ssldump/ssl/ssldecode.c
2024-09-09 08:28:28 +02:00

1397 lines
38 KiB
C

/**
ssldecode.c
Copyright (C) 1999-2000 RTFM, Inc.
All Rights Reserved
This package is a SSLv3/TLS protocol analyzer written by Eric Rescorla
<ekr@rtfm.com> and licensed by RTFM, Inc.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software
must display the following acknowledgement:
This product includes software developed by Eric Rescorla for
RTFM, Inc.
4. Neither the name of RTFM, Inc. nor the name of Eric Rescorla may be
used to endorse or promote products derived from this
software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY ERIC RESCORLA AND RTFM, INC. ``AS IS'' AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY SUCH
DAMAGE.
$Id: ssldecode.c,v 1.9 2002/08/17 01:33:17 ekr Exp $
ekr@rtfm.com Thu Apr 1 09:54:53 1999
*/
#include "network.h"
#include "ssl_h.h"
#include "sslprint.h"
#include "ssl.enums.h"
#ifdef OPENSSL
#include <openssl/err.h>
#include <openssl/kdf.h>
#include <openssl/ssl.h>
#include <openssl/hmac.h>
#include <openssl/evp.h>
#include <openssl/md5.h>
#include <openssl/x509v3.h>
#endif
#include "ssldecode.h"
#include "ssl_rec.h"
#include "r_assoc.h"
#define PRF(ssl, secret, usage, rnd1, rnd2, out) \
(ssl->version == SSLV3_VERSION) \
? ssl3_prf(ssl, secret, usage, rnd1, rnd2, out) \
: ((ssl->version == TLSV12_VERSION) \
? tls12_prf(ssl, secret, usage, rnd1, rnd2, out) \
: tls_prf(ssl, secret, usage, rnd1, rnd2, out))
static char *ssl_password;
extern char *digests[];
extern UINT4 SSL_print_flags;
struct ssl_decode_ctx_ {
#ifdef OPENSSL
SSL_CTX *ssl_ctx;
SSL *ssl;
r_assoc *session_cache;
FILE *ssl_key_log_file;
#else
char dummy; /* Some compilers (Win32) don't like empty
structs */
#endif
};
struct ssl_decoder_ {
ssl_decode_ctx *ctx;
Data *session_id;
SSL_CipherSuite *cs;
Data *client_random;
Data *server_random;
int ephemeral_rsa;
Data *PMS;
Data *MS;
Data *SHTS; // Server Handshake traffic secret
Data *CHTS; // Client Handshake traffic secret
Data *STS; // Server traffic Secret
Data *CTS; // Client traffic secret
Data *handshake_messages;
Data *session_hash;
ssl_rec_decoder *c_to_s;
ssl_rec_decoder *s_to_c;
ssl_rec_decoder *c_to_s_n;
ssl_rec_decoder *s_to_c_n;
};
#ifdef OPENSSL
static int tls_P_hash PROTO_LIST(
(ssl_obj * ssl, Data *secret, Data *seed, char *md_name, Data *out));
static int tls12_prf PROTO_LIST((ssl_obj * ssl,
Data *secret,
char *usage,
Data *rnd1,
Data *rnd2,
Data *out));
static int tls_prf PROTO_LIST((ssl_obj * ssl,
Data *secret,
char *usage,
Data *rnd1,
Data *rnd2,
Data *out));
static int ssl3_prf PROTO_LIST((ssl_obj * ssl,
Data *secret,
char *usage,
Data *rnd1,
Data *rnd2,
Data *out));
static int ssl3_generate_export_iv
PROTO_LIST((ssl_obj * ssl, Data *rnd1, Data *rnd2, Data *out));
static int ssl_generate_keying_material PROTO_LIST((ssl_obj * ssl,
ssl_decoder *d));
static int ssl_generate_session_hash PROTO_LIST((ssl_obj * ssl,
ssl_decoder *d));
static int ssl_read_key_log_file PROTO_LIST((ssl_obj * obj, ssl_decoder *d));
#endif
static int ssl_create_session_lookup_key PROTO_LIST(
(ssl_obj * ssl, UCHAR *id, UINT4 idlen, UCHAR **keyp, UINT4 *keyl));
int ssl_save_session PROTO_LIST((ssl_obj * ssl, ssl_decoder *d));
int ssl_restore_session PROTO_LIST((ssl_obj * ssl, ssl_decoder *d));
/*The password code is not thread safe*/
static int password_cb(char *buf, int num, int rwflag, void *userdata) {
if(num < strlen(ssl_password) + 1)
return 0;
strcpy(buf, ssl_password);
return strlen(ssl_password);
}
int ssl_decode_ctx_create(ssl_decode_ctx **dp,
char *keyfile,
char *pass,
char *keylogfile) {
#ifdef OPENSSL
ssl_decode_ctx *d = 0;
int _status;
SSL_library_init();
OpenSSL_add_all_algorithms();
if(!(d = (ssl_decode_ctx *)malloc(sizeof(ssl_decode_ctx))))
ABORT(R_NO_MEMORY);
