123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335133613371338133913401341134213431344134513461347134813491350135113521353135413551356135713581359136013611362136313641365136613671368136913701371137213731374137513761377137813791380138113821383138413851386138713881389139013911392139313941395139613971398139914001401140214031404140514061407140814091410141114121413141414151416141714181419142014211422142314241425142614271428142914301431143214331434143514361437143814391440144114421443144414451446144714481449145014511452145314541455145614571458145914601461146214631464146514661467146814691470147114721473147414751476147714781479148014811482148314841485148614871488148914901491149214931494149514961497149814991500150115021503150415051506150715081509151015111512151315141515151615171518151915201521152215231524152515261527152815291530153115321533153415351536153715381539154015411542154315441545154615471548154915501551155215531554155515561557155815591560156115621563 |
- /* Name: crypto.c
- * Author: Cecylia Bocovich <cbocovic@uwaterloo.ca>
- *
- * This file contains code for checking tagged flows, processing handshake
- * messages, and computing the master secret for a TLS session.
- *
- * Some code in this document is based on the OpenSSL source files:
- * crypto/ec/ec_key.c
- * crypto/dh/dh_key.c
- * */
- /*
- * Written by Nils Larsch for the OpenSSL project.
- */
- /* ====================================================================
- * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
- /* ====================================================================
- * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
- * Portions originally developed by SUN MICROSYSTEMS, INC., and
- * contributed to the OpenSSL project.
- */
- /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
- #include <stdio.h>
- #include <stdlib.h>
- #include <assert.h>
- #include <string.h>
- #include <openssl/evp.h>
- #include <openssl/dh.h>
- #include <openssl/bn.h>
- #include <openssl/err.h>
- #include <openssl/rand.h>
- #include <openssl/ssl.h>
- #include <openssl/sha.h>
- #include "ptwist.h"
- #include "crypto.h"
- #include "flow.h"
- #include "slitheen.h"
- #include "util.h"
- #include "relay.h"
- #define NID_sect163k1 721
- #define NID_sect163r1 722
- #define NID_sect163r2 723
- #define NID_sect193r1 724
- #define NID_sect193r2 725
- #define NID_sect233k1 726
- #define NID_sect233r1 727
- #define NID_sect239k1 728
- #define NID_sect283k1 729
- #define NID_sect283r1 730
- #define NID_sect409k1 731
- #define NID_sect409r1 732
- #define NID_sect571k1 733
- #define NID_sect571r1 734
- #define NID_secp160k1 708
- #define NID_secp160r1 709
- #define NID_secp160r2 710
- #define NID_secp192k1 711
- #define NID_X9_62_prime192v1 409
- #define NID_secp224k1 712
- #define NID_secp224r1 713
- #define NID_secp256k1 714
- #define NID_X9_62_prime256v1 415
- #define NID_secp384r1 715
- #define NID_secp521r1 716
- #define NID_brainpoolP256r1 927
- #define NID_brainpoolP384r1 931
- #define NID_brainpoolP512r1 933
- static int nid_list[] = {
- NID_sect163k1, /* sect163k1 (1) */
- NID_sect163r1, /* sect163r1 (2) */
- NID_sect163r2, /* sect163r2 (3) */
- NID_sect193r1, /* sect193r1 (4) */
- NID_sect193r2, /* sect193r2 (5) */
- NID_sect233k1, /* sect233k1 (6) */
- NID_sect233r1, /* sect233r1 (7) */
- NID_sect239k1, /* sect239k1 (8) */
- NID_sect283k1, /* sect283k1 (9) */
- NID_sect283r1, /* sect283r1 (10) */
- NID_sect409k1, /* sect409k1 (11) */
- NID_sect409r1, /* sect409r1 (12) */
- NID_sect571k1, /* sect571k1 (13) */
- NID_sect571r1, /* sect571r1 (14) */
- NID_secp160k1, /* secp160k1 (15) */
- NID_secp160r1, /* secp160r1 (16) */
- NID_secp160r2, /* secp160r2 (17) */
- NID_secp192k1, /* secp192k1 (18) */
- NID_X9_62_prime192v1, /* secp192r1 (19) */
- NID_secp224k1, /* secp224k1 (20) */
- NID_secp224r1, /* secp224r1 (21) */
- NID_secp256k1, /* secp256k1 (22) */
- NID_X9_62_prime256v1, /* secp256r1 (23) */
- NID_secp384r1, /* secp384r1 (24) */
- NID_secp521r1, /* secp521r1 (25) */
- NID_brainpoolP256r1, /* brainpoolP256r1 (26) */
- NID_brainpoolP384r1, /* brainpoolP384r1 (27) */
- NID_brainpoolP512r1 /* brainpool512r1 (28) */
- };
- /** Updates the hash of all TLS handshake messages upon the
- * receipt of a new message. This hash is eventually used
- * to verify the TLS Finished message
- *
- * Inputs:
- * f: the tagged flow
- * hs: A pointer to the start of the handshake message
- *
- * Output:
- * 0 on success, 1 on failure
- */
- int update_finish_hash(flow *f, uint8_t *hs){
- //find handshake length
- const struct handshake_header *hs_hdr;
- uint8_t *p = hs;
- hs_hdr = (struct handshake_header*) p;
- uint32_t hs_len = HANDSHAKE_MESSAGE_LEN(hs_hdr);
-
- EVP_DigestUpdate(f->finish_md_ctx, hs, hs_len+4);
- #ifdef DEBUG
- printf("SLITHEEN: adding to finish mac computation:\n");
- for(int i=0; i< hs_len + 4; i++){
