crypto.c 40 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335133613371338133913401341134213431344134513461347134813491350135113521353135413551356135713581359136013611362136313641365136613671368136913701371137213731374137513761377137813791380138113821383138413851386138713881389139013911392139313941395139613971398139914001401140214031404140514061407140814091410141114121413141414151416141714181419142014211422142314241425142614271428142914301431143214331434143514361437143814391440144114421443144414451446144714481449145014511452145314541455145614571458145914601461146214631464146514661467146814691470147114721473147414751476147714781479148014811482148314841485148614871488148914901491149214931494149514961497149814991500150115021503150415051506150715081509151015111512151315141515151615171518151915201521152215231524152515261527152815291530153115321533153415351536153715381539154015411542154315441545154615471548154915501551155215531554155515561557155815591560156115621563
  1. /* Name: crypto.c
  2. * Author: Cecylia Bocovich <cbocovic@uwaterloo.ca>
  3. *
  4. * This file contains code for checking tagged flows, processing handshake
  5. * messages, and computing the master secret for a TLS session.
  6. *
  7. * Some code in this document is based on the OpenSSL source files:
  8. * crypto/ec/ec_key.c
  9. * crypto/dh/dh_key.c
  10. * */
  11. /*
  12. * Written by Nils Larsch for the OpenSSL project.
  13. */
  14. /* ====================================================================
  15. * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved.
  16. *
  17. * Redistribution and use in source and binary forms, with or without
  18. * modification, are permitted provided that the following conditions
  19. * are met:
  20. *
  21. * 1. Redistributions of source code must retain the above copyright
  22. * notice, this list of conditions and the following disclaimer.
  23. *
  24. * 2. Redistributions in binary form must reproduce the above copyright
  25. * notice, this list of conditions and the following disclaimer in
  26. * the documentation and/or other materials provided with the
  27. * distribution.
  28. *
  29. * 3. All advertising materials mentioning features or use of this
  30. * software must display the following acknowledgment:
  31. * "This product includes software developed by the OpenSSL Project
  32. * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
  33. *
  34. * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
  35. * endorse or promote products derived from this software without
  36. * prior written permission. For written permission, please contact
  37. * openssl-core@openssl.org.
  38. *
  39. * 5. Products derived from this software may not be called "OpenSSL"
  40. * nor may "OpenSSL" appear in their names without prior written
  41. * permission of the OpenSSL Project.
  42. *
  43. * 6. Redistributions of any form whatsoever must retain the following
  44. * acknowledgment:
  45. * "This product includes software developed by the OpenSSL Project
  46. * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
  47. *
  48. * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
  49. * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  50. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  51. * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
  52. * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  53. * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  54. * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  55. * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  56. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  57. * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  58. * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  59. * OF THE POSSIBILITY OF SUCH DAMAGE.
  60. * ====================================================================
  61. *
  62. * This product includes cryptographic software written by Eric Young
  63. * (eay@cryptsoft.com). This product includes software written by Tim
  64. * Hudson (tjh@cryptsoft.com).
  65. *
  66. */
  67. /* ====================================================================
  68. * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
  69. * Portions originally developed by SUN MICROSYSTEMS, INC., and
  70. * contributed to the OpenSSL project.
  71. */
  72. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  73. * All rights reserved.
  74. *
  75. * This package is an SSL implementation written
  76. * by Eric Young (eay@cryptsoft.com).
  77. * The implementation was written so as to conform with Netscapes SSL.
  78. *
  79. * This library is free for commercial and non-commercial use as long as
  80. * the following conditions are aheared to. The following conditions
  81. * apply to all code found in this distribution, be it the RC4, RSA,
  82. * lhash, DES, etc., code; not just the SSL code. The SSL documentation
  83. * included with this distribution is covered by the same copyright terms
  84. * except that the holder is Tim Hudson (tjh@cryptsoft.com).
  85. *
  86. * Copyright remains Eric Young's, and as such any Copyright notices in
  87. * the code are not to be removed.
  88. * If this package is used in a product, Eric Young should be given attribution
  89. * as the author of the parts of the library used.
  90. * This can be in the form of a textual message at program startup or
  91. * in documentation (online or textual) provided with the package.
  92. *
  93. * Redistribution and use in source and binary forms, with or without
  94. * modification, are permitted provided that the following conditions
  95. * are met:
  96. * 1. Redistributions of source code must retain the copyright
  97. * notice, this list of conditions and the following disclaimer.
  98. * 2. Redistributions in binary form must reproduce the above copyright
  99. * notice, this list of conditions and the following disclaimer in the
  100. * documentation and/or other materials provided with the distribution.
  101. * 3. All advertising materials mentioning features or use of this software
  102. * must display the following acknowledgement:
  103. * "This product includes cryptographic software written by
  104. * Eric Young (eay@cryptsoft.com)"
  105. * The word 'cryptographic' can be left out if the rouines from the library
  106. * being used are not cryptographic related :-).
  107. * 4. If you include any Windows specific code (or a derivative thereof) from
  108. * the apps directory (application code) you must include an acknowledgement:
  109. * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
  110. *
  111. * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
  112. * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  113. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  114. * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  115. * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  116. * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  117. * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  118. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  119. * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  120. * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  121. * SUCH DAMAGE.
  122. *
  123. * The licence and distribution terms for any publically available version or
  124. * derivative of this code cannot be changed. i.e. this code cannot simply be
  125. * copied and put under another distribution licence
  126. * [including the GNU Public Licence.]
