASTER_SECRET_SIZE);
    599. 

  599. 	}
    600. 

  600. 

  601. #ifdef DEBUG
    602. 

  602. 	fprintf(stdout, "Premaster Secret:\n");
    603. 

  603. 	BIO_dump_fp(stdout, (char *)pre_master_secret, pre_master_len);
    604. 

  604. 	fprintf(stdout, "Client Random:\n");
    605. 

  605. 	BIO_dump_fp(stdout, (char *)f->client_random, SSL3_RANDOM_SIZE);
    606. 

  606. 	fprintf(stdout, "Server Random:\n");
    607. 

  607. 	BIO_dump_fp(stdout, (char *)f->server_random, SSL3_RANDOM_SIZE);
    608. 

  608. 	fprintf(stdout, "Master Secret:\n");
    609. 

  609. 	BIO_dump_fp(stdout, (char *)f->master_secret, SSL3_MASTER_SECRET_SIZE);
    610. 

  610. #endif
    611. 

  611. 

  612. 	//remove pre_master_secret from memory
    613. 

  613. 	memset(pre_master_secret, 0, PRE_MASTER_MAX_LEN);
    614. 

  614. 	ok = 0;
    615. 

  615. 

  616. err:
    617. 

  617. 	if((pub_key != NULL) && (dh_srvr == NULL)){
    618. 

  618. 		BN_free(pub_key);
    619. 

  619. 	}
    620. 

  620. 	if((priv_key != NULL) && (dh_clnt == NULL) && (EC_KEY_get0_private_key(clnt_ecdh) == NULL)){
    621. 

  621. 		BN_free(priv_key);
    622. 

  622. 	}
    623. 

  623. 

  624. 	if(ctx != NULL){
    625. 

  625. 		BN_CTX_free(ctx);
    626. 

  626. 	}
    627. 

  627. 

  628. 	OPENSSL_free(buf);
    629. 

  629. 	free(pre_master_secret);
    630. 

  630. 	if(dh_srvr != NULL){
    631. 

  631. 		DH_free(dh_srvr);
    632. 

  632. 	}
    633. 

  633. 	if(dh_clnt != NULL) {
    634. 

  634. 		DH_free(dh_clnt);
    635. 

  635. 	}
    636. 

  636. 	
    637. 

  637. 	if(order){
    638. 

  638. 		BN_free(order);
    639. 

  639. 	}
    640. 

  640. 	if(clnt_ecdh != NULL){
    641. 

  641. 		EC_KEY_free(clnt_ecdh);
    642. 

  642. 	}
    643. 

  643. 	if(e_pub_key != NULL){
    644. 

  644. 		EC_POINT_free(e_pub_key);
    645. 

  645. 	}
    646. 

  646. 

  647. 

  648. ///???
    649. 

  649. 	if(priv_key != NULL){
    650. 

  650. 		BN_free(priv_key);
    651. 

  651. 	}
    652. 

  652. 

  653. 	return ok;
    654. 

  654. }
    655. 

  655. 

  656. /** Saves the random none from the server hello message
    657. 

  657.  *
    658. 

  658.  *  Inputs:
    659. 

  659.  *  	f: the tagged flow
    660. 

  660.  *  	hs: a pointer to the beginning of the server hello msg
    661. 

  661.  *  
    662. 

  662.  *  Output:
    663. 

  663.  *  	none
    664. 

  664.  */
    665. 

  665. void extract_server_random(flow *f, uint8_t *hs){
    666. 

  666. 

  667. 	uint8_t *p;
    668. 

  668. 

  669. 	p = hs + HANDSHAKE_HEADER_LEN;
    670. 

  670. 

  671. 	p+=2; //skip version
    672. 

  672. 

  673. 	memcpy(f->server_random, p, SSL3_RANDOM_SIZE);
    674. 

  674. 	p += SSL3_RANDOM_SIZE;
    675. 

  675. 

  676. 	//skip session id
    677. 

