1 /*
2 * devtls - record layer for transport layer security 1.0, 1.1, 1.2 and secure sockets layer 3.0
3 */
4 #include "u.h"
5 #include "../port/lib.h"
6 #include "mem.h"
7 #include "dat.h"
8 #include "fns.h"
9 #include "../port/error.h"
10
11 #include <libsec.h>
12
13 typedef struct OneWay OneWay;
14 typedef struct Secret Secret;
15 typedef struct TlsRec TlsRec;
16 typedef struct TlsErrs TlsErrs;
17
18 enum {
19 Statlen= 1024, /* max. length of status or stats message */
20 /* buffer limits */
21 MaxRecLen = 1<<14, /* max payload length of a record layer message */
22 MaxCipherRecLen = MaxRecLen + 2048,
23 RecHdrLen = 5,
24 MaxMacLen = SHA2_256dlen,
25
26 /* protocol versions we can accept */
27 SSL3Version = 0x0300,
28 TLS10Version = 0x0301,
29 TLS11Version = 0x0302,
30 TLS12Version = 0x0303,
31 MinProtoVersion = 0x0300, /* limits on version we accept */
32 MaxProtoVersion = 0x03ff,
33
34 /* connection states */
35 SHandshake = 1 << 0, /* doing handshake */
36 SOpen = 1 << 1, /* application data can be sent */
37 SRClose = 1 << 2, /* remote side has closed down */
38 SLClose = 1 << 3, /* sent a close notify alert */
39 SAlert = 1 << 5, /* sending or sent a fatal alert */
40 SError = 1 << 6, /* some sort of error has occured */
41 SClosed = 1 << 7, /* it is all over */
42
43 /* record types */
44 RChangeCipherSpec = 20,
45 RAlert,
46 RHandshake,
47 RApplication,
48
49 SSL2ClientHello = 1,
50 HSSL2ClientHello = 9, /* local convention; see tlshand.c */
51
52 /* alerts */
53 ECloseNotify = 0,
54 EUnexpectedMessage = 10,
55 EBadRecordMac = 20,
56 EDecryptionFailed = 21,
57 ERecordOverflow = 22,
58 EDecompressionFailure = 30,
59 EHandshakeFailure = 40,
60 ENoCertificate = 41,
61 EBadCertificate = 42,
62 EUnsupportedCertificate = 43,
63 ECertificateRevoked = 44,
64 ECertificateExpired = 45,
65 ECertificateUnknown = 46,
66 EIllegalParameter = 47,
67 EUnknownCa = 48,
68 EAccessDenied = 49,
69 EDecodeError = 50,
70 EDecryptError = 51,
71 EExportRestriction = 60,
72 EProtocolVersion = 70,
73 EInsufficientSecurity = 71,
74 EInternalError = 80,
75 EUserCanceled = 90,
76 ENoRenegotiation = 100,
77 EUnrecognizedName = 112,
78
79 EMAX = 256
80 };
81
82 struct Secret
83 {
84 char *encalg; /* name of encryption alg */
85 char *hashalg; /* name of hash alg */
86 int (*enc)(Secret*, uchar*, int);
87 int (*dec)(Secret*, uchar*, int);
88 int (*unpad)(uchar*, int, int);
89 DigestState *(*mac)(uchar*, ulong, uchar*, ulong, uchar*, DigestState*);
90 int block; /* encryption block len, 0 if none */
91 int maclen;
92 void *enckey;
93 uchar mackey[MaxMacLen];
94 };
95
96 struct OneWay
97 {
98 QLock io; /* locks io access */
99 QLock seclock; /* locks secret paramaters */
100 ulong seq;
101 Secret *sec; /* cipher in use */
102 Secret *new; /* cipher waiting for enable */
103 };
104
105 struct TlsRec
106 {
107 Chan *c; /* io channel */
108 int ref; /* serialized by tdlock for atomic destroy */
109 int version; /* version of the protocol we are speaking */
110 char verset; /* version has been set */
111 char opened; /* opened command every issued? */
112 char err[ERRMAX]; /* error message to return to handshake requests */