  127. */
  128. #include <stdio.h>
  129. #include <stdlib.h>
  130. #include <assert.h>
  131. #include <string.h>
  132. #include <openssl/evp.h>
  133. #include <openssl/dh.h>
  134. #include <openssl/bn.h>
  135. #include <openssl/err.h>
  136. #include <openssl/rand.h>
  137. #include <openssl/ssl.h>
  138. #include <openssl/sha.h>
  139. #include "ptwist.h"
  140. #include "crypto.h"
  141. #include "flow.h"
  142. #include "slitheen.h"
  143. #include "util.h"
  144. #include "relay.h"
  145. #define NID_sect163k1 721
  146. #define NID_sect163r1 722
  147. #define NID_sect163r2 723
  148. #define NID_sect193r1 724
  149. #define NID_sect193r2 725
  150. #define NID_sect233k1 726
  151. #define NID_sect233r1 727
  152. #define NID_sect239k1 728
  153. #define NID_sect283k1 729
  154. #define NID_sect283r1 730
  155. #define NID_sect409k1 731
  156. #define NID_sect409r1 732
  157. #define NID_sect571k1 733
  158. #define NID_sect571r1 734
  159. #define NID_secp160k1 708
  160. #define NID_secp160r1 709
  161. #define NID_secp160r2 710
  162. #define NID_secp192k1 711
  163. #define NID_X9_62_prime192v1 409
  164. #define NID_secp224k1 712
  165. #define NID_secp224r1 713
  166. #define NID_secp256k1 714
  167. #define NID_X9_62_prime256v1 415
  168. #define NID_secp384r1 715
  169. #define NID_secp521r1 716
  170. #define NID_brainpoolP256r1 927
  171. #define NID_brainpoolP384r1 931
  172. #define NID_brainpoolP512r1 933
  173. static int nid_list[] = {
  174. NID_sect163k1, /* sect163k1 (1) */
  175. NID_sect163r1, /* sect163r1 (2) */
  176. NID_sect163r2, /* sect163r2 (3) */
  177. NID_sect193r1, /* sect193r1 (4) */
  178. NID_sect193r2, /* sect193r2 (5) */
  179. NID_sect233k1, /* sect233k1 (6) */
  180. NID_sect233r1, /* sect233r1 (7) */
  181. NID_sect239k1, /* sect239k1 (8) */
  182. NID_sect283k1, /* sect283k1 (9) */
  183. NID_sect283r1, /* sect283r1 (10) */
  184. NID_sect409k1, /* sect409k1 (11) */
  185. NID_sect409r1, /* sect409r1 (12) */
  186. NID_sect571k1, /* sect571k1 (13) */
  187. NID_sect571r1, /* sect571r1 (14) */
  188. NID_secp160k1, /* secp160k1 (15) */
  189. NID_secp160r1, /* secp160r1 (16) */
  190. NID_secp160r2, /* secp160r2 (17) */
  191. NID_secp192k1, /* secp192k1 (18) */
  192. NID_X9_62_prime192v1, /* secp192r1 (19) */
  193. NID_secp224k1, /* secp224k1 (20) */
  194. NID_secp224r1, /* secp224r1 (21) */
  195. NID_secp256k1, /* secp256k1 (22) */
  196. NID_X9_62_prime256v1, /* secp256r1 (23) */
  197. NID_secp384r1, /* secp384r1 (24) */
  198. NID_secp521r1, /* secp521r1 (25) */
  199. NID_brainpoolP256r1, /* brainpoolP256r1 (26) */
  200. NID_brainpoolP384r1, /* brainpoolP384r1 (27) */
  201. NID_brainpoolP512r1 /* brainpool512r1 (28) */
  202. };
  203. /** Updates the hash of all TLS handshake messages upon the
  204. * receipt of a new message. This hash is eventually used
  205. * to verify the TLS Finished message
  206. *
  207. * Inputs:
  208. * f: the tagged flow
  209. * hs: A pointer to the start of the handshake message
  210. *
  211. * Output:
  212. * 0 on success, 1 on failure
  213. */
  214. int update_finish_hash(flow *f, uint8_t *hs){
  215. //find handshake length
  216. const struct handshake_header *hs_hdr;
  217. uint8_t *p = hs;
  218. hs_hdr = (struct handshake_header*) p;
  219. uint32_t hs_len = HANDSHAKE_MESSAGE_LEN(hs_hdr);
  220. EVP_DigestUpdate(f->finish_md_ctx, hs, hs_len+4);
  221. #ifdef DEBUG
  222. printf("SLITHEEN: adding to finish mac computation:\n");
  223. for(int i=0; i< hs_len + 4; i++){
  224. printf("%02x ", hs[i]);
  225. }
  226. printf("\n");
  227. #endif
  228. return 0;
  229. }
  230. /** Extracts the server parameters from the server key
  231. * exchange message
  232. *
  233. * Inputs:
  234. * f: the tagged flow
  235. * hs: the beginning of the server key exchange
  236. * handshake message
  237. *
  238. * Output:
  239. * 0 on success, 1 on failure
  240. */
  241. int extract_parameters(flow *f, uint8_t *hs){
  242. uint8_t *p;
  243. long i;
  244. int ok=1;
  245. p = hs + HANDSHAKE_HEADER_LEN;
  246. if(f->keyex_alg == 1){
  247. DH *dh;
  248. if((dh = DH_new()) == NULL){
  249. return 1;
  250. }
  251. /* Extract prime modulus */
  252. n2s(p,i);
  253. if(!(dh->p = BN_bin2bn(p,i,NULL))){
  254. return 1;
  255. }
  256. p += i;
  257. /* Extract generator */
  258. n2s(p,i);
  259. if(!(dh->g = BN_bin2bn(p,i,NULL))){
  260. return 1;
  261. }
  262. p += i;
  263. /* Extract server public value */
  264. n2s(p,i);
  265. if(!(dh->pub_key = BN_bin2bn(p,i,NULL))){
  266. return 1;
  267. }
  268. f->dh = dh;
  269. } else if (f->keyex_alg == 2){
  270. EC_KEY *ecdh;
  271. EC_GROUP *ngroup;
  272. const EC_GROUP *group;
  273. BN_CTX *bn_ctx = NULL;
  274. EC_POINT *srvr_ecpoint = NULL;
  275. int curve_nid = 0;
  276. int encoded_pt_len = 0;
  277. if((ecdh = EC_KEY_new()) == NULL) {
  278. SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
  279. goto err;
  280. }
  281. if(p[0] != 0x03){//not a named curve
  282. goto err;
  283. }
  284. //int curve_id = (p[1] << 8) + p[2];
  285. int curve_id = *(p+2);
  286. if((curve_id < 0) || ((unsigned int)curve_id >
  287. sizeof(nid_list) / sizeof(nid_list[0]))){
  288. goto err;
  289. }
  290. curve_nid = nid_list[curve_id-1];
  291. /* Extract curve
  292. if(!tls1_check_curve(s, p, 3)) {
  293. goto err;
  294. }
  295. if((*(p+2) < 1) || ((unsigned int) (*(p+2)) > sizeof(nid_list) / sizeof(nid_list[0]))){
  296. goto err;
  297. }
  298. curve_nid = nid_list[*(p+2)];
  299. */
  300. ngroup = EC_GROUP_new_by_curve_name(curve_nid);
  301. if(ngroup == NULL){
  302. goto err;
  303. }
  304. if(EC_KEY_set_group(ecdh, ngroup) == 0){
  305. goto err;
  306. }
  307. EC_GROUP_free(ngroup);
  308. group = EC_KEY_get0_group(ecdh);
  309. p += 3;
  310. /* Get EC point */
  311. if (((srvr_ecpoint = EC_POINT_new(group)) == NULL) ||
  312. ((bn_ctx = BN_CTX_new()) == NULL)) {
  313. goto err;
  314. }
  315. encoded_pt_len = *p;
  316. p += 1;
  317. if(EC_POINT_oct2point(group, srvr_ecpoint, p, encoded_pt_len,
  318. bn_ctx) == 0){
  319. goto err;
  320. }
  321. p += encoded_pt_len;
  322. EC_KEY_set_public_key(ecdh, srvr_ecpoint);
  323. f->ecdh = ecdh;
  324. ecdh = NULL;
  325. BN_CTX_free(bn_ctx);
  326. bn_ctx = NULL;
  327. EC_POINT_free(srvr_ecpoint);
  328. srvr_ecpoint = NULL;
  329. ok=0;
  330. err:
  331. if(bn_ctx != NULL){
  332. BN_CTX_free(bn_ctx);
  333. }
  334. if(srvr_ecpoint != NULL){
  335. EC_POINT_free(srvr_ecpoint);
  336. }
  337. if(ecdh != NULL){
  338. EC_KEY_free(ecdh);
  339. }
  340. }
  341. return ok;
  342. }
  343. /* Encrypt/Decrypt a TLS record
  344. *
  345. * Inputs:
  346. * f: the tagged flow
  347. * input: a pointer to the data that is to be encrypted/
  348. * decrypted
  349. * output: a pointer to where the data should be written
  350. * after it is encrypted or decrypted
  351. * len: the length of the data
  352. * incoming: the direction of the record
  353. * type: the type of the TLS record
  354. * enc: 1 for encryption, 0 for decryption
  355. * re: 1 if this is a re-encryption (counters are reset), 0 otherwise
  356. * Note: is only checked during encryption
  357. *
  358. * Output:
  359. * length of the output data
  360. */
  361. int encrypt(flow *f, uint8_t *input, uint8_t *output, int32_t len, int32_t incoming, int32_t type, int32_t enc, uint8_t re){
  362. uint8_t *p = input;
  363. EVP_CIPHER_CTX *ds = (incoming) ? ((enc) ? f->srvr_write_ctx : f->clnt_read_ctx) : ((enc) ? f->clnt_write_ctx : f->srvr_read_ctx);
  364. if(ds == NULL){
  365. printf("FAIL\n");
  366. return 1;
  367. }
  368. uint8_t *seq;
  369. seq = (incoming) ? f->read_seq : f->write_seq;
  370. if(enc && re){
  371. for(int i=7; i>=0; i--){
  372. --seq[i];
  373. if(seq[i] != 0xff)
  374. break;
  375. }
  376. }
  377. if(f->application && (ds->iv[EVP_GCM_TLS_FIXED_IV_LEN] == 0)){
  378. //fill in rest of iv
  379. for(int i = EVP_GCM_TLS_FIXED_IV_LEN; i< ds->cipher->iv_len; i++){
  380. ds->iv[i] = p[i- EVP_GCM_TLS_FIXED_IV_LEN];
  381. }
  382. }
  383. #ifdef DEBUG
  384. printf("\t\tiv: ");
  385. for(int i=0; i<ds->cipher->iv_len; i++){
  386. printf("%02X ", ds->iv[i]);
  387. }
  388. printf("\n");
  389. #endif
  390. uint8_t buf[13];
  391. memcpy(buf, seq, 8);
  392. for(int i=7; i>=0; i--){
  393. ++seq[i];
  394. if(seq[i] != 0)
  395. break;
  396. }
  397. buf[8] = type;
  398. buf[9] = 0x03;
  399. buf[10] = 0x03;
  400. buf[11] = len >> 8; //len >> 8;
  401. buf[12] = len & 0xff;//len *0xff;
  402. int32_t pad = EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_AEAD_TLS1_AAD,
  403. 13, buf); // = int32_t pad?