  677. 	uint8_t id_len = (uint8_t) p[0];
    678. 

  678. 	p ++;
    679. 

  679. 	p += id_len;
    680. 

  680. 

  681. 	//now extract ciphersuite
    682. 

  682. 	printf("Checking cipher\n");
    683. 

  683. 

  684. 	if(((p[0] <<8) + p[1]) == 0x9E){
    685. 

  685. 

  686. 		printf("USING DHE-RSA-AES128-GCM-SHA256\n");
    687. 

  687. 		f->keyex_alg = 1;
    688. 

  688. 		f->cipher = EVP_aes_128_gcm();
    689. 

  689. 		f->message_digest = EVP_sha256();
    690. 

  690. 		fflush(stdout);
    691. 

  691. 

  692. 	} else if(((p[0] <<8) + p[1]) == 0x9F){
    693. 

  693. 		printf("USING DHE-RSA-AES256-GCM-SHA384\n");
    694. 

  694. 		fflush(stdout);
    695. 

  695. 		f->keyex_alg = 1;
    696. 

  696. 		f->cipher = EVP_aes_256_gcm();
    697. 

  697. 		f->message_digest = EVP_sha384();
    698. 

  698. 

  699. 	} else if(((p[0] <<8) + p[1]) == 0xC02F){
    700. 

  700. 		printf("USING ECDHE-RSA-AES128-GCM-SHA256\n");
    701. 

  701. 		fflush(stdout);
    702. 

  702. 		f->keyex_alg = 2;
    703. 

  703. 		f->cipher = EVP_aes_128_gcm();
    704. 

  704. 		f->message_digest = EVP_sha256();
    705. 

  705. 

  706. 	} else if(((p[0] <<8) + p[1]) == 0xC030){
    707. 

  707. 		printf("USING ECDHE-RSA-AES256-GCM-SHA384\n");
    708. 

  708. 		fflush(stdout);
    709. 

  709. 		f->keyex_alg = 2;
    710. 

  710. 		f->cipher = EVP_aes_256_gcm();
    711. 

  711. 		f->message_digest = EVP_sha384();
    712. 

  712. 

  713. 	} else {
    714. 

  714. 		printf("%x %x = %x\n", p[0], p[1], ((p[0] <<8) + p[1]));
    715. 

  715. 		printf("Error: unsupported cipher\n");
    716. 

  716. 		fflush(stdout);
    717. 

  717. 	}
    718. 

  718. 

  719. }
    720. 

  720. 

  721. /** PRF using sha384, as defined in RFC 5246
    722. 

  722.  *  
    723. 

  723.  *  Inputs:
    724. 

  724.  *  	secret: the master secret used to sign the hash
    725. 

  725.  *  	secret_len: the length of the master secret
    726. 

  726.  *  	seed{1, ..., 4}: seed values that are virtually
    727. 

  727.  *  		concatenated
    728. 

  728.  *  	seed{1,...4}_len: length of the seeds
    729. 

  729.  *  	output: a pointer to the output of the PRF
    730. 

  730.  *  	output_len: the number of desired bytes
    731. 

  731.  *
    732. 

  732.  *  Output:
    733. 

  733.  *  	0 on success, 1 on failure
    734. 

  734.  */
    735. 

  735. int PRF(flow *f, uint8_t *secret, int32_t secret_len,
    736. 

  736. 		uint8_t *seed1, int32_t seed1_len,
    737. 

  737. 		uint8_t *seed2, int32_t seed2_len,
    738. 

  738. 		uint8_t *seed3, int32_t seed3_len,
    739. 

  739. 		uint8_t *seed4, int32_t seed4_len,
    740. 

  740. 		uint8_t *output, int32_t output_len){
    741. 

  741. 

  742. 	EVP_MD_CTX ctx, ctx_tmp, ctx_init;
    743. 

  743. 	EVP_PKEY *mac_key;
    744. 

  744. 	const EVP_MD *md = f->message_digest;
    745. 