113 vlong handin; /* bytes communicated by the record layer */
114 vlong handout;
115 vlong datain;
116 vlong dataout;
117
118 Lock statelk;
119 int state;
120 int debug;
121
122 /* record layer mac functions for different protocol versions */
123 void (*packMac)(Secret*, uchar*, uchar*, uchar*, uchar*, int, uchar*);
124
125 /* input side -- protected by in.io */
126 OneWay in;
127 Block *processed; /* next bunch of application data */
128 Block *unprocessed; /* data read from c but not parsed into records */
129
130 /* handshake queue */
131 Lock hqlock; /* protects hqref, alloc & free of handq, hprocessed */
132 int hqref;
133 Queue *handq; /* queue of handshake messages */
134 Block *hprocessed; /* remainder of last block read from handq */
135 QLock hqread; /* protects reads for hprocessed, handq */
136
137 /* output side */
138 OneWay out;
139
140 /* protections */
141 char *user;
142 int perm;
143 };
144
145 struct TlsErrs{
146 int err;
147 int sslerr;
148 int tlserr;
149 int fatal;
150 char *msg;
151 };
152
153 static TlsErrs tlserrs[] = {
154 {ECloseNotify, ECloseNotify, ECloseNotify, 0, "close notify"},
155 {EUnexpectedMessage, EUnexpectedMessage, EUnexpectedMessage, 1, "unexpected message"},
156 {EBadRecordMac, EBadRecordMac, EBadRecordMac, 1, "bad record mac"},
157 {EDecryptionFailed, EIllegalParameter, EDecryptionFailed, 1, "decryption failed"},
158 {ERecordOverflow, EIllegalParameter, ERecordOverflow, 1, "record too long"},
159 {EDecompressionFailure, EDecompressionFailure, EDecompressionFailure, 1, "decompression failed"},
160 {EHandshakeFailure, EHandshakeFailure, EHandshakeFailure, 1, "could not negotiate acceptable security parameters"},
161 {ENoCertificate, ENoCertificate, ECertificateUnknown, 1, "no appropriate certificate available"},
162 {EBadCertificate, EBadCertificate, EBadCertificate, 1, "corrupted or invalid certificate"},
163 {EUnsupportedCertificate, EUnsupportedCertificate, EUnsupportedCertificate, 1, "unsupported certificate type"},
164 {ECertificateRevoked, ECertificateRevoked, ECertificateRevoked, 1, "revoked certificate"},
165 {ECertificateExpired, ECertificateExpired, ECertificateExpired, 1, "expired certificate"},
166 {ECertificateUnknown, ECertificateUnknown, ECertificateUnknown, 1, "unacceptable certificate"},
167 {EIllegalParameter, EIllegalParameter, EIllegalParameter, 1, "illegal parameter"},
168 {EUnknownCa, EHandshakeFailure, EUnknownCa, 1, "unknown certificate authority"},
169 {EAccessDenied, EHandshakeFailure, EAccessDenied, 1, "access denied"},
170 {EDecodeError, EIllegalParameter, EDecodeError, 1, "error decoding message"},
171 {EDecryptError, EIllegalParameter, EDecryptError, 1, "error decrypting message"},
172 {EExportRestriction, EHandshakeFailure, EExportRestriction, 1, "export restriction violated"},
173 {EProtocolVersion, EIllegalParameter, EProtocolVersion, 1, "protocol version not supported"},
174 {EInsufficientSecurity, EHandshakeFailure, EInsufficientSecurity, 1, "stronger security routines required"},
175 {EInternalError, EHandshakeFailure, EInternalError, 1, "internal error"},