- printf("%02x ", hs[i]);
- }
- printf("\n");
- #endif
- return 0;
- }
- /** Extracts the server parameters from the server key
- * exchange message
- *
- * Inputs:
- * f: the tagged flow
- * hs: the beginning of the server key exchange
- * handshake message
- *
- * Output:
- * 0 on success, 1 on failure
- */
- int extract_parameters(flow *f, uint8_t *hs){
- uint8_t *p;
- long i;
- int ok=1;
- p = hs + HANDSHAKE_HEADER_LEN;
- if(f->keyex_alg == 1){
- DH *dh;
- if((dh = DH_new()) == NULL){
- return 1;
- }
- /* Extract prime modulus */
- n2s(p,i);
- if(!(dh->p = BN_bin2bn(p,i,NULL))){
- return 1;
- }
- p += i;
- /* Extract generator */
- n2s(p,i);
- if(!(dh->g = BN_bin2bn(p,i,NULL))){
- return 1;
- }
- p += i;
- /* Extract server public value */
- n2s(p,i);
- if(!(dh->pub_key = BN_bin2bn(p,i,NULL))){
- return 1;
- }
- f->dh = dh;
- } else if (f->keyex_alg == 2){
- EC_KEY *ecdh;
- EC_GROUP *ngroup;
- const EC_GROUP *group;
- BN_CTX *bn_ctx = NULL;
- EC_POINT *srvr_ecpoint = NULL;
- int curve_nid = 0;
- int encoded_pt_len = 0;
- if((ecdh = EC_KEY_new()) == NULL) {
- SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
- goto err;
- }
- if(p[0] != 0x03){//not a named curve
- goto err;
- }
- //int curve_id = (p[1] << 8) + p[2];
- int curve_id = *(p+2);
- if((curve_id < 0) || ((unsigned int)curve_id >
- sizeof(nid_list) / sizeof(nid_list[0]))){
- goto err;
- }
-
- curve_nid = nid_list[curve_id-1];
-
- /* Extract curve
- if(!tls1_check_curve(s, p, 3)) {
- goto err;
- }
- if((*(p+2) < 1) || ((unsigned int) (*(p+2)) > sizeof(nid_list) / sizeof(nid_list[0]))){
- goto err;
- }
- curve_nid = nid_list[*(p+2)];
- */
- ngroup = EC_GROUP_new_by_curve_name(curve_nid);
- if(ngroup == NULL){
- goto err;
- }
- if(EC_KEY_set_group(ecdh, ngroup) == 0){
- goto err;
- }
- EC_GROUP_free(ngroup);
- group = EC_KEY_get0_group(ecdh);
- p += 3;
- /* Get EC point */
- if (((srvr_ecpoint = EC_POINT_new(group)) == NULL) ||
- ((bn_ctx = BN_CTX_new()) == NULL)) {
- goto err;
- }
- encoded_pt_len = *p;
- p += 1;
- if(EC_POINT_oct2point(group, srvr_ecpoint, p, encoded_pt_len,
- bn_ctx) == 0){
- goto err;
- }
- p += encoded_pt_len;
- EC_KEY_set_public_key(ecdh, srvr_ecpoint);
- f->ecdh = ecdh;
- ecdh = NULL;
- BN_CTX_free(bn_ctx);
- bn_ctx = NULL;
- EC_POINT_free(srvr_ecpoint);
- srvr_ecpoint = NULL;
- ok=0;
-
- err:
- if(bn_ctx != NULL){
- BN_CTX_free(bn_ctx);
- }
- if(srvr_ecpoint != NULL){
- EC_POINT_free(srvr_ecpoint);
- }
- if(ecdh != NULL){
- EC_KEY_free(ecdh);
- }
- }
- return ok;
- }
- /* Encrypt/Decrypt a TLS record
- *
- * Inputs:
- * f: the tagged flow
- * input: a pointer to the data that is to be encrypted/
- * decrypted
- * output: a pointer to where the data should be written
- * after it is encrypted or decrypted
- * len: the length of the data
- * incoming: the direction of the record
- * type: the type of the TLS record
- * enc: 1 for encryption, 0 for decryption
- * re: 1 if this is a re-encryption (counters are reset), 0 otherwise
- * Note: is only checked during encryption
- *
- * Output:
- * length of the output data
- */
- int encrypt(flow *f, uint8_t *input, uint8_t *output, int32_t len, int32_t incoming, int32_t type, int32_t enc, uint8_t re){
- uint8_t *p = input;
-
- EVP_CIPHER_CTX *ds = (incoming) ? ((enc) ? f->srvr_write_ctx : f->clnt_read_ctx) : ((enc) ? f->clnt_write_ctx : f->srvr_read_ctx);
- if(ds == NULL){
- printf("FAIL\n");
- return 1;
- }
- uint8_t *seq;
- seq = (incoming) ? f->read_seq : f->write_seq;
- if(enc && re){
- for(int i=7; i>=0; i--){
- --seq[i];
- if(seq[i] != 0xff)
- break;
- }
- }
- if(f->application && (ds->iv[EVP_GCM_TLS_FIXED_IV_LEN] == 0)){
- //fill in rest of iv
- for(int i = EVP_GCM_TLS_FIXED_IV_LEN; i< ds->cipher->iv_len; i++){
- ds->iv[i] = p[i- EVP_GCM_TLS_FIXED_IV_LEN];
- }
- }
- #ifdef DEBUG
- printf("\t\tiv: ");
- for(int i=0; i<ds->cipher->iv_len; i++){
- printf("%02X ", ds->iv[i]);
- }
- printf("\n");
- #endif
- uint8_t buf[13];
- memcpy(buf, seq, 8);
- for(int i=7; i>=0; i--){
- ++seq[i];
- if(seq[i] != 0)
- break;
- }
-
- buf[8] = type;
- buf[9] = 0x03;
- buf[10] = 0x03;
- buf[11] = len >> 8; //len >> 8;
- buf[12] = len & 0xff;//len *0xff;
- int32_t pad = EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_AEAD_TLS1_AAD,
- 13, buf); // = int32_t pad?
- if(enc)
- len += pad;
- int32_t n = EVP_Cipher(ds, p, p, len); //decrypt in place
- if(n<0) return 0;
- #ifdef DEBUG
- printf("decrypted data:\n");
- for(int i=0; i< len; i++){
- printf("%02x ", p[EVP_GCM_TLS_EXPLICIT_IV_LEN+i]);
- }
- printf("\n");
- #endif
- if(!enc)
- p[EVP_GCM_TLS_EXPLICIT_IV_LEN+n] = '\0';
- return n;
- }
- /** Verifies the hash in a TLS finished message
- *
- * Adds string derived from the client-relay shared secret to the finished hash.
- * This feature detects and prevents suspicious behaviour in the event of a MiTM
- * or RAD attack.