if(!(d->ssl_ctx = SSL_CTX_new(SSLv23_server_method())))
ABORT(R_NO_MEMORY);
if(keyfile) {
if(pass) {
ssl_password = pass;
SSL_CTX_set_default_passwd_cb(d->ssl_ctx, password_cb);
}
#if 0
if(SSL_CTX_use_certificate_file(d->ssl_ctx,keyfile,SSL_FILETYPE_PEM)!=1){
fprintf(stderr,"Problem loading certificate file\n");
ABORT(R_INTERNAL);
}
#endif
if(SSL_CTX_use_PrivateKey_file(d->ssl_ctx, keyfile, SSL_FILETYPE_PEM) !=
1) {
fprintf(stderr, "Problem loading private key\n");
ABORT(R_INTERNAL);
}
}
if(!(d->ssl = SSL_new(d->ssl_ctx)))
ABORT(R_NO_MEMORY);
if(r_assoc_create(&d->session_cache))
ABORT(R_NO_MEMORY);
if(keylogfile) {
if(!(d->ssl_key_log_file = fopen(keylogfile, "r"))) {
fprintf(stderr, "Failed to open ssl key log file");
ABORT(R_INTERNAL);
}
} else {
d->ssl_key_log_file = NULL;
}
X509V3_add_standard_extensions();
*dp = d;
_status = 0;
abort:
return _status;
#else
return 0;
#endif
}
int ssl_decode_ctx_destroy(ssl_decode_ctx **dp) {
#ifdef OPENSSL
ssl_decode_ctx *d = *dp;
if(!d)
return 0;
if(d->ssl_key_log_file) {
fclose(d->ssl_key_log_file);
}
r_assoc_destroy(&d->session_cache);
SSL_CTX_free(d->ssl_ctx);
SSL_free(d->ssl);
free(d);
#endif
return 0;
}
int ssl_decoder_create(ssl_decoder **dp, ssl_decode_ctx *ctx) {
int _status;
ssl_decoder *d = 0;
#ifdef OPENSSL
if(!(d = (ssl_decoder *)calloc(1, sizeof(ssl_decoder))))
ABORT(R_NO_MEMORY);
d->ctx = ctx;
*dp = d;
_status = 0;
abort:
if(_status)
ssl_decoder_destroy(&d);
return _status;
#else
return 0;
#endif
}
int ssl_decoder_destroy(ssl_decoder **dp) {
#ifdef OPENSSL
ssl_decoder *d;
if(!dp || !*dp)
return 0;
d = *dp;
r_data_destroy(&d->client_random);
r_data_destroy(&d->server_random);
r_data_destroy(&d->session_id);
r_data_destroy(&d->PMS);
r_data_destroy(&d->MS);
r_data_destroy(&d->handshake_messages);
r_data_destroy(&d->session_hash);
ssl_destroy_rec_decoder(&d->c_to_s);
ssl_destroy_rec_decoder(&d->c_to_s_n);
ssl_destroy_rec_decoder(&d->s_to_c);
ssl_destroy_rec_decoder(&d->s_to_c_n);
free(d);
*dp = 0;
#endif
return 0;
}
int ssl_set_client_random(ssl_decoder *d, UCHAR *msg, int len) {
#ifdef OPENSSL
int r;
r_data_destroy(&d->client_random);
if((r = r_data_create(&d->client_random, msg, len)))
ERETURN(r);
#endif
return 0;
}
int ssl_set_server_random(ssl_decoder *d, UCHAR *msg, int len) {
#ifdef OPENSSL
int r;
r_data_destroy(&d->server_random);
if((r = r_data_create(&d->server_random, msg, len)))
ERETURN(r);
#endif
return 0;
}
int ssl_set_client_session_id(ssl_decoder *d, UCHAR *msg, int len) {
#ifdef OPENSSL
int r;
if(len > 0) {
r_data_destroy(&d->session_id);
if((r = r_data_create(&d->session_id, msg, len)))
ERETURN(r);
}
#endif
return 0;
}
int ssl_process_server_session_id(ssl_obj *ssl,
ssl_decoder *d,
UCHAR *msg,
int len) {
#ifdef OPENSSL
int r, _status;
Data idd;
int restored = 0;
INIT_DATA(idd, msg, len);
if(ssl->version == TLSV13_VERSION) {
// No need to save/restore session in tls1.3 since the only way of
// decrypting is through log file
} else {
/* First check to see if the client tried to restore */
if(d->session_id) {
/* Now check to see if we restored */
if((r = r_data_compare(&idd, d->session_id)))
ABORT(r);
/* Now try to look up the session. We may not be able
to find it if, for instance, the original session
was initiated with something other than static RSA */
if((r = ssl_restore_session(ssl, d)))
ABORT(r);
restored = 1;
}
}
_status = 0;
abort:
if(!restored) {
/* Copy over the session ID */
r_data_destroy(&d->session_id);
r_data_create(&d->session_id, msg, len);
}
return _status;
#else
return 0;
#endif
}
int ssl_process_client_session_id(ssl_obj *ssl,
ssl_decoder *d,
UCHAR *msg,
int len) {
#ifdef OPENSSL
int _status;
/* First check if the client set session id */
// todo: check that session_id in decoder and msg are the same (and if not
// then take from msg?)