  404. if(enc)
  405. len += pad;
  406. int32_t n = EVP_Cipher(ds, p, p, len); //decrypt in place
  407. if(n<0) return 0;
  408. #ifdef DEBUG
  409. printf("decrypted data:\n");
  410. for(int i=0; i< len; i++){
  411. printf("%02x ", p[EVP_GCM_TLS_EXPLICIT_IV_LEN+i]);
  412. }
  413. printf("\n");
  414. #endif
  415. if(!enc)
  416. p[EVP_GCM_TLS_EXPLICIT_IV_LEN+n] = '\0';
  417. return n;
  418. }
  419. /** Verifies the hash in a TLS finished message
  420. *
  421. * Adds string derived from the client-relay shared secret to the finished hash.
  422. * This feature detects and prevents suspicious behaviour in the event of a MiTM
  423. * or RAD attack.
  424. *
  425. * Inputs:
  426. * f: the tagged flow
  427. * p: a pointer to the TLS Finished handshake message
  428. * incoming: the direction of the flow
  429. *
  430. * Output:
  431. * 0 on success, 1 on failure
  432. */
  433. int verify_finish_hash(flow *f, uint8_t *hs, int32_t incoming){
  434. EVP_MD_CTX ctx;
  435. uint8_t hash[EVP_MAX_MD_SIZE];
  436. uint32_t hash_len;
  437. uint8_t *p = hs;
  438. EVP_MD_CTX_init(&ctx);
  439. //get header length
  440. struct handshake_header *hs_hdr;
  441. hs_hdr = (struct handshake_header*) p;
  442. uint32_t fin_length = HANDSHAKE_MESSAGE_LEN(hs_hdr);
  443. //save old finished to update finished mac hash
  444. uint8_t *old_finished = emalloc(fin_length+ HANDSHAKE_HEADER_LEN);
  445. memcpy(old_finished, p, fin_length+HANDSHAKE_HEADER_LEN);
  446. p += HANDSHAKE_HEADER_LEN;
  447. //finalize hash of handshake msgs (have not yet added this one)
  448. EVP_MD_CTX_copy_ex(&ctx, f->finish_md_ctx);
  449. EVP_DigestFinal_ex(&ctx, hash, &hash_len);
  450. //now use pseudorandom function
  451. uint8_t *output = ecalloc(1, fin_length);
  452. if(incoming){
  453. PRF(f, f->master_secret, SSL3_MASTER_SECRET_SIZE, (uint8_t *) TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE , hash, hash_len, NULL, 0, NULL, 0, output, fin_length);
  454. } else {
  455. PRF(f, f->master_secret, SSL3_MASTER_SECRET_SIZE, (uint8_t *) TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE , hash, hash_len, NULL, 0, NULL, 0, output, fin_length);
  456. }
  457. //now compare
  458. if(CRYPTO_memcmp(p, output, fin_length) != 0){
  459. printf("VERIFY FAILED\n");
  460. goto err;
  461. }
  462. #ifdef DEBUG_HS
  463. printf("Old finished:\n");
  464. for(int i=0; i< fin_length; i++){
  465. printf("%02x ", p[i]);
  466. }
  467. printf("\n");
  468. #endif
  469. //now add extra input seeded with client-relay shared secret
  470. if(incoming){
  471. uint32_t extra_input_len = SSL3_RANDOM_SIZE;
  472. uint8_t *extra_input = calloc(1, extra_input_len);
  473. PRF(f, f->key, 16,
  474. (uint8_t *) SLITHEEN_FINISHED_INPUT_CONST, SLITHEEN_FINISHED_INPUT_CONST_SIZE,
  475. NULL, 0, NULL, 0, NULL, 0,
  476. extra_input, extra_input_len);
  477. #ifdef DEBUG_HS
  478. printf("Extra input:\n");
  479. for(int i=0; i< extra_input_len; i++){
  480. printf("%02x ", extra_input[i]);
  481. }
  482. printf("\n");
  483. #endif
  484. EVP_MD_CTX_copy_ex(&ctx, f->finish_md_ctx);
  485. EVP_DigestUpdate(&ctx, extra_input, extra_input_len);
  486. EVP_DigestFinal_ex(&ctx, hash, &hash_len);
  487. PRF(f, f->master_secret, SSL3_MASTER_SECRET_SIZE,
  488. (uint8_t *) TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE ,
  489. hash, hash_len, NULL, 0, NULL, 0,
  490. output, fin_length);
  491. //replace existing MAC with modified one
  492. memcpy(p, output, fin_length);
  493. #ifdef DEBUG_HS
  494. printf("New finished:\n");
  495. for(int i=0; i< fin_length; i++){
  496. printf("%02x ", p[i]);
  497. }
  498. printf("\n");
  499. #endif
  500. free(extra_input);
  501. }
  502. if(update_finish_hash(f, old_finished)){
  503. fprintf(stderr, "Error updating finish hash with FINISHED msg\n");
  504. goto err;
  505. }
  506. free(old_finished);
  507. free(output);
  508. EVP_MD_CTX_cleanup(&ctx);
  509. return 0;
  510. err:
  511. if(output != NULL)
  512. free(output);
  513. if(old_finished != NULL)
  514. free(old_finished);
  515. EVP_MD_CTX_cleanup(&ctx);
  516. return 1;
  517. }
  518. /** Computes the TLS master secret from the decoy server's
  519. * public key parameters and the leaked secret from the
  520. * extracted Slitheen tag
  521. *
  522. * Input:
  523. * f: the tagged flow
  524. *
  525. * Output:
  526. * 0 on success, 1 on failure
  527. */
  528. int compute_master_secret(flow *f){
  529. #ifdef DEBUG_HS
  530. printf("Computing master secret (%x:%d -> %x:%d)...\n", f->src_ip.s_addr, f->src_port, f->dst_ip.s_addr, f->dst_port);
  531. #endif
  532. DH *dh_srvr = NULL;
  533. DH *dh_clnt = NULL;
  534. BN_CTX *ctx = NULL;
  535. BIGNUM *pub_key = NULL, *priv_key = NULL, *order = NULL;
  536. EC_KEY *clnt_ecdh = NULL;
  537. EC_POINT *e_pub_key = NULL;
  538. int ok =1;
  539. uint8_t *pre_master_secret = ecalloc(1, PRE_MASTER_MAX_LEN);
  540. int32_t pre_master_len;
  541. uint32_t l;
  542. int32_t bytes;
  543. uint8_t *buf = NULL;
  544. if(f->keyex_alg == 1){
  545. BN_MONT_CTX *mont = NULL;
  546. ctx = BN_CTX_new();
  547. dh_srvr = f->dh;
  548. dh_clnt = DHparams_dup(dh_srvr);
  549. l = dh_clnt->length ? dh_clnt->length : BN_num_bits(dh_clnt->p) - 1;
  550. bytes = (l+7) / 8;
  551. buf = (uint8_t *)OPENSSL_malloc(bytes);