- *
- * Inputs:
- * f: the tagged flow
- * p: a pointer to the TLS Finished handshake message
- * incoming: the direction of the flow
- *
- * Output:
- * 0 on success, 1 on failure
- */
- int verify_finish_hash(flow *f, uint8_t *hs, int32_t incoming){
- EVP_MD_CTX ctx;
- uint8_t hash[EVP_MAX_MD_SIZE];
- uint32_t hash_len;
- uint8_t *p = hs;
- EVP_MD_CTX_init(&ctx);
-
- //get header length
- struct handshake_header *hs_hdr;
- hs_hdr = (struct handshake_header*) p;
- uint32_t fin_length = HANDSHAKE_MESSAGE_LEN(hs_hdr);
- //save old finished to update finished mac hash
- uint8_t *old_finished = emalloc(fin_length+ HANDSHAKE_HEADER_LEN);
- memcpy(old_finished, p, fin_length+HANDSHAKE_HEADER_LEN);
-
- p += HANDSHAKE_HEADER_LEN;
- //finalize hash of handshake msgs (have not yet added this one)
- EVP_MD_CTX_copy_ex(&ctx, f->finish_md_ctx);
- EVP_DigestFinal_ex(&ctx, hash, &hash_len);
- //now use pseudorandom function
- uint8_t *output = ecalloc(1, fin_length);
- if(incoming){
- PRF(f, f->master_secret, SSL3_MASTER_SECRET_SIZE, (uint8_t *) TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE , hash, hash_len, NULL, 0, NULL, 0, output, fin_length);
- } else {
- PRF(f, f->master_secret, SSL3_MASTER_SECRET_SIZE, (uint8_t *) TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE , hash, hash_len, NULL, 0, NULL, 0, output, fin_length);
- }
- //now compare
- if(CRYPTO_memcmp(p, output, fin_length) != 0){
- printf("VERIFY FAILED\n");
- goto err;
- }
- #ifdef DEBUG_HS
- printf("Old finished:\n");
- for(int i=0; i< fin_length; i++){
- printf("%02x ", p[i]);
- }
- printf("\n");
- #endif
- //now add extra input seeded with client-relay shared secret
- if(incoming){
- uint32_t extra_input_len = SSL3_RANDOM_SIZE;
- uint8_t *extra_input = calloc(1, extra_input_len);
- PRF(f, f->key, 16,
- (uint8_t *) SLITHEEN_FINISHED_INPUT_CONST, SLITHEEN_FINISHED_INPUT_CONST_SIZE,
- NULL, 0, NULL, 0, NULL, 0,
- extra_input, extra_input_len);
- #ifdef DEBUG_HS
- printf("Extra input:\n");
- for(int i=0; i< extra_input_len; i++){
- printf("%02x ", extra_input[i]);
- }
- printf("\n");
- #endif
- EVP_MD_CTX_copy_ex(&ctx, f->finish_md_ctx);
- EVP_DigestUpdate(&ctx, extra_input, extra_input_len);
- EVP_DigestFinal_ex(&ctx, hash, &hash_len);
- PRF(f, f->master_secret, SSL3_MASTER_SECRET_SIZE,
- (uint8_t *) TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE ,
- hash, hash_len, NULL, 0, NULL, 0,
- output, fin_length);
- //replace existing MAC with modified one
- memcpy(p, output, fin_length);
- #ifdef DEBUG_HS
- printf("New finished:\n");
- for(int i=0; i< fin_length; i++){
- printf("%02x ", p[i]);
- }
- printf("\n");
- #endif
- free(extra_input);
- }
- if(update_finish_hash(f, old_finished)){
- fprintf(stderr, "Error updating finish hash with FINISHED msg\n");
- goto err;
- }
- free(old_finished);
- free(output);
- EVP_MD_CTX_cleanup(&ctx);
- return 0;
- err:
- if(output != NULL)
- free(output);
- if(old_finished != NULL)
- free(old_finished);
- EVP_MD_CTX_cleanup(&ctx);
- return 1;
- }
- /** Computes the TLS master secret from the decoy server's
- * public key parameters and the leaked secret from the
- * extracted Slitheen tag
- *
- * Input:
- * f: the tagged flow
- *
- * Output:
- * 0 on success, 1 on failure
- */
- int compute_master_secret(flow *f){
- #ifdef DEBUG_HS
- printf("Computing master secret (%x:%d -> %x:%d)...\n", f->src_ip.s_addr, f->src_port, f->dst_ip.s_addr, f->dst_port);
- #endif
- DH *dh_srvr = NULL;
- DH *dh_clnt = NULL;
- BN_CTX *ctx = NULL;
- BIGNUM *pub_key = NULL, *priv_key = NULL, *order = NULL;
- EC_KEY *clnt_ecdh = NULL;
- EC_POINT *e_pub_key = NULL;
- int ok =1;
- uint8_t *pre_master_secret = ecalloc(1, PRE_MASTER_MAX_LEN);
- int32_t pre_master_len;
- uint32_t l;
- int32_t bytes;
- uint8_t *buf = NULL;
- if(f->keyex_alg == 1){
- BN_MONT_CTX *mont = NULL;
- ctx = BN_CTX_new();
- dh_srvr = f->dh;
- dh_clnt = DHparams_dup(dh_srvr);
- l = dh_clnt->length ? dh_clnt->length : BN_num_bits(dh_clnt->p) - 1;
- bytes = (l+7) / 8;
- buf = (uint8_t *)OPENSSL_malloc(bytes);
- if (buf == NULL){
- BNerr(BN_F_BNRAND, ERR_R_MALLOC_FAILURE);
- goto err;
- }
- pub_key = BN_new();
- priv_key = BN_new();
- #ifdef DEBUG
- printf("key =");
- for(int i=0; i< 16; i++)
- printf(" %02x", f->key[i]);
- printf("\n");
- #endif
- PRF(f, f->key, 16,
- (uint8_t *) SLITHEEN_KEYGEN_CONST, SLITHEEN_KEYGEN_CONST_SIZE,
- NULL, 0, NULL, 0, NULL, 0,
- buf, bytes);
- #ifdef DEBUG