if(d->session_id) {
/* Remove the master secret */
// todo: better save and destroy only when successfully read key log
r_data_destroy(&d->MS);
if(d->ctx->ssl_key_log_file && (ssl_read_key_log_file(ssl, d) == 0) &&
d->MS) {
// we found master secret for session in keylog
// try to save session
_status = ssl_save_session(ssl, d);
} else {
// just return error
_status = -1;
}
} else {
_status = -1;
}
return _status;
#else
return 0;
#endif
}
int ssl_process_handshake_finished(ssl_obj *ssl, ssl_decoder *dec, Data *data) {
if(ssl->version == TLSV13_VERSION) {
if(ssl->direction ==
DIR_I2R) { // Change from handshake decoder to data traffic decoder
dec->c_to_s = dec->c_to_s_n;
dec->c_to_s_n = 0;
} else {
dec->s_to_c = dec->s_to_c_n;
dec->s_to_c_n = 0;
}
}
return 0;
}
int ssl_process_change_cipher_spec(ssl_obj *ssl,
ssl_decoder *d,
int direction) {
#ifdef OPENSSL
if(ssl->version != TLSV13_VERSION) {
if(direction == DIR_I2R) {
d->c_to_s = d->c_to_s_n;
d->c_to_s_n = 0;
if(d->c_to_s)
ssl->process_ciphertext |= direction;
} else {
d->s_to_c = d->s_to_c_n;
d->s_to_c_n = 0;
if(d->s_to_c)
ssl->process_ciphertext |= direction;
}
}
#endif
return 0;
}
int ssl_decode_record(ssl_obj *ssl,
ssl_decoder *dec,
int direction,
int ct,
int version,
Data *d) {
ssl_rec_decoder *rd;
UCHAR *out;
int outl;
int r, _status;
UINT4 state;
if(dec)
rd = (direction == DIR_I2R) ? dec->c_to_s : dec->s_to_c;
else
rd = 0;
state = (direction == DIR_I2R) ? ssl->i_state : ssl->r_state;
if(ssl->version == TLSV13_VERSION &&
ct != 23) { // Only type 23 is encrypted in tls1.3
ssl->record_encryption = REC_PLAINTEXT;
return 0;
} else if(!rd) {
if(state & SSL_ST_SENT_CHANGE_CIPHER_SPEC) {
ssl->record_encryption = REC_CIPHERTEXT;
return SSL_NO_DECRYPT;
} else {
ssl->record_encryption = REC_PLAINTEXT;
return 0;
}
}
ssl->record_encryption = REC_CIPHERTEXT;
#ifdef OPENSSL
if(!(out = (UCHAR *)malloc(d->len)))
ABORT(R_NO_MEMORY);
if(ssl->version == TLSV13_VERSION) {
r = tls13_decode_rec_data(ssl, rd, ct, version, d->data, d->len, out,
&outl);
} else {
r = ssl_decode_rec_data(ssl, rd, ct, version, d->data, d->len, out, &outl);
}
if(r) {
ABORT(r);
}
memcpy(d->data, out, outl);
d->len = outl;
ssl->record_encryption = REC_DECRYPTED_CIPHERTEXT;
_status = 0;
abort:
FREE(out);
return _status;
#else
return 0;
#endif
}
int ssl_update_handshake_messages(ssl_obj *ssl, Data *data) {
#ifdef OPENSSL
Data *hms;
UCHAR *d;
int l, r;
hms = ssl->decoder->handshake_messages;
d = data->data - 4;
l = data->len + 4;
if(hms) {
if(!(hms->data = realloc(hms->data, l + hms->len)))
ERETURN(R_NO_MEMORY);
memcpy(hms->data + hms->len, d, l);
hms->len += l;
} else {
if((r = r_data_create(&hms, d, l)))
ERETURN(r);
ssl->decoder->handshake_messages = hms;
}
#endif
return 0;
}
static int ssl_create_session_lookup_key(ssl_obj *ssl,
UCHAR *id,
UINT4 idlen,
UCHAR **keyp,
UINT4 *keyl) {
UCHAR *key = 0;
UINT4 l;
int _status;
l = idlen + strlen(ssl->server_name) + idlen + 15; /* HOST + PORT + id */
if(!(key = (UCHAR *)malloc(l)))
ABORT(R_NO_MEMORY);
*keyp = key;
memcpy(key, id, idlen);
*keyl = idlen;
key += idlen;
snprintf((char *)key, l, "%s:%d", ssl->server_name, ssl->server_port);
*keyl += strlen((char *)key);
_status = 0;
abort:
return _status;
}
/* Look up the session id in the session cache and generate
the appropriate keying material */
int ssl_restore_session(ssl_obj *ssl, ssl_decoder *d) {
UCHAR *lookup_key = 0;
void *msv;
Data *msd;
int lookup_key_len;
int r, _status;
#ifdef OPENSSL
if((r = ssl_create_session_lookup_key(ssl, d->session_id->data,
d->session_id->len, &lookup_key,
(UINT4 *)&lookup_key_len)))
ABORT(r);
if((r = r_assoc_fetch(d->ctx->session_cache, (char *)lookup_key,
lookup_key_len, &msv)))
ABORT(r);
msd = (Data *)msv;
if((r = r_data_create(&d->MS, msd->data, msd->len)))
ABORT(r);
CRDUMPD("Restored MS", d->MS);
switch(ssl->version) {
case SSLV3_VERSION:
case TLSV1_VERSION:
case TLSV11_VERSION:
case TLSV12_VERSION:
case TLSV13_VERSION:
if((r = ssl_generate_keying_material(ssl, d)))
ABORT(r);
break;
default:
ABORT(SSL_CANT_DO_CIPHER);
}
_status = 0;
abort:
FREE(lookup_key);
return _status;
#else
return 0;
#endif
}
/* Look up the session id in the session cache and generate
the appropriate keying material */
int ssl_save_session(ssl_obj *ssl, ssl_decoder *d) {
#ifdef OPENSSL
UCHAR *lookup_key = 0;
Data *msd = 0;
int lookup_key_len;
int r, _status;
if((r = ssl_create_session_lookup_key(ssl, d->session_id->data,
d->session_id->len, &lookup_key,
(UINT4 *)&lookup_key_len)))
ABORT(r);
if((r = r_data_create(&msd, d->MS->data, d->MS->len)))
ABORT(r);
if((r = r_assoc_insert(d->ctx->session_cache, (char *)lookup_key,
lookup_key_len, (void *)msd, 0,
(int (*)(void *))r_data_zfree,
R_ASSOC_NEW | R_ASSOC_REPLACE)))
ABORT(r);
_status = 0;
abort:
if(_status) {
r_data_zfree(msd);
}
FREE(lookup_key);
return _status;
#else
return 0;
#endif
}
/* This only works with RSA because the other cipher suites
offer PFS. Yuck. */
int ssl_process_client_key_exchange(ssl_obj *ssl,
ssl_decoder *d,
UCHAR *msg,
int len) {
#ifdef OPENSSL
int r, _status;
size_t i;
EVP_PKEY *pk;
BIGNUM *n;
/* Remove the master secret if it was there
to force keying material regeneration in
case we're renegotiating */
r_data_destroy(&d->MS);
if(!d->ctx->ssl_key_log_file || ssl_read_key_log_file(ssl, d) || !d->MS) {
if(ssl->cs->kex != KEX_RSA)
return -1;
if(d->ephemeral_rsa)
return -1;
pk = SSL_get_privatekey(d->ctx->ssl);
if(!pk)
return -1;
if(EVP_PKEY_id(pk) != EVP_PKEY_RSA)
return -1;
EVP_PKEY_get_bn_param(pk, "priv", &n);
if((r = r_data_alloc(&d->PMS, BN_num_bytes(n))))
ABORT(r);
EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new(pk, NULL);
EVP_PKEY_decrypt_init(ctx);
EVP_PKEY_decrypt(ctx, d->PMS->data, &i, msg, len);
EVP_PKEY_CTX_free(ctx);
EVP_PKEY_free(pk);
if(i != 48)
ABORT(SSL_BAD_PMS);
d->PMS->len = 48;
CRDUMPD("PMS", d->PMS);
}
switch(ssl->version) {
case SSLV3_VERSION:
case TLSV1_VERSION:
case TLSV11_VERSION:
case TLSV12_VERSION:
case TLSV13_VERSION:
if((r = ssl_generate_keying_material(ssl, d)))
ABORT(r);
break;
default:
ABORT(SSL_CANT_DO_CIPHER);
}
/* Now store the data in the session cache */
if((r = ssl_save_session(ssl, d)))
ABORT(r);
_status = 0;
abort:
return _status;
#else
return 0;
#endif
}
#ifdef OPENSSL
static int tls_P_hash(ssl_obj *ssl,
Data *secret,
Data *seed,
char *md_name,
Data *out) {
UCHAR *ptr = out->data;
int left = out->len;
int tocpy;
UCHAR *A;
UCHAR _A[128], tmp[128];
size_t A_l, tmp_l;
OSSL_PARAM params[2];
EVP_MAC *hmac = EVP_MAC_fetch(NULL, "HMAC", NULL);
EVP_MAC_CTX *mac_ctx = EVP_MAC_CTX_new(hmac);
EVP_MAC_free(hmac);
params[0] = OSSL_PARAM_construct_utf8_string("digest", md_name, 0);
params[1] = OSSL_PARAM_construct_end();
CRDUMPD("P_hash secret", secret);
CRDUMPD("P_hash seed", seed);
A = seed->data;
A_l = seed->len;
while(left) {
EVP_MAC_init(mac_ctx, secret->data, secret->len, params);
EVP_MAC_update(mac_ctx, A, A_l);
EVP_MAC_final(mac_ctx, (unsigned char *) &_A, &A_l, sizeof(_A));
A = _A;
EVP_MAC_init(mac_ctx, secret->data, secret->len, params);
EVP_MAC_update(mac_ctx, A, A_l);
EVP_MAC_update(mac_ctx, seed->data, seed->len);
EVP_MAC_final(mac_ctx, (unsigned char *) &tmp, &tmp_l, sizeof(tmp));
tocpy = MIN(left, tmp_l);
memcpy(ptr, tmp, tocpy);
ptr += tocpy;
left -= tocpy;
}
EVP_MAC_CTX_free(mac_ctx);
CRDUMPD("P_hash out", out);
return 0;
}
static int tls_prf(ssl_obj *ssl,
Data *secret,
char *usage,
Data *rnd1,
Data *rnd2,
Data *out) {
int r, _status;
Data *md5_out = 0, *sha_out = 0;
Data *seed;
UCHAR *ptr;
Data *S1 = 0, *S2 = 0;
int i, S_l;
if((r = r_data_alloc(&md5_out, MAX(out->len, 16))))
ABORT(r);
if((r = r_data_alloc(&sha_out, MAX(out->len, 20))))
ABORT(r);
if((r = r_data_alloc(&seed, strlen(usage) + rnd1->len + rnd2->len)))
ABORT(r);
ptr = seed->data;
memcpy(ptr, usage, strlen(usage));
ptr += strlen(usage);
memcpy(ptr, rnd1->data, rnd1->len);
ptr += rnd1->len;
memcpy(ptr, rnd2->data, rnd2->len);
ptr += rnd2->len;
S_l = secret->len / 2 + secret->len % 2;
if((r = r_data_alloc(&S1, S_l)))
ABORT(r);
if((r = r_data_alloc(&S2, S_l)))