176 {EUserCanceled, ECloseNotify, EUserCanceled, 0, "handshake canceled by user"},
177 {ENoRenegotiation, EUnexpectedMessage, ENoRenegotiation, 0, "no renegotiation"},
178 };
179
180 enum
181 {
182 /* max. open tls connections */
183 MaxTlsDevs = 1024
184 };
185
186 static Lock tdlock;
187 static int tdhiwat;
188 static int maxtlsdevs = 128;
189 static TlsRec **tlsdevs;
190 static char **trnames;
191 static char *encalgs;
192 static char *hashalgs;
193
194 enum{
195 Qtopdir = 1, /* top level directory */
196 Qprotodir,
197 Qclonus,
198 Qencalgs,
199 Qhashalgs,
200 Qconvdir, /* directory for a conversation */
201 Qdata,
202 Qctl,
203 Qhand,
204 Qstatus,
205 Qstats,
206 };
207
208 #define TYPE(x) ((x).path & 0xf)
209 #define CONV(x) (((x).path >> 5)&(MaxTlsDevs-1))
210 #define QID(c, y) (((c)<<5) | (y))
211
212 static void checkstate(TlsRec *, int, int);
213 static void ensure(TlsRec*, Block**, int);
214 static void consume(Block**, uchar*, int);
215 static Chan* buftochan(char*);
216 static void tlshangup(TlsRec*);
217 static void tlsError(TlsRec*, char *);
218 static void alertHand(TlsRec*, char *);
219 static TlsRec *newtls(Chan *c);
220 static TlsRec *mktlsrec(void);
221 static DigestState*sslmac_md5(uchar *p, ulong len, uchar *key, ulong klen, uchar *digest, DigestState *s);
222 static DigestState*sslmac_sha1(uchar *p, ulong len, uchar *key, ulong klen, uchar *digest, DigestState *s);
223 static DigestState*nomac(uchar *p, ulong len, uchar *key, ulong klen, uchar *digest, DigestState *s);
224 static void sslPackMac(Secret *sec, uchar *mackey, uchar *seq, uchar *header, uchar *body, int len, uchar *mac);
225 static void tlsPackMac(Secret *sec, uchar *mackey, uchar *seq, uchar *header, uchar *body, int len, uchar *mac);
226 static void put64(uchar *p, vlong x);
227 static void put32(uchar *p, u32int);
228 static void put24(uchar *p, int);
229 static void put16(uchar *p, int);
230 static u32int get32(uchar *p);
231 static int get16(uchar *p);
232 static void tlsSetState(TlsRec *tr, int new, int old);
233 static void rcvAlert(TlsRec *tr, int err);
234 static void sendAlert(TlsRec *tr, int err);
235 static void rcvError(TlsRec *tr, int err, char *msg, ...);
236 static int rc4enc(Secret *sec, uchar *buf, int n);
237 static int des3enc(Secret *sec, uchar *buf, int n);
238 static int des3dec(Secret *sec, uchar *buf, int n);
239 static int aesenc(Secret *sec, uchar *buf, int n);
240 static int aesdec(Secret *sec, uchar *buf, int n);
241 static int noenc(Secret *sec, uchar *buf, int n);
242 static int sslunpad(uchar *buf, int n, int block);
243 static int tlsunpad(uchar *buf, int n, int block);
244 static void freeSec(Secret *sec);
245 static char *tlsstate(int s);
246 static void pdump(int, void*, char*);
247
248 #pragma varargck argpos rcvError 3
249
250 static char *tlsnames[] = {
251 [Qclonus] "clone",
252 [Qencalgs] "encalgs",
253 [Qhashalgs] "hashalgs",
254 [Qdata] "data",
255 [Qctl] "ctl",
256 [Qhand] "hand",
257 [Qstatus] "status",
258 [Qstats] "stats",
259 };
260
261 static int convdir[] = { Qctl, Qdata, Qhand, Qstatus, Qstats };
262
263 static int