- printf("Generated the following rand bytes: ");
- for(int i=0; i< bytes; i++){
- printf(" %02x ", buf[i]);
- }
- printf("\n");
- #endif
- if (!BN_bin2bn(buf, bytes, priv_key))
- goto err;
- {
- BIGNUM *prk;
- prk = priv_key;
- if (!dh_clnt->meth->bn_mod_exp(dh_clnt, pub_key, dh_clnt->g, prk, dh_clnt->p, ctx, mont)){
- goto err;
- }
- }
- dh_clnt->pub_key = pub_key;
- dh_clnt->priv_key = priv_key;
- pre_master_len = DH_compute_key(pre_master_secret, dh_srvr->pub_key, dh_clnt);
-
- } else if(f->keyex_alg == 2){
- const EC_GROUP *srvr_group = NULL;
- const EC_POINT *srvr_ecpoint = NULL;
- EC_KEY *tkey;
- tkey = f->ecdh;
- if(tkey == NULL){
- return 1;
- }
- srvr_group = EC_KEY_get0_group(tkey);
- srvr_ecpoint = EC_KEY_get0_public_key(tkey);
- if((srvr_group == NULL) || (srvr_ecpoint == NULL)) {
- return 1;
- }
- if((clnt_ecdh = EC_KEY_new()) == NULL) {
- goto err;
- }
- if(!EC_KEY_set_group(clnt_ecdh, srvr_group)) {
- goto err;
- }
- /* Now generate key from tag */
-
- if((order = BN_new()) == NULL){
- goto err;
- }
- if((ctx = BN_CTX_new()) == NULL){
- goto err;
- }
- if((priv_key = BN_new()) == NULL){
- goto err;
- }
- if(!EC_GROUP_get_order(srvr_group, order, ctx)){
- goto err;
- }
- l = BN_num_bits(order)-1;
- bytes = (l+7)/8;
- buf = (unsigned char *)OPENSSL_malloc(bytes);
- if(buf == NULL){
- goto err;
- }
- PRF(f, f->key, 16, (uint8_t *) SLITHEEN_KEYGEN_CONST, SLITHEEN_KEYGEN_CONST_SIZE,
- NULL, 0, NULL, 0, NULL, 0, buf, bytes);
- #ifdef DEBUG
- printf("Generated the following rand bytes: ");
- for(int i=0; i< bytes; i++){
- printf("%02x ", buf[i]);
- }
- printf("\n");
- #endif
-
- if(!BN_bin2bn(buf, bytes, priv_key)){
- goto err;
- }
- if((e_pub_key = EC_POINT_new(srvr_group)) == NULL){
- goto err;
- }
- if(!EC_POINT_mul(EC_KEY_get0_group(clnt_ecdh), e_pub_key, priv_key, NULL, NULL, ctx)){
- goto err;
- }
- EC_KEY_set_private_key(clnt_ecdh, priv_key);
- EC_KEY_set_public_key(clnt_ecdh, e_pub_key);
- /*Compute the master secret */
- int32_t field_size = EC_GROUP_get_degree(srvr_group);
- if(field_size <= 0){
- goto err;
- }
- pre_master_len = ECDH_compute_key(pre_master_secret, (field_size + 7) / 8,
- srvr_ecpoint, clnt_ecdh, NULL);
- if(pre_master_len <= 0) {
- goto err;
- }
- }
- /*Generate master secret */
-
- PRF(f, pre_master_secret, pre_master_len, (uint8_t *) TLS_MD_MASTER_SECRET_CONST, TLS_MD_MASTER_SECRET_CONST_SIZE, f->client_random, SSL3_RANDOM_SIZE, f->server_random, SSL3_RANDOM_SIZE, NULL, 0, f->master_secret, SSL3_MASTER_SECRET_SIZE);
- if(f->current_session != NULL){
- memcpy(f->current_session->master_secret, f->master_secret, SSL3_MASTER_SECRET_SIZE);
- }
- #ifdef DEBUG
- fprintf(stdout, "Premaster Secret:\n");
- BIO_dump_fp(stdout, (char *)pre_master_secret, pre_master_len);
- fprintf(stdout, "Client Random:\n");
- BIO_dump_fp(stdout, (char *)f->client_random, SSL3_RANDOM_SIZE);
- fprintf(stdout, "Server Random:\n");
- BIO_dump_fp(stdout, (char *)f->server_random, SSL3_RANDOM_SIZE);
- fprintf(stdout, "Master Secret:\n");
- BIO_dump_fp(stdout, (char *)f->master_secret, SSL3_MASTER_SECRET_SIZE);
- #endif
- //remove pre_master_secret from memory
- memset(pre_master_secret, 0, PRE_MASTER_MAX_LEN);
- ok = 0;
- err:
- if((pub_key != NULL) && (dh_srvr == NULL)){
- BN_free(pub_key);
- }
- if((priv_key != NULL) && ((dh_clnt == NULL) || (EC_KEY_get0_private_key(clnt_ecdh) == NULL))){
- BN_free(priv_key);
- }
- if(ctx != NULL){
- BN_CTX_free(ctx);
- }
- OPENSSL_free(buf);
- free(pre_master_secret);
- if(dh_srvr != NULL){
- DH_free(dh_srvr);
- }
- if(dh_clnt != NULL) {
- DH_free(dh_clnt);
- }
-
- if(order){
- BN_free(order);
- }
- if(clnt_ecdh != NULL){
- EC_KEY_free(clnt_ecdh);
- }
- if(e_pub_key != NULL){
- EC_POINT_free(e_pub_key);
- }
- return ok;
- }
- /** Saves the random none from the server hello message
- *
- * Inputs:
- * f: the tagged flow
- * hs: a pointer to the beginning of the server hello msg
- *
- * Output:
- * 0 on success, 1 on failure
- */
- int extract_server_random(flow *f, uint8_t *hs){
- uint8_t *p;
- p = hs + HANDSHAKE_HEADER_LEN;
- p+=2; //skip version
- memcpy(f->server_random, p, SSL3_RANDOM_SIZE);
- p += SSL3_RANDOM_SIZE;
- //skip session id
- uint8_t id_len = (uint8_t) p[0];
- p ++;
- p += id_len;
- //now extract ciphersuite
- #ifdef DEBUG_HS
- printf("Checking cipher\n");
- #endif
- if(((p[0] <<8) + p[1]) == 0x9E){
- #ifdef DEBUG_HS
- printf("USING DHE-RSA-AES128-GCM-SHA256\n");