ABORT(r);
memcpy(S1->data, secret->data, S_l);
memcpy(S2->data, secret->data + (secret->len - S_l), S_l);
if((r = tls_P_hash(ssl, S1, seed, "MD5", md5_out)))
ABORT(r);
if((r = tls_P_hash(ssl, S2, seed, "SHA1", sha_out)))
ABORT(r);
for(i = 0; i < out->len; i++)
out->data[i] = md5_out->data[i] ^ sha_out->data[i];
CRDUMPD("PRF out", out);
_status = 0;
abort:
r_data_destroy(&md5_out);
r_data_destroy(&sha_out);
r_data_destroy(&seed);
r_data_destroy(&S1);
r_data_destroy(&S2);
return _status;
}
static int tls12_prf(ssl_obj *ssl,
Data *secret,
char *usage,
Data *rnd1,
Data *rnd2,
Data *out)
{
const EVP_MD *md;
int r, _status;
Data *sha_out = 0;
Data *seed;
UCHAR *ptr;
int i, dgi;
if((r = r_data_alloc(&sha_out, MAX(out->len, 64)))) /* assume max SHA512 */
ABORT(r);
if((r = r_data_alloc(&seed, strlen(usage) + rnd1->len + rnd2->len)))
ABORT(r);
ptr = seed->data;
memcpy(ptr, usage, strlen(usage));
ptr += strlen(usage);
memcpy(ptr, rnd1->data, rnd1->len);
ptr += rnd1->len;
memcpy(ptr, rnd2->data, rnd2->len);
ptr += rnd2->len;
/* Earlier versions of openssl didn't have SHA256 of course... */
dgi = MAX(DIG_SHA256, ssl->cs->dig);
dgi -= 0x40;
if((md = EVP_get_digestbyname(digests[dgi])) == NULL) {
DBG((0, "Cannot get EVP for digest %s, openssl library current?",
digests[dgi]));
ERETURN(SSL_BAD_MAC);
}
if((r = tls_P_hash(ssl, secret, seed, digests[dgi], sha_out)))
ABORT(r);
for(i = 0; i < out->len; i++)
out->data[i] = sha_out->data[i];
CRDUMPD("PRF out", out);
_status = 0;
abort:
r_data_destroy(&sha_out);
r_data_destroy(&seed);
return _status;
}
static int ssl3_generate_export_iv(ssl_obj *ssl,
Data *r1,
Data *r2,
Data *out) {
UCHAR tmp[16];
unsigned int tmp_len;
EVP_MD_CTX *mdctx;
mdctx = EVP_MD_CTX_new();
EVP_DigestInit(mdctx, EVP_get_digestbyname("MD5"));
EVP_DigestUpdate(mdctx, r1->data, r1->len);
EVP_DigestUpdate(mdctx, r2->data, r2->len);
EVP_DigestFinal_ex(mdctx, tmp, &tmp_len);
EVP_MD_CTX_free(mdctx);
memcpy(out->data, tmp, tmp_len);
return 0;
}
static int ssl3_prf(ssl_obj *ssl,
Data *secret,
char *usage,
Data *r1,
Data *r2,
Data *out) {
EVP_MD_CTX *md5_ctx;
EVP_MD_CTX *sha1_ctx;
Data *rnd1, *rnd2;
int off;
int i = 0, j;
UCHAR buf[20];
unsigned int buf_len;
rnd1 = r1;
rnd2 = r2;
CRDUMPD("Secret", secret);
CRDUMPD("RND1", rnd1);
CRDUMPD("RND2", rnd2);
md5_ctx = EVP_MD_CTX_new();
EVP_DigestInit(md5_ctx, EVP_get_digestbyname("MD5"));
sha1_ctx = EVP_MD_CTX_new();
EVP_DigestInit(sha1_ctx, EVP_get_digestbyname("SHA1"));
for(off = 0; off < out->len; off += 16) {
char outbuf[16];
unsigned int outbuf_len;
int tocpy;
i++;
/* A, BB, CCC, ... */
for(j = 0; j < i; j++) {
buf[j] = 64 + i;
}
EVP_DigestUpdate(sha1_ctx, buf, i);
CRDUMP("BUF", buf, i);
if(secret)
EVP_DigestUpdate(sha1_ctx, secret->data, secret->len);
CRDUMPD("secret", secret);
if(!strcmp(usage, "client write key") ||
!strcmp(usage, "server write key")) {
EVP_DigestUpdate(sha1_ctx, rnd2->data, rnd2->len);
CRDUMPD("rnd2", rnd2);
EVP_DigestUpdate(sha1_ctx, rnd1->data, rnd1->len);
CRDUMPD("rnd1", rnd1);
} else {
EVP_DigestUpdate(sha1_ctx, rnd1->data, rnd1->len);
CRDUMPD("rnd1", rnd1);
EVP_DigestUpdate(sha1_ctx, rnd2->data, rnd2->len);
CRDUMPD("rnd2", rnd2);
}
EVP_DigestFinal_ex(sha1_ctx, buf, &buf_len);
EVP_MD_CTX_free(sha1_ctx);
CRDUMP("SHA out", buf, 20);
sha1_ctx = EVP_MD_CTX_new();
EVP_DigestInit(sha1_ctx, EVP_get_digestbyname("SHA1"));
EVP_DigestUpdate(md5_ctx, secret->data, secret->len);
EVP_DigestUpdate(md5_ctx, buf, 20);
EVP_DigestFinal_ex(md5_ctx, outbuf, &outbuf_len);
EVP_MD_CTX_free(md5_ctx);
tocpy = MIN(out->len - off, 16);
memcpy(out->data + off, outbuf, tocpy);
CRDUMP("MD5 out", (UCHAR *)outbuf, 16);
md5_ctx = EVP_MD_CTX_new();
EVP_DigestInit(md5_ctx, EVP_get_digestbyname("MD5"));
}
return 0;
}
static int ssl_generate_keying_material(ssl_obj *ssl, ssl_decoder *d) {
Data *key_block = 0, temp;
UCHAR _iv_c[8], _iv_s[8];
UCHAR _key_c[16], _key_s[16];
unsigned int _key_c_len, _key_s_len;
int needed;
int r, _status;
UCHAR *ptr, *c_wk, *s_wk, *c_mk = NULL, *s_mk = NULL, *c_iv = NULL,