tlsgen(Chan * c,char *,Dirtab *,int,int s,Dir * dp)264 tlsgen(Chan *c, char*, Dirtab *, int, int s, Dir *dp)
265 {
266 Qid q;
267 TlsRec *tr;
268 char *name, *nm;
269 int perm, t;
270
271 q.vers = 0;
272 q.type = QTFILE;
273
274 t = TYPE(c->qid);
275 switch(t) {
276 case Qtopdir:
277 if(s == DEVDOTDOT){
278 q.path = QID(0, Qtopdir);
279 q.type = QTDIR;
280 devdir(c, q, "#a", 0, eve, 0555, dp);
281 return 1;
282 }
283 if(s > 0)
284 return -1;
285 q.path = QID(0, Qprotodir);
286 q.type = QTDIR;
287 devdir(c, q, "tls", 0, eve, 0555, dp);
288 return 1;
289 case Qprotodir:
290 if(s == DEVDOTDOT){
291 q.path = QID(0, Qtopdir);
292 q.type = QTDIR;
293 devdir(c, q, ".", 0, eve, 0555, dp);
294 return 1;
295 }
296 if(s < 3){
297 switch(s) {
298 default:
299 return -1;
300 case 0:
301 q.path = QID(0, Qclonus);
302 break;
303 case 1:
304 q.path = QID(0, Qencalgs);
305 break;
306 case 2:
307 q.path = QID(0, Qhashalgs);
308 break;
309 }
310 perm = 0444;
311 if(TYPE(q) == Qclonus)
312 perm = 0555;
313 devdir(c, q, tlsnames[TYPE(q)], 0, eve, perm, dp);
314 return 1;
315 }
316 s -= 3;
317 if(s >= tdhiwat)
318 return -1;
319 q.path = QID(s, Qconvdir);
320 q.type = QTDIR;
321 lock(&tdlock);
322 tr = tlsdevs[s];
323 if(tr != nil)
324 nm = tr->user;
325 else
326 nm = eve;
327 if((name = trnames[s]) == nil){
328 name = trnames[s] = smalloc(16);
329 snprint(name, 16, "%d", s);
330 }
331 devdir(c, q, name, 0, nm, 0555, dp);
332 unlock(&tdlock);
333 return 1;
334 case Qconvdir:
335 if(s == DEVDOTDOT){
336 q.path = QID(0, Qprotodir);
337 q.type = QTDIR;
338 devdir(c, q, "tls", 0, eve, 0555, dp);
339 return 1;
340 }
341 if(s < 0 || s >= nelem(convdir))
342 return -1;
343 lock(&tdlock);
344 tr = tlsdevs[CONV(c->qid)];
345 if(tr != nil){
346 nm = tr->user;
347 perm = tr->perm;
348 }else{
349 perm = 0;
350 nm = eve;
351 }
352 t = convdir[s];
353 if(t == Qstatus || t == Qstats)
354 perm &= 0444;
355 q.path = QID(CONV(c->qid), t);
356 devdir(c, q, tlsnames[t], 0, nm, perm, dp);
357 unlock(&tdlock);
358 return 1;
359 case Qclonus:
360 case Qencalgs:
361 case Qhashalgs:
362 perm = 0444;
363 if(t == Qclonus)
364 perm = 0555;
365 devdir(c, c->qid, tlsnames[t], 0, eve, perm, dp);
366 return 1;
367 default:
368 lock(&tdlock);
369 tr = tlsdevs[CONV(c->qid)];
370 if(tr != nil){
371 nm = tr->user;
372 perm = tr->perm;
373 }else{
374 perm = 0;
375 nm = eve;
376 }
377 if(t == Qstatus || t == Qstats)
378 perm &= 0444;
379 devdir(c, c->qid, tlsnames[t], 0, nm, perm, dp);
380 unlock(&tdlock);
381 return 1;
382 }
383 }
384
385 static Chan*
tlsattach(char * spec)386 tlsattach(char *spec)
387 {
388 Chan *c;
389
390 c = devattach('a', spec);
391 c->qid.path = QID(0, Qtopdir);
392 c->qid.type = QTDIR;
393 c->qid.vers = 0;
394 return c;
395 }
396
397 static Walkqid*
tlswalk(Chan * c,Chan * nc,char ** name,int nname)398 tlswalk(Chan *c, Chan *nc, char **name, int nname)
399 {
400 return devwalk(c, nc, name, nname, nil, 0, tlsgen);
401 }
402
403 static long
tlsstat(Chan * c,uchar * db,long n)404 tlsstat(Chan *c, uchar *db, long n)
405 {
406 return devstat(c, db, n, nil, 0, tlsgen);
407 }
408
409 static Chan*
tlsopen(Chan * c,int omode)410 tlsopen(Chan *c, int omode)
411 {