  745. 

  746. 	uint8_t A[EVP_MAX_MD_SIZE];
    747. 

  747. 	size_t len, A_len;
    748. 

  748. 	int chunk = EVP_MD_size(md);
    749. 

  749. 	int remaining = output_len;
    750. 

  750. 

  751. 	uint8_t *out = output;
    752. 

  752. 

  753. 	EVP_MD_CTX_init(&ctx);
    754. 

  754. 	EVP_MD_CTX_init(&ctx_tmp);
    755. 

  755. 	EVP_MD_CTX_init(&ctx_init);
    756. 

  756. 	EVP_MD_CTX_set_flags(&ctx_init, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
    757. 

  757. 

  758. 	mac_key = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, secret, secret_len);
    759. 

  759. 

  760. 	/* Calculate first A value */
    761. 

  761. 	EVP_DigestSignInit(&ctx_init, NULL, md, NULL, mac_key);
    762. 

  762. 	EVP_MD_CTX_copy_ex(&ctx, &ctx_init);
    763. 

  763. 	if(seed1 != NULL && seed1_len > 0){
    764. 

  764. 		EVP_DigestSignUpdate(&ctx, seed1, seed1_len);
    765. 

  765. 	}
    766. 

  766. 	if(seed2 != NULL && seed2_len > 0){
    767. 

  767. 		EVP_DigestSignUpdate(&ctx, seed2, seed2_len);
    768. 

  768. 	}
    769. 

  769. 	if(seed3 != NULL && seed3_len > 0){
    770. 

  770. 		EVP_DigestSignUpdate(&ctx, seed3, seed3_len);
    771. 

  771. 	}
    772. 

  772. 	if(seed4 != NULL && seed4_len > 0){
    773. 

  773. 		EVP_DigestSignUpdate(&ctx, seed4, seed4_len);
    774. 

  774. 	}
    775. 

  775. 	EVP_DigestSignFinal(&ctx, A, &A_len);
    776. 

  776. 

  777. 	//iterate until desired length is achieved
    778. 

  778. 	while(remaining > 0){
    779. 

  779. 		/* Now compute SHA384(secret, A+seed) */
    780. 

  780. 		EVP_MD_CTX_copy_ex(&ctx, &ctx_init);
    781. 

  781. 		EVP_DigestSignUpdate(&ctx, A, A_len);
    782. 

  782. 		EVP_MD_CTX_copy_ex(&ctx_tmp, &ctx);
    783. 

  783. 		if(seed1 != NULL && seed1_len > 0){
    784. 

  784. 			EVP_DigestSignUpdate(&ctx, seed1, seed1_len);
    785. 

  785. 		}
    786. 

  786. 		if(seed2 != NULL && seed2_len > 0){
    787. 

  787. 			EVP_DigestSignUpdate(&ctx, seed2, seed2_len);
    788. 

  788. 		}
    789. 

  789. 		if(seed3 != NULL && seed3_len > 0){
    790. 

  790. 			EVP_DigestSignUpdate(&ctx, seed3, seed3_len);
    791. 

  791. 		}
    792. 

  792. 		if(seed4 != NULL && seed4_len > 0){
    793. 

  793. 			EVP_DigestSignUpdate(&ctx, seed4, seed4_len);
    794. 

  794. 		}
    795. 

  795. 		
    796. 

  796. 		if(remaining > chunk){
    797. 

  797. 			EVP_DigestSignFinal(&ctx, out, &len);
    798. 

  798. 			out += len;
    799. 

  799. 			remaining -= len;
    800. 

  800. 

  801. 			/* Next A value */
    802. 

  802. 			EVP_DigestSignFinal(&ctx_tmp, A, &A_len);
    803. 

  803. 		} else {
    804. 

  804. 			EVP_DigestSignFinal(&ctx, A, &A_len);
    805. 

  805. 			memcpy(out, A, remaining);
    806. 

  806. 			remaining -= remaining;
    807. 

  807. 		}
    808. 