*s_iv = NULL;
if(!d->MS) {
if((r = r_data_alloc(&d->MS, 48)))
ABORT(r);
if(ssl->extensions->extended_master_secret == 2) {
if((r = ssl_generate_session_hash(ssl, d)))
ABORT(r);
temp.len = 0;
if((r = PRF(ssl, d->PMS, "extended master secret", d->session_hash, &temp,
d->MS)))
ABORT(r);
} else if((r = PRF(ssl, d->PMS, "master secret", d->client_random,
d->server_random, d->MS)))
ABORT(r);
CRDUMPD("MS", d->MS);
}
/* Compute the key block. First figure out how much data
we need*/
/* Ideally find a cleaner way to check for AEAD cipher */
needed = !IS_AEAD_CIPHER(ssl->cs) ? ssl->cs->dig_len * 2 : 0;
needed += ssl->cs->bits / 4;
if(ssl->cs->block > 1)
needed += ssl->cs->block * 2;
if((r = r_data_alloc(&key_block, needed)))
ABORT(r);
if((r = PRF(ssl, d->MS, "key expansion", d->server_random, d->client_random,
key_block)))
ABORT(r);
ptr = key_block->data;
/* Ideally find a cleaner way to check for AEAD cipher */
if(!IS_AEAD_CIPHER(ssl->cs)) {
c_mk = ptr;
ptr += ssl->cs->dig_len;
s_mk = ptr;
ptr += ssl->cs->dig_len;
}
c_wk = ptr;
ptr += ssl->cs->eff_bits / 8;
s_wk = ptr;
ptr += ssl->cs->eff_bits / 8;
if(ssl->cs->block > 1) {
c_iv = ptr;
ptr += ssl->cs->block;
s_iv = ptr;
ptr += ssl->cs->block;
}
if(ssl->cs->export) {
Data iv_c, iv_s;
Data key_c, key_s;
Data k;
if(ssl->cs->block > 1) {
ATTACH_DATA(iv_c, _iv_c);
ATTACH_DATA(iv_s, _iv_s);
if(ssl->version == SSLV3_VERSION) {
if((r = ssl3_generate_export_iv(ssl, d->client_random, d->server_random,
&iv_c)))
ABORT(r);
if((r = ssl3_generate_export_iv(ssl, d->server_random, d->client_random,
&iv_s)))
ABORT(r);
} else {
UCHAR _iv_block[16];
Data iv_block;
Data key_null;
UCHAR _key_null;
INIT_DATA(key_null, &_key_null, 0);
/* We only have room for 8 bit IVs, but that's
all we should need. This is a sanity check */
if(ssl->cs->block > 8)
ABORT(R_INTERNAL);
ATTACH_DATA(iv_block, _iv_block);
if((r = PRF(ssl, &key_null, "IV block", d->client_random,
d->server_random, &iv_block)))
ABORT(r);
memcpy(_iv_c, iv_block.data, 8);
memcpy(_iv_s, iv_block.data + 8, 8);
}
c_iv = _iv_c;
s_iv = _iv_s;
}
if(ssl->version == SSLV3_VERSION) {
EVP_MD_CTX *mdctx;
mdctx = EVP_MD_CTX_new();
EVP_DigestInit(mdctx, EVP_get_digestbyname("MD5"));
EVP_DigestUpdate(mdctx, c_wk, ssl->cs->eff_bits / 8);
EVP_DigestUpdate(mdctx, d->client_random->data, d->client_random->len);
EVP_DigestUpdate(mdctx, d->server_random->data, d->server_random->len);
EVP_DigestFinal_ex(mdctx, _key_c, &_key_c_len);
EVP_MD_CTX_free(mdctx);
c_wk = _key_c;
mdctx = EVP_MD_CTX_new();
EVP_DigestInit(mdctx, EVP_get_digestbyname("MD5"));
EVP_DigestUpdate(mdctx, s_wk, ssl->cs->eff_bits / 8);
EVP_DigestUpdate(mdctx, d->server_random->data, d->server_random->len);
EVP_DigestUpdate(mdctx, d->client_random->data, d->client_random->len);
EVP_DigestFinal_ex(mdctx, _key_s, &_key_s_len);
EVP_MD_CTX_free(mdctx);
s_wk = _key_s;
} else {
ATTACH_DATA(key_c, _key_c);
ATTACH_DATA(key_s, _key_s);
INIT_DATA(k, c_wk, ssl->cs->eff_bits / 8);
if((r = PRF(ssl, &k, "client write key", d->client_random,
d->server_random, &key_c)))
ABORT(r);
c_wk = _key_c;
INIT_DATA(k, s_wk, ssl->cs->eff_bits / 8);
if((r = PRF(ssl, &k, "server write key", d->client_random,
d->server_random, &key_s)))
ABORT(r);
s_wk = _key_s;
}
}
if(!IS_AEAD_CIPHER(ssl->cs)) {
CRDUMP("Client MAC key", c_mk, ssl->cs->dig_len);
CRDUMP("Server MAC key", s_mk, ssl->cs->dig_len);
}
CRDUMP("Client Write key", c_wk, ssl->cs->bits / 8);
CRDUMP("Server Write key", s_wk, ssl->cs->bits / 8);
if(ssl->cs->block > 1) {
CRDUMP("Client Write IV", c_iv, ssl->cs->block);
CRDUMP("Server Write IV", s_iv, ssl->cs->block);
}
if((r = ssl_create_rec_decoder(&d->c_to_s_n, ssl, c_mk, c_wk, c_iv)))
ABORT(r);
if((r = ssl_create_rec_decoder(&d->s_to_c_n, ssl, s_mk, s_wk, s_iv)))
ABORT(r);
_status = 0;
abort:
if(key_block) {
r_data_zfree(key_block);
free(key_block);
}
return _status;
}
static int hkdf_expand_label(ssl_obj *ssl,
ssl_decoder *d,
Data *secret,
char *label,
Data *context,
uint16_t length,
UCHAR **out) {
int r = -1;
size_t outlen = length;