- fflush(stdout);
- #endif
- f->keyex_alg = 1;
- f->cipher = EVP_aes_128_gcm();
- f->message_digest = EVP_sha256();
- } else if(((p[0] <<8) + p[1]) == 0x9F){
- #ifdef DEBUG_HS
- printf("USING DHE-RSA-AES256-GCM-SHA384\n");
- fflush(stdout);
- #endif
- f->keyex_alg = 1;
- f->cipher = EVP_aes_256_gcm();
- f->message_digest = EVP_sha384();
- } else if(((p[0] <<8) + p[1]) == 0xC02F){
- #ifdef DEBUG_HS
- printf("USING ECDHE-RSA-AES128-GCM-SHA256\n");
- fflush(stdout);
- #endif
- f->keyex_alg = 2;
- f->cipher = EVP_aes_128_gcm();
- f->message_digest = EVP_sha256();
- } else if(((p[0] <<8) + p[1]) == 0xC030){
- #ifdef DEBUG_HS
- printf("USING ECDHE-RSA-AES256-GCM-SHA384\n");
- fflush(stdout);
- #endif
- f->keyex_alg = 2;
- f->cipher = EVP_aes_256_gcm();
- f->message_digest = EVP_sha384();
- } else {
- printf("%x %x = %x\n", p[0], p[1], ((p[0] <<8) + p[1]));
- printf("Error: unsupported cipher\n");
- fflush(stdout);
- return 1;
- }
- return 0;
- }
- /** PRF using sha384, as defined in RFC 5246
- *
- * Inputs:
- * secret: the master secret used to sign the hash
- * secret_len: the length of the master secret
- * seed{1, ..., 4}: seed values that are virtually
- * concatenated
- * seed{1,...4}_len: length of the seeds
- * output: a pointer to the output of the PRF
- * output_len: the number of desired bytes
- *
- * Output:
- * 0 on success, 1 on failure
- */
- int PRF(flow *f, uint8_t *secret, int32_t secret_len,
- uint8_t *seed1, int32_t seed1_len,
- uint8_t *seed2, int32_t seed2_len,
- uint8_t *seed3, int32_t seed3_len,
- uint8_t *seed4, int32_t seed4_len,
- uint8_t *output, int32_t output_len){
- EVP_MD_CTX ctx, ctx_tmp, ctx_init;
- EVP_PKEY *mac_key;
- const EVP_MD *md;
- if(f == NULL){
- md = EVP_sha256();
- } else {
- md = f->message_digest;
- }
- uint8_t A[EVP_MAX_MD_SIZE];
- size_t len, A_len;
- int chunk = EVP_MD_size(md);
- int remaining = output_len;
- uint8_t *out = output;
- EVP_MD_CTX_init(&ctx);
- EVP_MD_CTX_init(&ctx_tmp);
- EVP_MD_CTX_init(&ctx_init);
- EVP_MD_CTX_set_flags(&ctx_init, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
- mac_key = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, secret, secret_len);
- /* Calculate first A value */
- EVP_DigestSignInit(&ctx_init, NULL, md, NULL, mac_key);
- EVP_MD_CTX_copy_ex(&ctx, &ctx_init);
- if(seed1 != NULL && seed1_len > 0){
- EVP_DigestSignUpdate(&ctx, seed1, seed1_len);
- }
- if(seed2 != NULL && seed2_len > 0){
- EVP_DigestSignUpdate(&ctx, seed2, seed2_len);
- }
- if(seed3 != NULL && seed3_len > 0){
- EVP_DigestSignUpdate(&ctx, seed3, seed3_len);
- }
- if(seed4 != NULL && seed4_len > 0){
- EVP_DigestSignUpdate(&ctx, seed4, seed4_len);
- }
- EVP_DigestSignFinal(&ctx, A, &A_len);
- //iterate until desired length is achieved
- while(remaining > 0){
- /* Now compute SHA384(secret, A+seed) */
- EVP_MD_CTX_copy_ex(&ctx, &ctx_init);
- EVP_DigestSignUpdate(&ctx, A, A_len);
- EVP_MD_CTX_copy_ex(&ctx_tmp, &ctx);
- if(seed1 != NULL && seed1_len > 0){
- EVP_DigestSignUpdate(&ctx, seed1, seed1_len);
- }
- if(seed2 != NULL && seed2_len > 0){
- EVP_DigestSignUpdate(&ctx, seed2, seed2_len);
- }
- if(seed3 != NULL && seed3_len > 0){
- EVP_DigestSignUpdate(&ctx, seed3, seed3_len);
- }
- if(seed4 != NULL && seed4_len > 0){
- EVP_DigestSignUpdate(&ctx, seed4, seed4_len);
- }
-
- if(remaining > chunk){
- EVP_DigestSignFinal(&ctx, out, &len);
- out += len;
- remaining -= len;
- /* Next A value */
- EVP_DigestSignFinal(&ctx_tmp, A, &A_len);
- } else {
- EVP_DigestSignFinal(&ctx, A, &A_len);
- memcpy(out, A, remaining);
- remaining -= remaining;
- }
- }
- EVP_PKEY_free(mac_key);
- EVP_MD_CTX_cleanup(&ctx);
- EVP_MD_CTX_cleanup(&ctx_tmp);
- EVP_MD_CTX_cleanup(&ctx_init);
- OPENSSL_cleanse(A, sizeof(A));
- return 0;
- }
- /** After receiving change cipher spec, calculate keys from master secret
- *
- * Input:
- * f: the tagged flow
- *
- * Output:
- * 0 on success, 1 on failure
- */
- int init_ciphers(flow *f){
- EVP_CIPHER_CTX *r_ctx;
- EVP_CIPHER_CTX *w_ctx;
- EVP_CIPHER_CTX *w_ctx_srvr;
- EVP_CIPHER_CTX *r_ctx_srvr;
- const EVP_CIPHER *c = f->cipher;
- if(c == NULL){
- /*This *shouldn't* happen, but might if a serverHello msg isn't received
- * or if a session is resumed in a strange way */
- return 1;
- }
- /* Generate Keys */
- uint8_t *write_key, *write_iv;
- uint8_t *read_key, *read_iv;
- int32_t mac_len, key_len, iv_len;
- key_len = EVP_CIPHER_key_length(c);