  808. 	}
    809. 

  809. 

  810. 	EVP_PKEY_free(mac_key);
    811. 

  811. 	EVP_MD_CTX_cleanup(&ctx);
    812. 

  812. 	EVP_MD_CTX_cleanup(&ctx_tmp);
    813. 

  813. 	EVP_MD_CTX_cleanup(&ctx_init);
    814. 

  814. 	OPENSSL_cleanse(A, sizeof(A));
    815. 

  815. 	return 0;
    816. 

  816. }
    817. 

  817. 

  818. /** After receiving change cipher spec, calculate keys from master secret
    819. 

  819.  *  
    820. 

  820.  *  Input:
    821. 

  821.  *  	f: the tagged flow
    822. 

  822.  *
    823. 

  823.  *  Output:
    824. 

  824.  *  	0 on success, 1 on failure
    825. 

  825.  */
    826. 

  826. int init_ciphers(flow *f){
    827. 

  827. 

  828. 	EVP_CIPHER_CTX *r_ctx;
    829. 

  829. 	EVP_CIPHER_CTX *w_ctx;
    830. 

  830. 	EVP_CIPHER_CTX *w_ctx_srvr;
    831. 

  831. 	EVP_CIPHER_CTX *r_ctx_srvr;
    832. 

  832. 	const EVP_CIPHER *c = f->cipher;
    833. 

  833. 

  834. 	/* Generate Keys */
    835. 

  835. 	uint8_t *write_key, *write_iv;
    836. 

  836. 	uint8_t *read_key, *read_iv;
    837. 

  837. 	int32_t mac_len, key_len, iv_len;
    838. 

  838. 

  839. 	key_len = EVP_CIPHER_key_length(c);
    840. 

  840. 	iv_len = EVP_CIPHER_iv_length(c); //EVP_GCM_TLS_FIXED_IV_LEN;
    841. 

  841. 	mac_len = EVP_MD_size(f->message_digest);
    842. 

  842. 	int32_t total_len = key_len + iv_len + mac_len;
    843. 

  843. 	total_len *= 2;
    844. 

  844. 	uint8_t *key_block = calloc(1, total_len);
    845. 

  845. 

  846. 	PRF(f, f->master_secret, SSL3_MASTER_SECRET_SIZE,
    847. 

  847. 			(uint8_t *) TLS_MD_KEY_EXPANSION_CONST, TLS_MD_KEY_EXPANSION_CONST_SIZE,
    848. 

  848. 			f->server_random, SSL3_RANDOM_SIZE,
    849. 

  849. 			f->client_random, SSL3_RANDOM_SIZE,
    850. 

  850. 			NULL, 0,
    851. 

  851. 			key_block, total_len);
    852. 

  852. 

  853. #ifdef DEBUG
    854. 

  854. 	printf("master secret: (%x:%d -> %x:%d)\n", f->src_ip.s_addr, f->src_port, f->dst_ip.s_addr, f->dst_port);
    855. 

  855. 	for(int i=0; i< SSL3_MASTER_SECRET_SIZE; i++){
    856. 

  856. 		printf("%02x ", f->master_secret[i]);
    857. 

  857. 	}
    858. 

  858. 	printf("\n");
    859. 

  859. 

  860. 	printf("client random: (%x:%d -> %x:%d)\n", f->src_ip.s_addr, f->src_port, f->dst_ip.s_addr, f->dst_port);
    861. 

  861. 	for(int i=0; i< SSL3_RANDOM_SIZE; i++){
    862. 

  862. 		printf("%02x ", f->client_random[i]);
    863. 

  863. 	}
    864. 

  864. 	printf("\n");
    865. 

  865. 

  866. 	printf("server random: (%x:%d -> %x:%d)\n", f->src_ip.s_addr, f->src_port, f->dst_ip.s_addr, f->dst_port);
    867. 

  867. 	for(int i=0; i< SSL3_RANDOM_SIZE; i++){
    868. 