  552. if (buf == NULL){
  553. BNerr(BN_F_BNRAND, ERR_R_MALLOC_FAILURE);
  554. goto err;
  555. }
  556. pub_key = BN_new();
  557. priv_key = BN_new();
  558. #ifdef DEBUG
  559. printf("key =");
  560. for(int i=0; i< 16; i++)
  561. printf(" %02x", f->key[i]);
  562. printf("\n");
  563. #endif
  564. PRF(f, f->key, 16,
  565. (uint8_t *) SLITHEEN_KEYGEN_CONST, SLITHEEN_KEYGEN_CONST_SIZE,
  566. NULL, 0, NULL, 0, NULL, 0,
  567. buf, bytes);
  568. #ifdef DEBUG
  569. printf("Generated the following rand bytes: ");
  570. for(int i=0; i< bytes; i++){
  571. printf(" %02x ", buf[i]);
  572. }
  573. printf("\n");
  574. #endif
  575. if (!BN_bin2bn(buf, bytes, priv_key))
  576. goto err;
  577. {
  578. BIGNUM *prk;
  579. prk = priv_key;
  580. if (!dh_clnt->meth->bn_mod_exp(dh_clnt, pub_key, dh_clnt->g, prk, dh_clnt->p, ctx, mont)){
  581. goto err;
  582. }
  583. }
  584. dh_clnt->pub_key = pub_key;
  585. dh_clnt->priv_key = priv_key;
  586. pre_master_len = DH_compute_key(pre_master_secret, dh_srvr->pub_key, dh_clnt);
  587. } else if(f->keyex_alg == 2){
  588. const EC_GROUP *srvr_group = NULL;
  589. const EC_POINT *srvr_ecpoint = NULL;
  590. EC_KEY *tkey;
  591. tkey = f->ecdh;
  592. if(tkey == NULL){
  593. return 1;
  594. }
  595. srvr_group = EC_KEY_get0_group(tkey);
  596. srvr_ecpoint = EC_KEY_get0_public_key(tkey);
  597. if((srvr_group == NULL) || (srvr_ecpoint == NULL)) {
  598. return 1;
  599. }
  600. if((clnt_ecdh = EC_KEY_new()) == NULL) {
  601. goto err;
  602. }
  603. if(!EC_KEY_set_group(clnt_ecdh, srvr_group)) {
  604. goto err;
  605. }
  606. /* Now generate key from tag */
  607. if((order = BN_new()) == NULL){
  608. goto err;
  609. }
  610. if((ctx = BN_CTX_new()) == NULL){
  611. goto err;
  612. }
  613. if((priv_key = BN_new()) == NULL){
  614. goto err;
  615. }
  616. if(!EC_GROUP_get_order(srvr_group, order, ctx)){
  617. goto err;
  618. }
  619. l = BN_num_bits(order)-1;
  620. bytes = (l+7)/8;
  621. buf = (unsigned char *)OPENSSL_malloc(bytes);
  622. if(buf == NULL){
  623. goto err;
  624. }
  625. PRF(f, f->key, 16, (uint8_t *) SLITHEEN_KEYGEN_CONST, SLITHEEN_KEYGEN_CONST_SIZE,
  626. NULL, 0, NULL, 0, NULL, 0, buf, bytes);
  627. #ifdef DEBUG
  628. printf("Generated the following rand bytes: ");
  629. for(int i=0; i< bytes; i++){
  630. printf("%02x ", buf[i]);
  631. }
  632. printf("\n");
  633. #endif
  634. if(!BN_bin2bn(buf, bytes, priv_key)){
  635. goto err;
  636. }
  637. if((e_pub_key = EC_POINT_new(srvr_group)) == NULL){
  638. goto err;
  639. }
  640. if(!EC_POINT_mul(EC_KEY_get0_group(clnt_ecdh), e_pub_key, priv_key, NULL, NULL, ctx)){
  641. goto err;
  642. }
  643. EC_KEY_set_private_key(clnt_ecdh, priv_key);
  644. EC_KEY_set_public_key(clnt_ecdh, e_pub_key);
  645. /*Compute the master secret */
  646. int32_t field_size = EC_GROUP_get_degree(srvr_group);
  647. if(field_size <= 0){
  648. goto err;
  649. }
  650. pre_master_len = ECDH_compute_key(pre_master_secret, (field_size + 7) / 8,
  651. srvr_ecpoint, clnt_ecdh, NULL);
  652. if(pre_master_len <= 0) {
  653. goto err;
  654. }
  655. }
  656. /*Generate master secret */
  657. PRF(f, pre_master_secret, pre_master_len, (uint8_t *) TLS_MD_MASTER_SECRET_CONST, TLS_MD_MASTER_SECRET_CONST_SIZE, f->client_random, SSL3_RANDOM_SIZE, f->server_random, SSL3_RANDOM_SIZE, NULL, 0, f->master_secret, SSL3_MASTER_SECRET_SIZE);
  658. if(f->current_session != NULL){
  659. memcpy(f->current_session->master_secret, f->master_secret, SSL3_MASTER_SECRET_SIZE);
  660. }
  661. #ifdef DEBUG
  662. fprintf(stdout, "Premaster Secret:\n");
  663. BIO_dump_fp(stdout, (char *)pre_master_secret, pre_master_len);
  664. fprintf(stdout, "Client Random:\n");
  665. BIO_dump_fp(stdout, (char *)f->client_random, SSL3_RANDOM_SIZE);
  666. fprintf(stdout, "Server Random:\n");
  667. BIO_dump_fp(stdout, (char *)f->server_random, SSL3_RANDOM_SIZE);
  668. fprintf(stdout, "Master Secret:\n");
  669. BIO_dump_fp(stdout, (char *)f->master_secret, SSL3_MASTER_SECRET_SIZE);
  670. #endif
  671. //remove pre_master_secret from memory
  672. memset(pre_master_secret, 0, PRE_MASTER_MAX_LEN);
  673. ok = 0;
  674. err:
  675. if((pub_key != NULL) && (dh_srvr == NULL)){
  676. BN_free(pub_key);
  677. }
  678. if((priv_key != NULL) && ((dh_clnt == NULL) || (EC_KEY_get0_private_key(clnt_ecdh) == NULL))){
  679. BN_free(priv_key);
  680. }
  681. if(ctx != NULL){
  682. BN_CTX_free(ctx);
  683. }
  684. OPENSSL_free(buf);
  685. free(pre_master_secret);
  686. if(dh_srvr != NULL){
  687. DH_free(dh_srvr);
  688. }
  689. if(dh_clnt != NULL) {
  690. DH_free(dh_clnt);
  691. }
  692. if(order){
  693. BN_free(order);
  694. }
  695. if(clnt_ecdh != NULL){
  696. EC_KEY_free(clnt_ecdh);
  697. }
  698. if(e_pub_key != NULL){
  699. EC_POINT_free(e_pub_key);
  700. }
  701. return ok;
  702. }
  703. /** Saves the random none from the server hello message
  704. *
  705. * Inputs:
  706. * f: the tagged flow
  707. * hs: a pointer to the beginning of the server hello msg
  708. *
  709. * Output:
  710. * 0 on success, 1 on failure
  711. */
  712. int extract_server_random(flow *f, uint8_t *hs){
  713. uint8_t *p;
  714. p = hs + HANDSHAKE_HEADER_LEN;
  715. p+=2; //skip version