412 TlsRec *tr, **pp;
413 int t, perm;
414
415 perm = 0;
416 omode &= 3;
417 switch(omode) {
418 case OREAD:
419 perm = 4;
420 break;
421 case OWRITE:
422 perm = 2;
423 break;
424 case ORDWR:
425 perm = 6;
426 break;
427 }
428
429 t = TYPE(c->qid);
430 switch(t) {
431 default:
432 panic("tlsopen");
433 case Qtopdir:
434 case Qprotodir:
435 case Qconvdir:
436 if(omode != OREAD)
437 error(Eperm);
438 break;
439 case Qclonus:
440 tr = newtls(c);
441 if(tr == nil)
442 error(Enodev);
443 break;
444 case Qctl:
445 case Qdata:
446 case Qhand:
447 case Qstatus:
448 case Qstats:
449 if((t == Qstatus || t == Qstats) && omode != OREAD)
450 error(Eperm);
451 if(waserror()) {
452 unlock(&tdlock);
453 nexterror();
454 }
455 lock(&tdlock);
456 pp = &tlsdevs[CONV(c->qid)];
457 tr = *pp;
458 if(tr == nil)
459 error("must open connection using clone");
460 if((perm & (tr->perm>>6)) != perm
461 && (strcmp(up->user, tr->user) != 0
462 || (perm & tr->perm) != perm))
463 error(Eperm);
464 if(t == Qhand){
465 if(waserror()){
466 unlock(&tr->hqlock);
467 nexterror();
468 }
469 lock(&tr->hqlock);
470 if(tr->handq != nil)
471 error(Einuse);
472 tr->handq = qopen(2 * MaxCipherRecLen, 0, nil, nil);
473 if(tr->handq == nil)
474 error("cannot allocate handshake queue");
475 tr->hqref = 1;
476 unlock(&tr->hqlock);
477 poperror();
478 }
479 tr->ref++;
480 unlock(&tdlock);
481 poperror();
482 break;
483 case Qencalgs:
484 case Qhashalgs:
485 if(omode != OREAD)
486 error(Eperm);
487 break;
488 }
489 c->mode = openmode(omode);
490 c->flag |= COPEN;
491 c->offset = 0;
492 c->iounit = qiomaxatomic;
493 return c;
494 }
495
496 static long
tlswstat(Chan * c,uchar * dp,long n)497 tlswstat(Chan *c, uchar *dp, long n)
498 {
499 Dir *d;
500 TlsRec *tr;
501 int rv;
502
503 d = nil;
504 if(waserror()){
505 free(d);
506 unlock(&tdlock);
507 nexterror();
508 }
509
510 lock(&tdlock);
511 tr = tlsdevs[CONV(c->qid)];
512 if(tr == nil)
513 error(Ebadusefd);
514 if(strcmp(tr->user, up->user) != 0)
515 error(Eperm);
516
517 d = smalloc(n + sizeof *d);
518 rv = convM2D(dp, n, &d[0], (char*) &d[1]);
519 if(rv == 0)
520 error(Eshortstat);
521 if(!emptystr(d->uid))
522 kstrdup(&tr->user, d->uid);
523 if(d->mode != ~0UL)
524 tr->perm = d->mode;
525
526 free(d);
527 poperror();
528 unlock(&tdlock);
529
530 return rv;
531 }
532
533 static void
dechandq(TlsRec * tr)534 dechandq(TlsRec *tr)
535 {
536 lock(&tr->hqlock);
537 if(--tr->hqref == 0){
538 if(tr->handq != nil){
539 qfree(tr->handq);
540 tr->handq = nil;
541 }
542 if(tr->hprocessed != nil){
543 freeb(tr->hprocessed);
544 tr->hprocessed = nil;
545 }
546 }
547 unlock(&tr->hqlock);
548 }
549
550 static void
tlsclose(Chan * c)551 tlsclose(Chan *c)
552 {
553 TlsRec *tr;
554 int t;
555
556 t = TYPE(c->qid);
557 switch(t) {
558 case Qctl:
559 case Qdata:
560 case Qhand:
561 case Qstatus:
562 case Qstats:
563 if((c->flag & COPEN) == 0)
564 break;
565
566 tr = tlsdevs[CONV(c->qid)];
567 if(tr == nil)
568 break;
569
570 if(t == Qhand)
571 dechandq(tr);
572
573 lock(&tdlock);
574 if(--tr->ref > 0) {
575 unlock(&tdlock);
576 return;
577 }
578 tlsdevs[CONV(c->qid)] = nil;
579 unlock(&tdlock);
580