  868. 		printf("%02x ", f->server_random[i]);
    869. 

  869. 	}
    870. 

  870. 	printf("\n");
    871. 

  871. 

  872. 	printf("keyblock: (%x:%d -> %x:%d)\n", f->src_ip.s_addr, f->src_port, f->dst_ip.s_addr, f->dst_port);
    873. 

  873. 	for(int i=0; i< total_len; i++){
    874. 

  874. 		printf("%02x ", key_block[i]);
    875. 

  875. 	}
    876. 

  876. 	printf("\n");
    877. 

  877. #endif
    878. 

  878. 

  879. 	iv_len = EVP_GCM_TLS_FIXED_IV_LEN;
    880. 

  880. 	
    881. 

  881. 	write_key = key_block;
    882. 

  882. 	read_key = key_block + key_len;
    883. 

  883. 	write_iv = key_block + 2*key_len;
    884. 

  884. 	read_iv = key_block + 2*key_len + iv_len;
    885. 

  885. 

  886. 	/* Initialize Cipher Contexts */
    887. 

  887. 	r_ctx = EVP_CIPHER_CTX_new();
    888. 

  888. 	w_ctx = EVP_CIPHER_CTX_new();
    889. 

  889. 	EVP_CIPHER_CTX_init(r_ctx);
    890. 

  890. 	EVP_CIPHER_CTX_init(w_ctx);
    891. 

  891. 	w_ctx_srvr = EVP_CIPHER_CTX_new();
    892. 

  892. 	r_ctx_srvr = EVP_CIPHER_CTX_new();
    893. 

  893. 	EVP_CIPHER_CTX_init(w_ctx_srvr);
    894. 

  894. 	EVP_CIPHER_CTX_init(r_ctx_srvr);
    895. 

  895. 	
    896. 

  896. 	/* Initialize MACs --- not needed for aes_256_gcm
    897. 

  897. 	write_mac = key_block + 2*key_len + 2*iv_len;
    898. 

  898. 	read_mac = key_block + 2*key_len + 2*iv_len + mac_len;
    899. 

  899. 	read_mac_ctx = EVP_MD_CTX_create();
    900. 

  900. 	write_mac_ctx = EVP_MD_CTX_create();
    901. 

  901. 	read_mac_key =EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, read_mac, mac_len);
    902. 

  902. 	write_mac_key =EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, write_mac, mac_len);
    903. 

  903. 	EVP_DigestSignInit(read_mac_ctx, NULL, EVP_sha384(), NULL, read_mac_key);
    904. 

  904. 	EVP_DigestSignInit(write_mac_ctx, NULL, EVP_sha384(), NULL, write_mac_key);
    905. 

  905. 	EVP_PKEY_free(read_mac_key);
    906. 

  906. 	EVP_PKEY_free(write_mac_key);*/
    907. 

  907. 

  908. 

  909. #ifdef DEBUG
    910. 

  910.     {
    911. 

  911.         int i;
    912. 

  912.         fprintf(stderr, "EVP_CipherInit_ex(r_ctx,c,key=,iv=,which)\n");
    913. 

  913.         fprintf(stderr, "\tkey= ");
    914. 

  914.         for (i = 0; i < c->key_len; i++)
    915. 

  915.             fprintf(stderr, "%02x", read_key[i]);
    916. 

  916.         fprintf(stderr, "\n");
    917. 

  917.         fprintf(stderr, "\t iv= ");
    918. 

  918.         for (i = 0; i < c->iv_len; i++)
    919. 

  919.             fprintf(stderr, "%02x", read_iv[i]);
    920. 

  920.         fprintf(stderr, "\n");
    921. 

  921.     }
    922. 

  922.     
    923. 

  923. 	{
    924. 

  924.         int i;
    925. 

  925.         fprintf(stderr, "EVP_CipherInit_ex(w_ctx,c,key=,iv=,which)\n");
    926. 

  926.         fprintf(stderr, "\tkey= ");
    927. 