  716. memcpy(f->server_random, p, SSL3_RANDOM_SIZE);
  717. p += SSL3_RANDOM_SIZE;
  718. //skip session id
  719. uint8_t id_len = (uint8_t) p[0];
  720. p ++;
  721. p += id_len;
  722. //now extract ciphersuite
  723. #ifdef DEBUG_HS
  724. printf("Checking cipher\n");
  725. #endif
  726. if(((p[0] <<8) + p[1]) == 0x9E){
  727. #ifdef DEBUG_HS
  728. printf("USING DHE-RSA-AES128-GCM-SHA256\n");
  729. fflush(stdout);
  730. #endif
  731. f->keyex_alg = 1;
  732. f->cipher = EVP_aes_128_gcm();
  733. f->message_digest = EVP_sha256();
  734. } else if(((p[0] <<8) + p[1]) == 0x9F){
  735. #ifdef DEBUG_HS
  736. printf("USING DHE-RSA-AES256-GCM-SHA384\n");
  737. fflush(stdout);
  738. #endif
  739. f->keyex_alg = 1;
  740. f->cipher = EVP_aes_256_gcm();
  741. f->message_digest = EVP_sha384();
  742. } else if(((p[0] <<8) + p[1]) == 0xC02F){
  743. #ifdef DEBUG_HS
  744. printf("USING ECDHE-RSA-AES128-GCM-SHA256\n");
  745. fflush(stdout);
  746. #endif
  747. f->keyex_alg = 2;
  748. f->cipher = EVP_aes_128_gcm();
  749. f->message_digest = EVP_sha256();
  750. } else if(((p[0] <<8) + p[1]) == 0xC030){
  751. #ifdef DEBUG_HS
  752. printf("USING ECDHE-RSA-AES256-GCM-SHA384\n");
  753. fflush(stdout);
  754. #endif
  755. f->keyex_alg = 2;
  756. f->cipher = EVP_aes_256_gcm();
  757. f->message_digest = EVP_sha384();
  758. } else {
  759. printf("%x %x = %x\n", p[0], p[1], ((p[0] <<8) + p[1]));
  760. printf("Error: unsupported cipher\n");
  761. fflush(stdout);
  762. return 1;
  763. }
  764. return 0;
  765. }
  766. /** PRF using sha384, as defined in RFC 5246
  767. *
  768. * Inputs:
  769. * secret: the master secret used to sign the hash
  770. * secret_len: the length of the master secret
  771. * seed{1, ..., 4}: seed values that are virtually
  772. * concatenated
  773. * seed{1,...4}_len: length of the seeds
  774. * output: a pointer to the output of the PRF
  775. * output_len: the number of desired bytes
  776. *
  777. * Output:
  778. * 0 on success, 1 on failure
  779. */
  780. int PRF(flow *f, uint8_t *secret, int32_t secret_len,
  781. uint8_t *seed1, int32_t seed1_len,
  782. uint8_t *seed2, int32_t seed2_len,
  783. uint8_t *seed3, int32_t seed3_len,
  784. uint8_t *seed4, int32_t seed4_len,
  785. uint8_t *output, int32_t output_len){
  786. EVP_MD_CTX ctx, ctx_tmp, ctx_init;
  787. EVP_PKEY *mac_key;
  788. const EVP_MD *md;
  789. if(f == NULL){
  790. md = EVP_sha256();
  791. } else {
  792. md = f->message_digest;
  793. }
  794. uint8_t A[EVP_MAX_MD_SIZE];
  795. size_t len, A_len;
  796. int chunk = EVP_MD_size(md);
  797. int remaining = output_len;
  798. uint8_t *out = output;
  799. EVP_MD_CTX_init(&ctx);
  800. EVP_MD_CTX_init(&ctx_tmp);
  801. EVP_MD_CTX_init(&ctx_init);
  802. EVP_MD_CTX_set_flags(&ctx_init, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
  803. mac_key = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, secret, secret_len);
  804. /* Calculate first A value */
  805. EVP_DigestSignInit(&ctx_init, NULL, md, NULL, mac_key);
  806. EVP_MD_CTX_copy_ex(&ctx, &ctx_init);
  807. if(seed1 != NULL && seed1_len > 0){
  808. EVP_DigestSignUpdate(&ctx, seed1, seed1_len);
  809. }
  810. if(seed2 != NULL && seed2_len > 0){
  811. EVP_DigestSignUpdate(&ctx, seed2, seed2_len);
  812. }
  813. if(seed3 != NULL && seed3_len > 0){
  814. EVP_DigestSignUpdate(&ctx, seed3, seed3_len);
  815. }
  816. if(seed4 != NULL && seed4_len > 0){
  817. EVP_DigestSignUpdate(&ctx, seed4, seed4_len);
  818. }
  819. EVP_DigestSignFinal(&ctx, A, &A_len);
  820. //iterate until desired length is achieved
  821. while(remaining > 0){
  822. /* Now compute SHA384(secret, A+seed) */
  823. EVP_MD_CTX_copy_ex(&ctx, &ctx_init);
  824. EVP_DigestSignUpdate(&ctx, A, A_len);
  825. EVP_MD_CTX_copy_ex(&ctx_tmp, &ctx);
  826. if(seed1 != NULL && seed1_len > 0){
  827. EVP_DigestSignUpdate(&ctx, seed1, seed1_len);
  828. }
  829. if(seed2 != NULL && seed2_len > 0){
  830. EVP_DigestSignUpdate(&ctx, seed2, seed2_len);
  831. }
  832. if(seed3 != NULL && seed3_len > 0){
  833. EVP_DigestSignUpdate(&ctx, seed3, seed3_len);
  834. }
  835. if(seed4 != NULL && seed4_len > 0){
  836. EVP_DigestSignUpdate(&ctx, seed4, seed4_len);
  837. }
  838. if(remaining > chunk){
  839. EVP_DigestSignFinal(&ctx, out, &len);
  840. out += len;
  841. remaining -= len;
  842. /* Next A value */
  843. EVP_DigestSignFinal(&ctx_tmp, A, &A_len);
  844. } else {
  845. EVP_DigestSignFinal(&ctx, A, &A_len);
  846. memcpy(out, A, remaining);
  847. remaining -= remaining;
  848. }
  849. }
  850. EVP_PKEY_free(mac_key);
  851. EVP_MD_CTX_cleanup(&ctx);
  852. EVP_MD_CTX_cleanup(&ctx_tmp);
  853. EVP_MD_CTX_cleanup(&ctx_init);
  854. OPENSSL_cleanse(A, sizeof(A));
  855. return 0;
  856. }
  857. /** After receiving change cipher spec, calculate keys from master secret
  858. *
  859. * Input:
  860. * f: the tagged flow
  861. *
  862. * Output:
  863. * 0 on success, 1 on failure
  864. */
  865. int init_ciphers(flow *f){
  866. EVP_CIPHER_CTX *r_ctx;
  867. EVP_CIPHER_CTX *w_ctx;
  868. EVP_CIPHER_CTX *w_ctx_srvr;
  869. EVP_CIPHER_CTX *r_ctx_srvr;
  870. const EVP_CIPHER *c = f->cipher;
  871. if(c == NULL){
  872. /*This *shouldn't* happen, but might if a serverHello msg isn't received
  873. * or if a session is resumed in a strange way */