- iv_len = EVP_CIPHER_iv_length(c); //EVP_GCM_TLS_FIXED_IV_LEN;
- mac_len = EVP_MD_size(f->message_digest);
- int32_t total_len = key_len + iv_len + mac_len;
- total_len *= 2;
- uint8_t *key_block = ecalloc(1, total_len);
- PRF(f, f->master_secret, SSL3_MASTER_SECRET_SIZE,
- (uint8_t *) TLS_MD_KEY_EXPANSION_CONST, TLS_MD_KEY_EXPANSION_CONST_SIZE,
- f->server_random, SSL3_RANDOM_SIZE,
- f->client_random, SSL3_RANDOM_SIZE,
- NULL, 0,
- key_block, total_len);
- #ifdef DEBUG
- printf("master secret: (%x:%d -> %x:%d)\n", f->src_ip.s_addr, f->src_port, f->dst_ip.s_addr, f->dst_port);
- for(int i=0; i< SSL3_MASTER_SECRET_SIZE; i++){
- printf("%02x ", f->master_secret[i]);
- }
- printf("\n");
- printf("client random: (%x:%d -> %x:%d)\n", f->src_ip.s_addr, f->src_port, f->dst_ip.s_addr, f->dst_port);
- for(int i=0; i< SSL3_RANDOM_SIZE; i++){
- printf("%02x ", f->client_random[i]);
- }
- printf("\n");
- printf("server random: (%x:%d -> %x:%d)\n", f->src_ip.s_addr, f->src_port, f->dst_ip.s_addr, f->dst_port);
- for(int i=0; i< SSL3_RANDOM_SIZE; i++){
- printf("%02x ", f->server_random[i]);
- }
- printf("\n");
- printf("keyblock: (%x:%d -> %x:%d)\n", f->src_ip.s_addr, f->src_port, f->dst_ip.s_addr, f->dst_port);
- for(int i=0; i< total_len; i++){
- printf("%02x ", key_block[i]);
- }
- printf("\n");
- #endif
- iv_len = EVP_GCM_TLS_FIXED_IV_LEN;
-
- write_key = key_block;
- read_key = key_block + key_len;
- write_iv = key_block + 2*key_len;
- read_iv = key_block + 2*key_len + iv_len;
- /* Initialize Cipher Contexts */
- r_ctx = EVP_CIPHER_CTX_new();
- w_ctx = EVP_CIPHER_CTX_new();
- EVP_CIPHER_CTX_init(r_ctx);
- EVP_CIPHER_CTX_init(w_ctx);
- w_ctx_srvr = EVP_CIPHER_CTX_new();
- r_ctx_srvr = EVP_CIPHER_CTX_new();
- EVP_CIPHER_CTX_init(w_ctx_srvr);
- EVP_CIPHER_CTX_init(r_ctx_srvr);
-
- /* Initialize MACs --- not needed for aes_256_gcm
- write_mac = key_block + 2*key_len + 2*iv_len;
- read_mac = key_block + 2*key_len + 2*iv_len + mac_len;
- read_mac_ctx = EVP_MD_CTX_create();
- write_mac_ctx = EVP_MD_CTX_create();
- read_mac_key =EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, read_mac, mac_len);
- write_mac_key =EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, write_mac, mac_len);
- EVP_DigestSignInit(read_mac_ctx, NULL, EVP_sha384(), NULL, read_mac_key);
- EVP_DigestSignInit(write_mac_ctx, NULL, EVP_sha384(), NULL, write_mac_key);
- EVP_PKEY_free(read_mac_key);
- EVP_PKEY_free(write_mac_key);*/
- #ifdef DEBUG
- {
- int i;
- fprintf(stderr, "EVP_CipherInit_ex(r_ctx,c,key=,iv=,which)\n");
- fprintf(stderr, "\tkey= ");
- for (i = 0; i < c->key_len; i++)
- fprintf(stderr, "%02x", read_key[i]);
- fprintf(stderr, "\n");
- fprintf(stderr, "\t iv= ");
- for (i = 0; i < c->iv_len; i++)
- fprintf(stderr, "%02x", read_iv[i]);
- fprintf(stderr, "\n");
- }
-
- {
- int i;
- fprintf(stderr, "EVP_CipherInit_ex(w_ctx,c,key=,iv=,which)\n");
- fprintf(stderr, "\tkey= ");
- for (i = 0; i < c->key_len; i++)
- fprintf(stderr, "%02x", write_key[i]);
- fprintf(stderr, "\n");
- fprintf(stderr, "\t iv= ");
- for (i = 0; i < c->iv_len; i++)
- fprintf(stderr, "%02x", write_iv[i]);
- fprintf(stderr, "\n");
- }
- #endif
- if(!EVP_CipherInit_ex(r_ctx, c, NULL, read_key, NULL, 0)){
- printf("FAIL r_ctx\n");
- }
- if(!EVP_CipherInit_ex(w_ctx, c, NULL, write_key, NULL, 1)){
- printf("FAIL w_ctx\n");
- }
- if(!EVP_CipherInit_ex(w_ctx_srvr, c, NULL, read_key, NULL, 1)){
- printf("FAIL w_ctx_srvr\n");
- }
- if(!EVP_CipherInit_ex(r_ctx_srvr, c, NULL, write_key, NULL, 0)){
- printf("FAIL r_ctx_srvr\n");
- }
- EVP_CIPHER_CTX_ctrl(r_ctx, EVP_CTRL_GCM_SET_IV_FIXED, EVP_GCM_TLS_FIXED_IV_LEN, read_iv);
- EVP_CIPHER_CTX_ctrl(w_ctx, EVP_CTRL_GCM_SET_IV_FIXED, EVP_GCM_TLS_FIXED_IV_LEN, write_iv);
- EVP_CIPHER_CTX_ctrl(w_ctx_srvr, EVP_CTRL_GCM_SET_IV_FIXED, EVP_GCM_TLS_FIXED_IV_LEN, read_iv);
- EVP_CIPHER_CTX_ctrl(r_ctx_srvr, EVP_CTRL_GCM_SET_IV_FIXED, EVP_GCM_TLS_FIXED_IV_LEN, write_iv);
- f->clnt_read_ctx = r_ctx;
- f->clnt_write_ctx = w_ctx;
- f->srvr_read_ctx = r_ctx_srvr;
- f->srvr_write_ctx = w_ctx_srvr;
- free(key_block);
- return 0;
- }
- /* Generate the keys for a client's super encryption layer
- *
- * The header of each downstream slitheen data chunk is 16 bytes and encrypted with
- * a 256 bit AES key
- *
- * The body of each downstream chunk is CBC encrypted with a 256 bit AES key
- *
- * The last 16 bytes of the body is a MAC over the body
- *
- */