  927.         for (i = 0; i < c->key_len; i++)
    928. 

  928.             fprintf(stderr, "%02x", write_key[i]);
    929. 

  929.         fprintf(stderr, "\n");
    930. 

  930.         fprintf(stderr, "\t iv= ");
    931. 

  931.         for (i = 0; i < c->iv_len; i++)
    932. 

  932.             fprintf(stderr, "%02x", write_iv[i]);
    933. 

  933.         fprintf(stderr, "\n");
    934. 

  934.     }
    935. 

  935. #endif 
    936. 

  936. 

  937. 	if(!EVP_CipherInit_ex(r_ctx, c, NULL, read_key, NULL, 0)){
    938. 

  938. 		printf("FAIL r_ctx\n");
    939. 

  939. 	}
    940. 

  940. 	if(!EVP_CipherInit_ex(w_ctx, c, NULL, write_key, NULL, 1)){
    941. 

  941. 		printf("FAIL w_ctx\n");
    942. 

  942. 	}
    943. 

  943. 	if(!EVP_CipherInit_ex(w_ctx_srvr, c, NULL, read_key, NULL, 1)){
    944. 

  944. 		printf("FAIL w_ctx_srvr\n");
    945. 

  945. 	}
    946. 

  946. 	if(!EVP_CipherInit_ex(r_ctx_srvr, c, NULL, write_key, NULL, 0)){
    947. 

  947. 		printf("FAIL r_ctx_srvr\n");
    948. 

  948. 	}
    949. 

  949. 	EVP_CIPHER_CTX_ctrl(r_ctx, EVP_CTRL_GCM_SET_IV_FIXED, EVP_GCM_TLS_FIXED_IV_LEN, read_iv);
    950. 

  950. 	EVP_CIPHER_CTX_ctrl(w_ctx, EVP_CTRL_GCM_SET_IV_FIXED, EVP_GCM_TLS_FIXED_IV_LEN, write_iv);
    951. 

  951. 	EVP_CIPHER_CTX_ctrl(w_ctx_srvr, EVP_CTRL_GCM_SET_IV_FIXED, EVP_GCM_TLS_FIXED_IV_LEN, read_iv);
    952. 

  952. 	EVP_CIPHER_CTX_ctrl(r_ctx_srvr, EVP_CTRL_GCM_SET_IV_FIXED, EVP_GCM_TLS_FIXED_IV_LEN, write_iv);
    953. 

  953. 

  954. 	f->clnt_read_ctx = r_ctx;
    955. 

  955. 	f->clnt_write_ctx = w_ctx;
    956. 

  956. 	f->srvr_read_ctx = r_ctx_srvr;
    957. 

  957. 	f->srvr_write_ctx = w_ctx_srvr;
    958. 

  958. 

  959. 	free(key_block);
    960. 

  960. 	return 0;
    961. 

  961. }
    962. 

  962. 

  963. // To avoid warnings about MAC paddings, use this to update contexts
    964. 

  964. void update_context(flow *f, uint8_t *input, int32_t len, int32_t incoming, int32_t type, int32_t enc){
    965. 

  965. 

  966. 	uint8_t *output = calloc(1, len+16+8);
    967. 

  967. 	memcpy(output + EVP_GCM_TLS_EXPLICIT_IV_LEN, input, len);
    968. 

  968. 

  969. 	//If the original message was a decryption, this will be an necryption.
    970. 

  970. 	//Incoming field stays the same
    971. 

  971. 	encrypt(f, output, output, len+8, incoming, type, !enc);
    972. 

  972. 

  973. 	//revert the sequence number
    974. 

  974. 	uint8_t *seq = incoming ? f->read_seq : f->write_seq;
    975. 

  975. 	for(int i=7; i>=0; i--){
    976. 

  976. 		--seq[i];
    977. 

  977. 		if(seq[i] >= 0)
    978. 

  978. 			break;
    979. 

  979. 		else
    980. 