  874. return 1;
  875. }
  876. /* Generate Keys */
  877. uint8_t *write_key, *write_iv;
  878. uint8_t *read_key, *read_iv;
  879. int32_t mac_len, key_len, iv_len;
  880. key_len = EVP_CIPHER_key_length(c);
  881. iv_len = EVP_CIPHER_iv_length(c); //EVP_GCM_TLS_FIXED_IV_LEN;
  882. mac_len = EVP_MD_size(f->message_digest);
  883. int32_t total_len = key_len + iv_len + mac_len;
  884. total_len *= 2;
  885. uint8_t *key_block = ecalloc(1, total_len);
  886. PRF(f, f->master_secret, SSL3_MASTER_SECRET_SIZE,
  887. (uint8_t *) TLS_MD_KEY_EXPANSION_CONST, TLS_MD_KEY_EXPANSION_CONST_SIZE,
  888. f->server_random, SSL3_RANDOM_SIZE,
  889. f->client_random, SSL3_RANDOM_SIZE,
  890. NULL, 0,
  891. key_block, total_len);
  892. #ifdef DEBUG
  893. printf("master secret: (%x:%d -> %x:%d)\n", f->src_ip.s_addr, f->src_port, f->dst_ip.s_addr, f->dst_port);
  894. for(int i=0; i< SSL3_MASTER_SECRET_SIZE; i++){
  895. printf("%02x ", f->master_secret[i]);
  896. }
  897. printf("\n");
  898. printf("client random: (%x:%d -> %x:%d)\n", f->src_ip.s_addr, f->src_port, f->dst_ip.s_addr, f->dst_port);
  899. for(int i=0; i< SSL3_RANDOM_SIZE; i++){
  900. printf("%02x ", f->client_random[i]);
  901. }
  902. printf("\n");
  903. printf("server random: (%x:%d -> %x:%d)\n", f->src_ip.s_addr, f->src_port, f->dst_ip.s_addr, f->dst_port);
  904. for(int i=0; i< SSL3_RANDOM_SIZE; i++){
  905. printf("%02x ", f->server_random[i]);
  906. }
  907. printf("\n");
  908. printf("keyblock: (%x:%d -> %x:%d)\n", f->src_ip.s_addr, f->src_port, f->dst_ip.s_addr, f->dst_port);
  909. for(int i=0; i< total_len; i++){
  910. printf("%02x ", key_block[i]);
  911. }
  912. printf("\n");
  913. #endif
  914. iv_len = EVP_GCM_TLS_FIXED_IV_LEN;
  915. write_key = key_block;
  916. read_key = key_block + key_len;
  917. write_iv = key_block + 2*key_len;
  918. read_iv = key_block + 2*key_len + iv_len;
  919. /* Initialize Cipher Contexts */
  920. r_ctx = EVP_CIPHER_CTX_new();
  921. w_ctx = EVP_CIPHER_CTX_new();
  922. EVP_CIPHER_CTX_init(r_ctx);
  923. EVP_CIPHER_CTX_init(w_ctx);
  924. w_ctx_srvr = EVP_CIPHER_CTX_new();
  925. r_ctx_srvr = EVP_CIPHER_CTX_new();
  926. EVP_CIPHER_CTX_init(w_ctx_srvr);
  927. EVP_CIPHER_CTX_init(r_ctx_srvr);
  928. /* Initialize MACs --- not needed for aes_256_gcm
  929. write_mac = key_block + 2*key_len + 2*iv_len;
  930. read_mac = key_block + 2*key_len + 2*iv_len + mac_len;
  931. read_mac_ctx = EVP_MD_CTX_create();
  932. write_mac_ctx = EVP_MD_CTX_create();
  933. read_mac_key =EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, read_mac, mac_len);
  934. write_mac_key =EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, write_mac, mac_len);
  935. EVP_DigestSignInit(read_mac_ctx, NULL, EVP_sha384(), NULL, read_mac_key);
  936. EVP_DigestSignInit(write_mac_ctx, NULL, EVP_sha384(), NULL, write_mac_key);
  937. EVP_PKEY_free(read_mac_key);
  938. EVP_PKEY_free(write_mac_key);*/
  939. #ifdef DEBUG
  940. {
  941. int i;
  942. fprintf(stderr, "EVP_CipherInit_ex(r_ctx,c,key=,iv=,which)\n");
  943. fprintf(stderr, "\tkey= ");
  944. for (i = 0; i < c->key_len; i++)
  945. fprintf(stderr, "%02x", read_key[i]);
  946. fprintf(stderr, "\n");
  947. fprintf(stderr, "\t iv= ");
  948. for (i = 0; i < c->iv_len; i++)
  949. fprintf(stderr, "%02x", read_iv[i]);
  950. fprintf(stderr, "\n");
  951. }
  952. {
  953. int i;
  954. fprintf(stderr, "EVP_CipherInit_ex(w_ctx,c,key=,iv=,which)\n");
  955. fprintf(stderr, "\tkey= ");
  956. for (i = 0; i < c->key_len; i++)
  957. fprintf(stderr, "%02x", write_key[i]);
  958. fprintf(stderr, "\n");
  959. fprintf(stderr, "\t iv= ");
  960. for (i = 0; i < c->iv_len; i++)
  961. fprintf(stderr, "%02x", write_iv[i]);
  962. fprintf(stderr, "\n");
  963. }
  964. #endif
  965. if(!EVP_CipherInit_ex(r_ctx, c, NULL, read_key, NULL, 0)){
  966. printf("FAIL r_ctx\n");
  967. }
  968. if(!EVP_CipherInit_ex(w_ctx, c, NULL, write_key, NULL, 1)){
  969. printf("FAIL w_ctx\n");
  970. }
  971. if(!EVP_CipherInit_ex(w_ctx_srvr, c, NULL, read_key, NULL, 1)){
  972. printf("FAIL w_ctx_srvr\n");
  973. }
  974. if(!EVP_CipherInit_ex(r_ctx_srvr, c, NULL, write_key, NULL, 0)){
  975. printf("FAIL r_ctx_srvr\n");
  976. }
  977. EVP_CIPHER_CTX_ctrl(r_ctx, EVP_CTRL_GCM_SET_IV_FIXED, EVP_GCM_TLS_FIXED_IV_LEN, read_iv);
  978. EVP_CIPHER_CTX_ctrl(w_ctx, EVP_CTRL_GCM_SET_IV_FIXED, EVP_GCM_TLS_FIXED_IV_LEN, write_iv);
  979. EVP_CIPHER_CTX_ctrl(w_ctx_srvr, EVP_CTRL_GCM_SET_IV_FIXED, EVP_GCM_TLS_FIXED_IV_LEN, read_iv);
  980. EVP_CIPHER_CTX_ctrl(r_ctx_srvr, EVP_CTRL_GCM_SET_IV_FIXED, EVP_GCM_TLS_FIXED_IV_LEN, write_iv);
  981. f->clnt_read_ctx = r_ctx;
  982. f->clnt_write_ctx = w_ctx;
  983. f->srvr_read_ctx = r_ctx_srvr;
  984. f->srvr_write_ctx = w_ctx_srvr;
  985. free(key_block);
  986. return 0;
  987. }
  988. /* Generate the keys for a client's super encryption layer
  989. *
  990. * The header of each downstream slitheen data chunk is 16 bytes and encrypted with
  991. * a 256 bit AES key
  992. *
  993. * The body of each downstream chunk is CBC encrypted with a 256 bit AES key
  994. *
  995. * The last 16 bytes of the body is a MAC over the body
  996. *
  997. */
  998. void generate_client_super_keys(uint8_t *secret, client *c){
  999. EVP_MD_CTX *mac_ctx;