EVP_PKEY_CTX *pctx;
pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL);
Data hkdf_label;
UCHAR *ptr;
// Construct HkdfLabel
hkdf_label.data = ptr = malloc(512);
*(uint16_t *)ptr = ntohs(length);
ptr += 2;
*(uint8_t *)ptr++ = 6 + (label ? strlen(label) : 0);
memcpy(ptr, "tls13 ", 6);
ptr += 6;
if(label) {
memcpy(ptr, label, strlen(label));
ptr += strlen(label);
}
*(uint8_t *)ptr++ = context ? context->len : 0;
if(context) {
memcpy(ptr, context->data, context->len);
ptr += context->len;
}
hkdf_label.len = ptr - hkdf_label.data;
CRDUMPD("hkdf_label", &hkdf_label);
// Load parameters
*out = malloc(length);
if(EVP_PKEY_derive_init(pctx) <= 0) {
fprintf(stderr, "EVP_PKEY_derive_init failed\n");
}
/* Error */
if(EVP_PKEY_CTX_hkdf_mode(pctx, EVP_PKEY_HKDEF_MODE_EXPAND_ONLY) <= 0) {
fprintf(stderr, "EVP_PKEY_CTX_hkdf_mode failed\n");
goto abort;
}
if(EVP_PKEY_CTX_set_hkdf_md(
pctx, EVP_get_digestbyname(digests[ssl->cs->dig - 0x40])) <= 0) {
fprintf(stderr, "EVP_PKEY_CTX_set_hkdf_md failed\n");
goto abort;
}
if(EVP_PKEY_CTX_set1_hkdf_key(pctx, secret->data, secret->len) <= 0) {
fprintf(stderr, "EVP_PKEY_CTX_set_hkdf_md failed\n");
goto abort;
}
if(EVP_PKEY_CTX_add1_hkdf_info(pctx, hkdf_label.data, hkdf_label.len) <= 0) {
fprintf(stderr, "EVP_PKEY_CTX_add1_hkdf_info failed\n");
goto abort;
}
if(EVP_PKEY_derive(pctx, *out, &outlen) <= 0) {
fprintf(stderr, "EVP_PKEY_derive failed\n");
goto abort;
}
CRDUMP("out_hkdf", *out, outlen);
return 0;
abort:
ERR_print_errors_fp(stderr);
return r;
}
// Will update the keys for the particular direction
int ssl_tls13_update_keying_material(ssl_obj *ssl,
ssl_decoder *d,
int direction) {
Data *secret;
ssl_rec_decoder *decoder;
UCHAR *newsecret;
UCHAR *newkey;
UCHAR *newiv;
if(direction == DIR_I2R) {
secret = d->CTS;
decoder = d->c_to_s;
} else {
secret = d->STS;
decoder = d->s_to_c;
}
hkdf_expand_label(ssl, d, secret, "traffic upd", NULL, ssl->cs->dig_len,
&newsecret);
secret->data = newsecret;
hkdf_expand_label(ssl, d, secret, "key", NULL, ssl->cs->eff_bits / 8,
&newkey);
hkdf_expand_label(ssl, d, secret, "iv", NULL, 12, &newiv);
tls13_update_rec_key(decoder, newkey, newiv);
return 0;
}
int ssl_tls13_generate_keying_material(ssl_obj *ssl, ssl_decoder *d) {
int r, _status;
UCHAR *s_wk_h, *s_iv_h, *c_wk_h, *c_iv_h, *s_wk, *s_iv, *c_wk, *c_iv;
if(!(d->ctx->ssl_key_log_file && ssl_read_key_log_file(ssl, d) == 0 &&
d->SHTS && d->CHTS && d->STS && d->CTS)) {
ABORT(-1);
}
// It is 12 for all ciphers
if(hkdf_expand_label(ssl, d, d->SHTS, "key", NULL, ssl->cs->eff_bits / 8,
&s_wk_h)) {
fprintf(stderr, "s_wk_h hkdf_expand_label failed\n");
ABORT(-1);
}
if(hkdf_expand_label(ssl, d, d->SHTS, "iv", NULL, 12, &s_iv_h)) {
fprintf(stderr, "s_iv_h hkdf_expand_label failed\n");
ABORT(-1);
}
if(hkdf_expand_label(ssl, d, d->CHTS, "key", NULL, ssl->cs->eff_bits / 8,
&c_wk_h)) {
fprintf(stderr, "c_wk_h hkdf_expand_label failed\n");
ABORT(-1);
}
if(hkdf_expand_label(ssl, d, d->CHTS, "iv", NULL, 12, &c_iv_h)) {
fprintf(stderr, "c_iv_h hkdf_expand_label failed\n");
ABORT(-1);
}
if(hkdf_expand_label(ssl, d, d->STS, "key", NULL, ssl->cs->eff_bits / 8,
&s_wk)) {
fprintf(stderr, "s_wk hkdf_expand_label failed\n");
ABORT(-1);
}
if(hkdf_expand_label(ssl, d, d->STS, "iv", NULL, 12, &s_iv)) {
fprintf(stderr, "s_iv hkdf_expand_label failed\n");
ABORT(-1);
}
if(hkdf_expand_label(ssl, d, d->CTS, "key", NULL, ssl->cs->eff_bits / 8,
&c_wk)) {
fprintf(stderr, "c_wk hkdf_expand_label failed\n");
ABORT(-1);
}
if(hkdf_expand_label(ssl, d, d->CTS, "iv", NULL, 12, &c_iv)) {
fprintf(stderr, "c_iv hkdf_expand_label failed\n");
ABORT(-1);
}
CRDUMP("Server Handshake Write key", s_wk_h, ssl->cs->eff_bits / 8);
CRDUMP("Server Handshake IV", s_iv_h, 12);
CRDUMP("Client Handshake Write key", c_wk_h, ssl->cs->eff_bits / 8);
CRDUMP("Client Handshake IV", c_iv_h, 12);
CRDUMP("Server Write key", s_wk, ssl->cs->eff_bits / 8);
CRDUMP("Server IV", s_iv, 12);
CRDUMP("Client Write key", c_wk, ssl->cs->eff_bits / 8);
CRDUMP("Client IV", c_iv, 12);