581 if(tr->c != nil && !waserror()){
582 checkstate(tr, 0, SOpen|SHandshake|SRClose);
583 sendAlert(tr, ECloseNotify);
584 poperror();
585 }
586 tlshangup(tr);
587 if(tr->c != nil)
588 cclose(tr->c);
589 freeSec(tr->in.sec);
590 freeSec(tr->in.new);
591 freeSec(tr->out.sec);
592 freeSec(tr->out.new);
593 free(tr->user);
594 free(tr);
595 break;
596 }
597 }
598
599 /*
600 * make sure we have at least 'n' bytes in list 'l'
601 */
602 static void
ensure(TlsRec * s,Block ** l,int n)603 ensure(TlsRec *s, Block **l, int n)
604 {
605 int sofar, i;
606 Block *b, *bl;
607
608 sofar = 0;
609 for(b = *l; b; b = b->next){
610 sofar += BLEN(b);
611 if(sofar >= n)
612 return;
613 l = &b->next;
614 }
615
616 while(sofar < n){
617 bl = s->c->dev->bread(s->c, MaxCipherRecLen + RecHdrLen, 0);
618 if(bl == 0)
619 error(Ehungup);
620 *l = bl;
621 i = 0;
622 for(b = bl; b; b = b->next){
623 i += BLEN(b);
624 l = &b->next;
625 }
626 if(i == 0)
627 error(Ehungup);
628 sofar += i;
629 }
630 if(s->debug) pprint("ensure read %d\n", sofar);
631 }
632
633 /*
634 * copy 'n' bytes from 'l' into 'p' and free
635 * the bytes in 'l'
636 */
637 static void
consume(Block ** l,uchar * p,int n)638 consume(Block **l, uchar *p, int n)
639 {
640 Block *b;
641 int i;
642
643 for(; *l && n > 0; n -= i){
644 b = *l;
645 i = BLEN(b);
646 if(i > n)
647 i = n;
648 memmove(p, b->rp, i);
649 b->rp += i;
650 p += i;
651 if(BLEN(b) < 0)
652 panic("consume");
653 if(BLEN(b))
654 break;
655 *l = b->next;
656 freeb(b);
657 }
658 }
659
660 /*
661 * give back n bytes
662 */
663 static void
regurgitate(TlsRec * s,uchar * p,int n)664 regurgitate(TlsRec *s, uchar *p, int n)
665 {
666 Block *b;
667
668 if(n <= 0)
669 return;
670 b = s->unprocessed;
671 if(s->unprocessed == nil || b->rp - b->base < n) {
672 b = allocb(n);
673 memmove(b->wp, p, n);
674 b->wp += n;
675 b->next = s->unprocessed;
676 s->unprocessed = b;
677 } else {
678 b->rp -= n;
679 memmove(b->rp, p, n);
680 }
681 }
682
683 /*
684 * remove at most n bytes from the queue
685 */
686 static Block*
qgrab(Block ** l,int n)687 qgrab(Block **l, int n)
688 {
689 Block *bb, *b;
690 int i;
691
692 b = *l;
693 if(BLEN(b) == n){
694 *l = b->next;
695 b->next = nil;
696 return b;
697 }
698
699 i = 0;
700 for(bb = b; bb != nil && i < n; bb = bb->next)
701 i += BLEN(bb);
702 if(i > n)
703 i = n;
704
705 bb = allocb(i);
706 consume(l, bb->wp, i);
707 bb->wp += i;
708 return bb;
709 }
710
711 static void
tlsclosed(TlsRec * tr,int new)712 tlsclosed(TlsRec *tr, int new)
713 {
714 lock(&tr->statelk);
715 if(tr->state == SOpen || tr->state == SHandshake)
716 tr->state = new;
717 else if((new | tr->state) == (SRClose|SLClose))
718 tr->state = SClosed;
719 unlock(&tr->statelk);
720 alertHand(tr, "close notify");
721 }
722
723 /*
724 * read and process one tls record layer message
725 * must be called with tr->in.io held
726 * We can't let Eintrs lose data, since doing so will get
727 * us out of sync with the sender and break the reliablity
728 * of the channel. Eintr only happens during the reads in
729 * consume. Therefore we put back any bytes consumed before
730 * the last call to ensure.