  1000. const EVP_MD *md = EVP_sha256();
  1001. FILE *fp;
  1002. //extract shared secret from SLITHEEN_ID
  1003. uint8_t shared_secret[16];
  1004. byte privkey[PTWIST_BYTES];
  1005. fp = fopen("privkey", "rb");
  1006. if (fp == NULL) {
  1007. perror("fopen");
  1008. exit(1);
  1009. }
  1010. if(fread(privkey, PTWIST_BYTES, 1, fp) < 1){
  1011. perror("fread");
  1012. exit(1);
  1013. }
  1014. fclose(fp);
  1015. /* check tag*/
  1016. if(check_tag(shared_secret, privkey, secret, (const byte *)"context", 7)){
  1017. //something went wrong O.o
  1018. printf("Error extracting secret from tag\n");
  1019. return;
  1020. }
  1021. #ifdef DEBUG
  1022. printf("Shared secret: ");
  1023. for(int i=0; i< 16; i++){
  1024. printf("%02x ", shared_secret[i]);
  1025. }
  1026. printf("\n");
  1027. #endif
  1028. /* Generate Keys */
  1029. uint8_t *hdr_key, *bdy_key;
  1030. uint8_t *mac_secret;
  1031. EVP_PKEY *mac_key;
  1032. int32_t mac_len, key_len;
  1033. key_len = EVP_CIPHER_key_length(EVP_aes_256_cbc());
  1034. mac_len = EVP_MD_size(md);
  1035. int32_t total_len = 2*key_len + mac_len;
  1036. uint8_t *key_block = ecalloc(1, total_len);
  1037. PRF(NULL, shared_secret, SLITHEEN_SUPER_SECRET_SIZE,
  1038. (uint8_t *) SLITHEEN_SUPER_CONST, SLITHEEN_SUPER_CONST_SIZE,
  1039. NULL, 0,
  1040. NULL, 0,
  1041. NULL, 0,
  1042. key_block, total_len);
  1043. #ifdef DEBUG
  1044. printf("slitheend id: \n");
  1045. for(int i=0; i< SLITHEEN_ID_LEN; i++){
  1046. printf("%02x ", secret[i]);
  1047. }
  1048. printf("\n");
  1049. printf("keyblock: \n");
  1050. for(int i=0; i< total_len; i++){
  1051. printf("%02x ", key_block[i]);
  1052. }
  1053. printf("\n");
  1054. #endif
  1055. hdr_key = key_block;
  1056. bdy_key = key_block + key_len;
  1057. mac_secret = key_block + 2*key_len;
  1058. /* Initialize MAC Context */
  1059. mac_ctx = EVP_MD_CTX_create();
  1060. EVP_DigestInit_ex(mac_ctx, md, NULL);
  1061. mac_key = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, mac_secret, mac_len);
  1062. EVP_DigestSignInit(mac_ctx, NULL, md, NULL, mac_key);
  1063. c->header_key = emalloc(key_len);
  1064. c->body_key = emalloc(key_len);
  1065. memcpy(c->header_key, hdr_key, key_len);
  1066. memcpy(c->body_key, bdy_key, key_len);
  1067. c->mac_ctx = mac_ctx;
  1068. //Free everything
  1069. free(key_block);
  1070. EVP_PKEY_free(mac_key);
  1071. return;
  1072. }
  1073. int super_encrypt(client *c, uint8_t *data, uint32_t len){
  1074. int retval = 1;
  1075. EVP_CIPHER_CTX *hdr_ctx = NULL;
  1076. EVP_CIPHER_CTX *bdy_ctx = NULL;
  1077. int32_t out_len;
  1078. size_t mac_len;
  1079. uint8_t *p = data;
  1080. uint8_t output[EVP_MAX_MD_SIZE];
  1081. //first encrypt the header
  1082. #ifdef DEBUG
  1083. printf("Plaintext Header:\n");
  1084. for(int i=0; i< SLITHEEN_HEADER_LEN; i++){
  1085. printf("%02x ", p[i]);
  1086. }
  1087. printf("\n");
  1088. #endif
  1089. hdr_ctx = EVP_CIPHER_CTX_new();
  1090. EVP_CipherInit_ex(hdr_ctx, EVP_aes_256_cbc(), NULL, c->header_key, NULL, 1);
  1091. if(!EVP_CipherUpdate(hdr_ctx, p, &out_len, p, SLITHEEN_HEADER_LEN)){
  1092. printf("Failed!\n");
  1093. retval = 0;
  1094. goto end;
  1095. }
  1096. #ifdef DEBUG
  1097. printf("Encrypted Header (%d bytes)\n", out_len);
  1098. for(int i=0; i< out_len; i++){
  1099. printf("%02x ", p[i]);
  1100. }
  1101. printf("\n");
  1102. #endif
  1103. if(len == 0){ //only encrypt header: body contains garbage bytes
  1104. retval = 1;
  1105. goto end;
  1106. }
  1107. //encrypt the body
  1108. p += SLITHEEN_HEADER_LEN;
  1109. //generate IV
  1110. RAND_bytes(p, 16);
  1111. //set up cipher ctx
  1112. bdy_ctx = EVP_CIPHER_CTX_new();
  1113. EVP_CipherInit_ex(bdy_ctx, EVP_aes_256_cbc(), NULL, c->body_key, p, 1);
  1114. p+= 16;
  1115. #ifdef DEBUG
  1116. printf("Plaintext:\n");
  1117. for(int i=0; i< len; i++){
  1118. printf("%02x ", p[i]);
  1119. }
  1120. printf("\n");
  1121. #endif
  1122. if(!EVP_CipherUpdate(bdy_ctx, p, &out_len, p, len)){
  1123. printf("Failed!\n");
  1124. goto end;
  1125. retval = 0;
  1126. }
  1127. #ifdef DEBUG
  1128. printf("Encrypted %d bytes\n", out_len);
  1129. printf("Encrypted data:\n");
  1130. for(int i=0; i< out_len; i++){
  1131. printf("%02x ", p[i]);
  1132. }
  1133. printf("\n");
  1134. #endif
  1135. //MAC at the end
  1136. EVP_MD_CTX mac_ctx;
  1137. EVP_MD_CTX_init(&mac_ctx);
  1138. EVP_MD_CTX_copy_ex(&mac_ctx, c->mac_ctx);
  1139. EVP_DigestSignUpdate(&mac_ctx, p, out_len);
  1140. EVP_DigestSignFinal(&mac_ctx, output, &mac_len);
  1141. EVP_MD_CTX_cleanup(&mac_ctx);
  1142. p += out_len;
  1143. memcpy(p, output, 16);
  1144. #ifdef DEBUG_PARSE
  1145. printf("Computed mac:\n");
  1146. for(int i=0; i< 16; i++){
  1147. printf("%02x ", output[i]);
  1148. }
  1149. printf("\n");
  1150. fflush(stdout);
  1151. #endif
  1152. end:
  1153. if(hdr_ctx != NULL){
  1154. EVP_CIPHER_CTX_cleanup(hdr_ctx);
  1155. OPENSSL_free(hdr_ctx);
  1156. }
  1157. if(bdy_ctx != NULL){
  1158. EVP_CIPHER_CTX_cleanup(bdy_ctx);
  1159. OPENSSL_free(bdy_ctx);
  1160. }
  1161. return retval;
  1162. }
  1163. /** Checks a handshake message to see if it is tagged or a
  1164. * recognized flow. If the client random nonce is tagged,
  1165. * adds the flow to the flow table to be tracked.