- void generate_client_super_keys(uint8_t *secret, client *c){
- EVP_MD_CTX *mac_ctx;
- const EVP_MD *md = EVP_sha256();
- FILE *fp;
- //extract shared secret from SLITHEEN_ID
- uint8_t shared_secret[16];
- byte privkey[PTWIST_BYTES];
- fp = fopen("privkey", "rb");
- if (fp == NULL) {
- perror("fopen");
- exit(1);
- }
- if(fread(privkey, PTWIST_BYTES, 1, fp) < 1){
- perror("fread");
- exit(1);
- }
- fclose(fp);
- /* check tag*/
- if(check_tag(shared_secret, privkey, secret, (const byte *)"context", 7)){
- //something went wrong O.o
- printf("Error extracting secret from tag\n");
- return;
- }
- #ifdef DEBUG
- printf("Shared secret: ");
- for(int i=0; i< 16; i++){
- printf("%02x ", shared_secret[i]);
- }
- printf("\n");
- #endif
- /* Generate Keys */
- uint8_t *hdr_key, *bdy_key;
- uint8_t *mac_secret;
- EVP_PKEY *mac_key;
- int32_t mac_len, key_len;
- key_len = EVP_CIPHER_key_length(EVP_aes_256_cbc());
- mac_len = EVP_MD_size(md);
- int32_t total_len = 2*key_len + mac_len;
- uint8_t *key_block = ecalloc(1, total_len);
- PRF(NULL, shared_secret, SLITHEEN_SUPER_SECRET_SIZE,
- (uint8_t *) SLITHEEN_SUPER_CONST, SLITHEEN_SUPER_CONST_SIZE,
- NULL, 0,
- NULL, 0,
- NULL, 0,
- key_block, total_len);
- #ifdef DEBUG
- printf("slitheend id: \n");
- for(int i=0; i< SLITHEEN_ID_LEN; i++){
- printf("%02x ", secret[i]);
- }
- printf("\n");
- printf("keyblock: \n");
- for(int i=0; i< total_len; i++){
- printf("%02x ", key_block[i]);
- }
- printf("\n");
- #endif
- hdr_key = key_block;
- bdy_key = key_block + key_len;
- mac_secret = key_block + 2*key_len;
- /* Initialize MAC Context */
- mac_ctx = EVP_MD_CTX_create();
-
- EVP_DigestInit_ex(mac_ctx, md, NULL);
- mac_key = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, mac_secret, mac_len);
- EVP_DigestSignInit(mac_ctx, NULL, md, NULL, mac_key);
- c->header_key = emalloc(key_len);
- c->body_key = emalloc(key_len);
- memcpy(c->header_key, hdr_key, key_len);
- memcpy(c->body_key, bdy_key, key_len);
- c->mac_ctx = mac_ctx;
- //Free everything
- free(key_block);
- EVP_PKEY_free(mac_key);
- return;
- }
- int super_encrypt(client *c, uint8_t *data, uint32_t len){
- int retval = 1;
- EVP_CIPHER_CTX *hdr_ctx = NULL;
- EVP_CIPHER_CTX *bdy_ctx = NULL;
-
- int32_t out_len;
- size_t mac_len;
- uint8_t *p = data;
- uint8_t output[EVP_MAX_MD_SIZE];
- //first encrypt the header
- #ifdef DEBUG
- printf("Plaintext Header:\n");
- for(int i=0; i< SLITHEEN_HEADER_LEN; i++){
- printf("%02x ", p[i]);
- }
- printf("\n");
- #endif
- hdr_ctx = EVP_CIPHER_CTX_new();
- EVP_CipherInit_ex(hdr_ctx, EVP_aes_256_cbc(), NULL, c->header_key, NULL, 1);
-
- if(!EVP_CipherUpdate(hdr_ctx, p, &out_len, p, SLITHEEN_HEADER_LEN)){
- printf("Failed!\n");
- retval = 0;
- goto end;
- }
- #ifdef DEBUG
- printf("Encrypted Header (%d bytes)\n", out_len);
- for(int i=0; i< out_len; i++){
- printf("%02x ", p[i]);
- }
- printf("\n");
- #endif
- if(len == 0){ //only encrypt header: body contains garbage bytes
- retval = 1;
- goto end;
- }
- //encrypt the body
- p += SLITHEEN_HEADER_LEN;
- //generate IV
- RAND_bytes(p, 16);
- //set up cipher ctx
- bdy_ctx = EVP_CIPHER_CTX_new();
- EVP_CipherInit_ex(bdy_ctx, EVP_aes_256_cbc(), NULL, c->body_key, p, 1);
-
- p+= 16;
- #ifdef DEBUG
- printf("Plaintext:\n");
- for(int i=0; i< len; i++){
- printf("%02x ", p[i]);
- }
- printf("\n");
- #endif
- if(!EVP_CipherUpdate(bdy_ctx, p, &out_len, p, len)){
- printf("Failed!\n");
- goto end;
- retval = 0;
- }
- #ifdef DEBUG
- printf("Encrypted %d bytes\n", out_len);
- printf("Encrypted data:\n");
- for(int i=0; i< out_len; i++){
- printf("%02x ", p[i]);
- }
- printf("\n");
- #endif
-
- //MAC at the end
- EVP_MD_CTX mac_ctx;
- EVP_MD_CTX_init(&mac_ctx);
- EVP_MD_CTX_copy_ex(&mac_ctx, c->mac_ctx);
- EVP_DigestSignUpdate(&mac_ctx, p, out_len);
- EVP_DigestSignFinal(&mac_ctx, output, &mac_len);
- EVP_MD_CTX_cleanup(&mac_ctx);
- p += out_len;
- memcpy(p, output, 16);
- #ifdef DEBUG_PARSE
- printf("Computed mac:\n");
- for(int i=0; i< 16; i++){
- printf("%02x ", output[i]);
- }
- printf("\n");
- fflush(stdout);
- #endif
- end:
- if(hdr_ctx != NULL){
- EVP_CIPHER_CTX_cleanup(hdr_ctx);
- OPENSSL_free(hdr_ctx);
- }
- if(bdy_ctx != NULL){
- EVP_CIPHER_CTX_cleanup(bdy_ctx);
- OPENSSL_free(bdy_ctx);
- }
- return retval;
- }
- /** Checks a handshake message to see if it is tagged or a
- * recognized flow. If the client random nonce is tagged,
- * adds the flow to the flow table to be tracked.