if((r = ssl_create_rec_decoder(&d->c_to_s_n, ssl, NULL, c_wk, c_iv)))
ABORT(r);
if((r = ssl_create_rec_decoder(&d->s_to_c_n, ssl, NULL, s_wk, s_iv)))
ABORT(r);
if((r = ssl_create_rec_decoder(&d->c_to_s, ssl, NULL, c_wk_h, c_iv_h)))
ABORT(r);
if((r = ssl_create_rec_decoder(&d->s_to_c, ssl, NULL, s_wk_h, s_iv_h)))
ABORT(r);
return 0;
abort:
return _status;
}
static int ssl_generate_session_hash(ssl_obj *ssl, ssl_decoder *d) {
int r, _status, dgi;
unsigned int len;
const EVP_MD *md;
EVP_MD_CTX *dgictx = EVP_MD_CTX_create();
if((r = r_data_alloc(&d->session_hash, EVP_MAX_MD_SIZE)))
ABORT(r);
switch(ssl->version) {
case TLSV12_VERSION:
dgi = MAX(DIG_SHA256, ssl->cs->dig) - 0x40;
if((md = EVP_get_digestbyname(digests[dgi])) == NULL) {
DBG((0, "Cannot get EVP for digest %s, openssl library current?",
digests[dgi]));
ERETURN(SSL_BAD_MAC);
}
EVP_DigestInit(dgictx, md);
EVP_DigestUpdate(dgictx, d->handshake_messages->data,
d->handshake_messages->len);
EVP_DigestFinal(dgictx, d->session_hash->data,
(unsigned int *)&d->session_hash->len);
break;
case SSLV3_VERSION:
case TLSV1_VERSION:
case TLSV11_VERSION:
EVP_DigestInit(dgictx, EVP_get_digestbyname("MD5"));
EVP_DigestUpdate(dgictx, d->handshake_messages->data,
d->handshake_messages->len);
EVP_DigestFinal_ex(dgictx, d->session_hash->data,
(unsigned int *)&d->session_hash->len);
EVP_DigestInit(dgictx, EVP_get_digestbyname("SHA1"));
EVP_DigestUpdate(dgictx, d->handshake_messages->data,
d->handshake_messages->len);
EVP_DigestFinal(dgictx, d->session_hash->data + d->session_hash->len,
&len);
d->session_hash->len += len;
break;
default:
ABORT(SSL_CANT_DO_CIPHER);
}
_status = 0;
abort:
return _status;
}
static int read_hex_string(char *str, UCHAR *buf, int n) {
unsigned int t;
int i;
for(i = 0; i < n; i++) {
if(sscanf(str + i * 2, "%02x", &t) != 1)
return -1;
buf[i] = (char)t;
}
return 0;
}
static int ssl_read_key_log_file(ssl_obj *ssl, ssl_decoder *d) {
int r = -1;
int _status, n, i;
size_t l = 0;
char *line, *d_client_random, *label, *client_random, *secret;
if(ssl->version == TLSV13_VERSION &&
!ssl->cs) // ssl->cs is not set when called from
// ssl_process_client_session_id
ABORT(r);
if(!(d_client_random = malloc((d->client_random->len * 2) + 1)))
ABORT(r);
for(i = 0; i < d->client_random->len; i++)
if(snprintf(d_client_random + (i * 2), 3, "%02x",
d->client_random->data[i]) != 2)
ABORT(r);
while((n = getline(&line, &l, d->ctx->ssl_key_log_file)) != -1) {
if(line[n - 1] == '\n')
line[n - 1] = '\0';
if(!(label = strtok(line, " ")))
continue;
if(!(client_random = strtok(NULL, " ")) || strlen(client_random) != 64 ||
STRNICMP(client_random, d_client_random, 64))
continue;
secret = strtok(NULL, " ");
if(!(secret) ||
strlen(secret) !=
(ssl->version == TLSV13_VERSION ? ssl->cs->dig_len * 2 : 96))
continue;
if(!strncmp(label, "CLIENT_RANDOM", 13)) {
if((r = r_data_alloc(&d->MS, 48)))
ABORT(r);
if(read_hex_string(secret, d->MS->data, 48))
ABORT(r);
}
if(ssl->version != TLSV13_VERSION)
continue;
if(!strncmp(label, "SERVER_HANDSHAKE_TRAFFIC_SECRET", 31)) {
if((r = r_data_alloc(&d->SHTS, ssl->cs->dig_len)))
ABORT(r);
if(read_hex_string(secret, d->SHTS->data, ssl->cs->dig_len))
ABORT(r);
} else if(!strncmp(label, "CLIENT_HANDSHAKE_TRAFFIC_SECRET", 31)) {
if((r = r_data_alloc(&d->CHTS, ssl->cs->dig_len)))
ABORT(r);
if(read_hex_string(secret, d->CHTS->data, ssl->cs->dig_len))
ABORT(r);
} else if(!strncmp(label, "SERVER_TRAFFIC_SECRET_0", 23)) {
if((r = r_data_alloc(&d->STS, ssl->cs->dig_len)))
ABORT(r);
if(read_hex_string(secret, d->STS->data, ssl->cs->dig_len))
ABORT(r);
} else if(!strncmp(label, "CLIENT_TRAFFIC_SECRET_0", 23)) {
if((r = r_data_alloc(&d->CTS, ssl->cs->dig_len)))
ABORT(r);
if(read_hex_string(secret, d->CTS->data, ssl->cs->dig_len))
ABORT(r);
}
/*
Eventually add support for other labels defined here:
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Key_Log_Format
*/
}
_status = 0;
abort:
if(d->ctx->ssl_key_log_file != NULL)
fseek(d->ctx->ssl_key_log_file, 0, SEEK_SET);
return _status;
}
#endif