  1166. *
  1167. * Inputs:
  1168. * info: the processed packet
  1169. * f: the tagged flow
  1170. *
  1171. * Output:
  1172. * none
  1173. */
  1174. void check_handshake(struct packet_info *info){
  1175. FILE *fp;
  1176. int res, code;
  1177. uint8_t *hello_rand;
  1178. const struct handshake_header *handshake_hdr;
  1179. byte privkey[PTWIST_BYTES];
  1180. byte key[16];
  1181. uint8_t *p = info->app_data + RECORD_HEADER_LEN;
  1182. handshake_hdr = (struct handshake_header*) p;
  1183. code = handshake_hdr->type;
  1184. if (code == 0x01){
  1185. p += CLIENT_HELLO_HEADER_LEN;
  1186. //now pointing to hello random :D
  1187. hello_rand = p;
  1188. p += 4; //skipping time bytes
  1189. /* Load the private key */
  1190. fp = fopen("privkey", "rb");
  1191. if (fp == NULL) {
  1192. perror("fopen");
  1193. exit(1);
  1194. }
  1195. res = fread(privkey, PTWIST_BYTES, 1, fp);
  1196. if (res < 1) {
  1197. perror("fread");
  1198. exit(1);
  1199. }
  1200. fclose(fp);
  1201. /* check tag*/
  1202. res = check_tag(key, privkey, p, (const byte *)"context", 7);
  1203. if (!res) {
  1204. #ifdef DEBUG
  1205. printf("Received tagged flow! (key =");
  1206. for(i=0; i<16;i++){
  1207. printf(" %02x", key[i]);
  1208. }
  1209. printf(")\n");
  1210. #endif
  1211. /* If flow is not in table, save it */
  1212. flow *flow_ptr = check_flow(info);
  1213. if(flow_ptr == NULL){
  1214. flow_ptr = add_flow(info);
  1215. if(flow_ptr == NULL){
  1216. fprintf(stderr, "Memory failure\n");
  1217. return;
  1218. }
  1219. for(int i=0; i<16; i++){
  1220. flow_ptr->key[i] = key[i];
  1221. }
  1222. memcpy(flow_ptr->client_random, hello_rand, SSL3_RANDOM_SIZE);
  1223. #ifdef DEBUG
  1224. for(int i=0; i< SSL3_RANDOM_SIZE; i++){
  1225. printf("%02x ", hello_rand[i]);
  1226. }
  1227. printf("\n");
  1228. printf("Saved new flow\n");
  1229. #endif
  1230. flow_ptr->ref_ctr--;
  1231. } else { /* else update saved flow with new key and random nonce */
  1232. for(int i=0; i<16; i++){
  1233. flow_ptr->key[i] = key[i];
  1234. }
  1235. memcpy(flow_ptr->client_random, hello_rand, SSL3_RANDOM_SIZE);
  1236. flow_ptr->ref_ctr--;
  1237. }
  1238. }
  1239. }
  1240. }
  1241. /* Check the given tag with the given context and private key. Return 0
  1242. if the tag is properly formed, non-0 if not. If the tag is correct,
  1243. set key to the resulting secret key. */
  1244. int check_tag(byte key[16], const byte privkey[PTWIST_BYTES],
  1245. const byte tag[PTWIST_TAG_BYTES], const byte *context,
  1246. size_t context_len)
  1247. {
  1248. int ret = -1;
  1249. byte sharedsec[PTWIST_BYTES+context_len];
  1250. byte taghashout[32];
  1251. #if PTWIST_PUZZLE_STRENGTH > 0
  1252. byte hashout[32];
  1253. size_t puzzle_len = 16+PTWIST_RESP_BYTES;
  1254. byte value_to_hash[puzzle_len];
  1255. unsigned int firstbits;
  1256. int firstpass = 0;
  1257. #endif
  1258. /* Compute the shared secret privkey*TAG */
  1259. ptwist_pointmul(sharedsec, tag, privkey);
  1260. /* Create the hash tag keys */
  1261. memmove(sharedsec+PTWIST_BYTES, context, context_len);
  1262. SHA256(sharedsec, PTWIST_BYTES, taghashout);
  1263. #if PTWIST_PUZZLE_STRENGTH > 0
  1264. /* Construct the proposed solution to the puzzle */
  1265. memmove(value_to_hash, taghashout, 16);
  1266. memmove(value_to_hash+16, tag+PTWIST_BYTES, PTWIST_RESP_BYTES);
  1267. value_to_hash[16+PTWIST_RESP_BYTES-1] &= PTWIST_RESP_MASK;
  1268. /* Hash the proposed solution and see if it is correct; that is, the
  1269. * hash should start with PTWIST_PUZZLE_STRENGTH bits of 0s,
  1270. * followed by the last PTWIST_HASH_SHOWBITS of the tag. */
  1271. md_map_sh256(hashout, value_to_hash, puzzle_len);
  1272. #if PTWIST_PUZZLE_STRENGTH < 32
  1273. /* This assumes that you're on an architecture that doesn't care
  1274. * about alignment, and is little endian. */
  1275. firstbits = *(unsigned int*)hashout;
  1276. if ((firstbits & PTWIST_PUZZLE_MASK) == 0) {
  1277. firstpass = 1;
  1278. }
  1279. #else
  1280. #error "Code assumes PTWIST_PUZZLE_STRENGTH < 32"
  1281. #endif
  1282. if (firstpass) {
  1283. bn_t Hbn, Tbn;
  1284. bn_new(Hbn);
  1285. bn_new(Tbn);
  1286. hashout[PTWIST_HASH_TOTBYTES-1] &= PTWIST_HASH_MASK;
  1287. bn_read_bin(Hbn, hashout, PTWIST_HASH_TOTBYTES, BN_POS);
  1288. bn_rsh(Hbn, Hbn, PTWIST_PUZZLE_STRENGTH);
  1289. bn_read_bin(Tbn, tag+PTWIST_BYTES, PTWIST_TAG_BYTES-PTWIST_BYTES,
  1290. BN_POS);
  1291. bn_rsh(Tbn, Tbn, PTWIST_RESP_BITS);
  1292. ret = (bn_cmp(Tbn,Hbn) != CMP_EQ);
  1293. bn_free(Hbn);
  1294. bn_free(Tbn);
  1295. }
  1296. #else
  1297. /* We're not using a client puzzle, so just check that the first
  1298. * PTWIST_HASH_SHOWBITS bits of the above hash fill out the rest
  1299. * of the tag. If there's no puzzle, PTWIST_HASH_SHOWBITS must be
  1300. * a multiple of 8. */
  1301. ret = (memcmp(tag+PTWIST_BYTES, taghashout, PTWIST_HASH_SHOWBITS/8) != 0);
  1302. #endif
  1303. if (ret == 0) {
  1304. memmove(key, taghashout+16, 16);
  1305. }
  1306. return ret;
  1307. }