- *
- * Inputs:
- * info: the processed packet
- * f: the tagged flow
- *
- * Output:
- * none
- */
- void check_handshake(struct packet_info *info){
- FILE *fp;
- int res, code;
- uint8_t *hello_rand;
- const struct handshake_header *handshake_hdr;
- byte privkey[PTWIST_BYTES];
- byte key[16];
- uint8_t *p = info->app_data + RECORD_HEADER_LEN;
- handshake_hdr = (struct handshake_header*) p;
- code = handshake_hdr->type;
- if (code == 0x01){
- p += CLIENT_HELLO_HEADER_LEN;
- //now pointing to hello random :D
- hello_rand = p;
- p += 4; //skipping time bytes
- /* Load the private key */
- fp = fopen("privkey", "rb");
- if (fp == NULL) {
- perror("fopen");
- exit(1);
- }
- res = fread(privkey, PTWIST_BYTES, 1, fp);
- if (res < 1) {
- perror("fread");
- exit(1);
- }
- fclose(fp);
- /* check tag*/
- res = check_tag(key, privkey, p, (const byte *)"context", 7);
- if (!res) {
- #ifdef DEBUG
- printf("Received tagged flow! (key =");
- for(i=0; i<16;i++){
- printf(" %02x", key[i]);
- }
- printf(")\n");
- #endif
- /* If flow is not in table, save it */
- flow *flow_ptr = check_flow(info);
- if(flow_ptr == NULL){
- flow_ptr = add_flow(info);
- if(flow_ptr == NULL){
- fprintf(stderr, "Memory failure\n");
- return;
- }
- for(int i=0; i<16; i++){
- flow_ptr->key[i] = key[i];
- }
- memcpy(flow_ptr->client_random, hello_rand, SSL3_RANDOM_SIZE);
- #ifdef DEBUG
- for(int i=0; i< SSL3_RANDOM_SIZE; i++){
- printf("%02x ", hello_rand[i]);
- }
- printf("\n");
-
- printf("Saved new flow\n");
- #endif
- flow_ptr->ref_ctr--;
- } else { /* else update saved flow with new key and random nonce */
- for(int i=0; i<16; i++){
- flow_ptr->key[i] = key[i];
- }
- memcpy(flow_ptr->client_random, hello_rand, SSL3_RANDOM_SIZE);
- flow_ptr->ref_ctr--;
- }
- }
- }
- }
- /* Check the given tag with the given context and private key. Return 0
- if the tag is properly formed, non-0 if not. If the tag is correct,
- set key to the resulting secret key. */
- int check_tag(byte key[16], const byte privkey[PTWIST_BYTES],
- const byte tag[PTWIST_TAG_BYTES], const byte *context,
- size_t context_len)
- {
- int ret = -1;
- byte sharedsec[PTWIST_BYTES+context_len];
- byte taghashout[32];
- #if PTWIST_PUZZLE_STRENGTH > 0
- byte hashout[32];
- size_t puzzle_len = 16+PTWIST_RESP_BYTES;
- byte value_to_hash[puzzle_len];
- unsigned int firstbits;
- int firstpass = 0;
- #endif
- /* Compute the shared secret privkey*TAG */
- ptwist_pointmul(sharedsec, tag, privkey);
- /* Create the hash tag keys */
- memmove(sharedsec+PTWIST_BYTES, context, context_len);
- SHA256(sharedsec, PTWIST_BYTES, taghashout);
- #if PTWIST_PUZZLE_STRENGTH > 0
- /* Construct the proposed solution to the puzzle */
- memmove(value_to_hash, taghashout, 16);
- memmove(value_to_hash+16, tag+PTWIST_BYTES, PTWIST_RESP_BYTES);
- value_to_hash[16+PTWIST_RESP_BYTES-1] &= PTWIST_RESP_MASK;
- /* Hash the proposed solution and see if it is correct; that is, the
- * hash should start with PTWIST_PUZZLE_STRENGTH bits of 0s,
- * followed by the last PTWIST_HASH_SHOWBITS of the tag. */
- md_map_sh256(hashout, value_to_hash, puzzle_len);
- #if PTWIST_PUZZLE_STRENGTH < 32
- /* This assumes that you're on an architecture that doesn't care
- * about alignment, and is little endian. */
- firstbits = *(unsigned int*)hashout;
- if ((firstbits & PTWIST_PUZZLE_MASK) == 0) {
- firstpass = 1;
- }
- #else
- #error "Code assumes PTWIST_PUZZLE_STRENGTH < 32"
- #endif
- if (firstpass) {
- bn_t Hbn, Tbn;
- bn_new(Hbn);
- bn_new(Tbn);
- hashout[PTWIST_HASH_TOTBYTES-1] &= PTWIST_HASH_MASK;
- bn_read_bin(Hbn, hashout, PTWIST_HASH_TOTBYTES, BN_POS);
- bn_rsh(Hbn, Hbn, PTWIST_PUZZLE_STRENGTH);
- bn_read_bin(Tbn, tag+PTWIST_BYTES, PTWIST_TAG_BYTES-PTWIST_BYTES,
- BN_POS);
- bn_rsh(Tbn, Tbn, PTWIST_RESP_BITS);
- ret = (bn_cmp(Tbn,Hbn) != CMP_EQ);
- bn_free(Hbn);
- bn_free(Tbn);
- }
- #else
- /* We're not using a client puzzle, so just check that the first
- * PTWIST_HASH_SHOWBITS bits of the above hash fill out the rest
- * of the tag. If there's no puzzle, PTWIST_HASH_SHOWBITS must be
- * a multiple of 8. */
- ret = (memcmp(tag+PTWIST_BYTES, taghashout, PTWIST_HASH_SHOWBITS/8) != 0);
- #endif
- if (ret == 0) {
- memmove(key, taghashout+16, 16);
- }
- return ret;
- }
|