  980. 			seq[i] = 0;
    981. 

  981. 	}
    982. 

  982. 

  983. 	free(output);
    984. 

  984. }
    985. 

  985. 

  986. /** Checks a handshake message to see if it is tagged or a
    987. 

  987.  *  recognized flow. If the client random nonce is tagged,
    988. 

  988.  *  adds the flow to the flow table to be tracked.
    989. 

  989.  *
    990. 

  990.  *  Inputs:
    991. 

  991.  *  	info: the processed packet
    992. 

  992.  *  	f: the tagged flow
    993. 

  993.  *
    994. 

  994.  *  Output:
    995. 

  995.  *  	none
    996. 

  996.  */
    997. 

  997. void check_handshake(struct packet_info *info){
    998. 

  998. 

  999. 	FILE *fp;
    1000. 

  1000. 	int res, i, code;
    1001. 

  1001. 	uint8_t *hello_rand;
    1002. 

  1002. 	const struct handshake_header *handshake_hdr;
    1003. 

  1003. 

  1004.     byte privkey[PTWIST_BYTES];
    1005. 

  1005. 	byte key[16];
    1006. 

  1006. 

  1007. 	uint8_t *p = info->app_data + RECORD_HEADER_LEN;
    1008. 

  1008. 	handshake_hdr = (struct handshake_header*) p;
    1009. 

  1009. 

  1010. 	code = handshake_hdr->type;
    1011. 

  1011. 

  1012. 	if (code == 0x01){
    1013. 

  1013. 		p += CLIENT_HELLO_HEADER_LEN;
    1014. 

  1014. 		//now pointing to hello random :D
    1015. 

  1015. 		hello_rand = p;
    1016. 

  1016. 		p += 4; //skipping time bytes
    1017. 

  1017. 		/* Load the private key */
    1018. 

  1018. 		fp = fopen("privkey", "rb");
    1019. 

  1019. 		if (fp == NULL) {
    1020. 

  1020. 			perror("fopen");
    1021. 

  1021. 			exit(1);
    1022. 

  1022. 		}
    1023. 

  1023. 		res = fread(privkey, PTWIST_BYTES, 1, fp);
    1024. 

  1024. 		if (res < 1) {
    1025. 

  1025. 			perror("fread");
    1026. 

  1026. 			exit(1);
    1027. 

  1027. 		}
    1028. 

  1028. 		fclose(fp);
    1029. 

  1029. 

  1030. 		/* check tag*/ 
    1031. 

  1031. 		res = check_tag(key, privkey, p, (const byte *)"context", 7);
    1032. 

  1032. 		if (res) {
    1033. 

  1033. 			printf("Untagged\n");
    1034. 

  1034. 		} else {
    1035. 

  1035. 

  1036. 			printf("Received tagged flow! (key =");
    1037. 

  1037. 			for(i=0; i<16;i++){
    1038. 

  1038. 			    printf(" %02x", key[i]);
    1039. 

  1039. 			}
    1040. 

  1040. 			printf(")\n");
    1041. 

  1041. 

  1042. 			/* Save flow in table */
    1043. 

  1043. 			flow *flow_ptr = add_flow(info);
    1044. 

  1044. 			for(int i=0; i<16; i++){
    1045. 

  1045. 				flow_ptr->key[i] = key[i];
    1046. 

  1046. 			}
    1047. 

  1047. 

  1048. 			memcpy(flow_ptr->client_random, hello_rand, SSL3_RANDOM_SIZE);
    1049. 

  1049. 			for(int i=0; i< SSL3_RANDOM_SIZE; i++){
    1050. 

  1050. 				printf("%02x ", hello_rand[i]);
    1051. 

  1051. 			}
    1052. 

  1052. 			printf("\n");
    1053. 

  1053. 			
    1054. 

  1054. 			printf("Saved new flow\n");
    1055. 

  1055. 

  1056. 		}
    1057. 

  1057. 	}
    1058. 

  1058. }
    1059.