731 */
732 static void
tlsrecread(TlsRec * tr)733 tlsrecread(TlsRec *tr)
734 {
735 OneWay *volatile in;
736 Block *volatile b;
737 uchar *p, seq[8], header[RecHdrLen], hmac[MaxMacLen];
738 int volatile nconsumed;
739 int len, type, ver, unpad_len;
740
741 nconsumed = 0;
742 if(waserror()){
743 if(strcmp(up->errstr, Eintr) == 0 && !waserror()){
744 regurgitate(tr, header, nconsumed);
745 poperror();
746 }else
747 tlsError(tr, "channel error");
748 nexterror();
749 }
750 ensure(tr, &tr->unprocessed, RecHdrLen);
751 consume(&tr->unprocessed, header, RecHdrLen);
752 if(tr->debug)pprint("consumed %d header\n", RecHdrLen);
753 nconsumed = RecHdrLen;
754
755 if((tr->handin == 0) && (header[0] & 0x80)){
756 /* Cope with an SSL3 ClientHello expressed in SSL2 record format.
757 This is sent by some clients that we must interoperate
758 with, such as Java's JSSE and Microsoft's Internet Explorer. */
759 len = (get16(header) & ~0x8000) - 3;
760 type = header[2];
761 ver = get16(header + 3);
762 if(type != SSL2ClientHello || len < 22)
763 rcvError(tr, EProtocolVersion, "invalid initial SSL2-like message");
764 }else{ /* normal SSL3 record format */
765 type = header[0];
766 ver = get16(header+1);
767 len = get16(header+3);
768 }
769 if(ver != tr->version && (tr->verset || ver < MinProtoVersion || ver > MaxProtoVersion))
770 rcvError(tr, EProtocolVersion, "devtls expected ver=%x%s, saw (len=%d) type=%x ver=%x '%.12s'",
771 tr->version, tr->verset?"/set":"", len, type, ver, (char*)header);
772 if(len > MaxCipherRecLen || len < 0)
773 rcvError(tr, ERecordOverflow, "record message too long %d", len);
774 ensure(tr, &tr->unprocessed, len);
775 nconsumed = 0;
776 poperror();
777
778 /*
779 * If an Eintr happens after this, we'll get out of sync.
780 * Make sure nothing we call can sleep.
781 * Errors are ok, as they kill the connection.
782 * Luckily, allocb won't sleep, it'll just error out.
783 */
784 b = nil;
785 if(waserror()){
786 if(b != nil)
787 freeb(b);
788 tlsError(tr, "channel error");
789 nexterror();
790 }
791 b = qgrab(&tr->unprocessed, len);
792 if(tr->debug) pprint("consumed unprocessed %d\n", len);
793
794 in = &tr->in;
795 if(waserror()){
796 qunlock(&in->seclock);
797 nexterror();
798 }
799 qlock(&in->seclock);
800 p = b->rp;
801 if(in->sec != nil) {
802 /* to avoid Canvel-Hiltgen-Vaudenay-Vuagnoux attack, all errors here
803 should look alike, including timing of the response. */
804 unpad_len = (*in->sec->dec)(in->sec, p, len);
805
806 /* excplicit iv */
807 if(tr->version >= TLS11Version){
808 len -= in->sec->block;
809 if(len < 0)
810 rcvError(tr, EDecodeError, "runt record message");
811
812 unpad_len -= in->sec->block;
813 p += in->sec->block;
814 }
815
816 if(unpad_len >= in->sec->maclen)
817 len = unpad_len - in->sec->maclen;
818 if(tr->debug) pprint("decrypted %d\n", unpad_len);
819 if(tr->debug) pdump(unpad_len, p, "decrypted:");
820
821 /* update length */
822 put16(header+3, len);
823 put64(seq, in->seq);
824 in->seq++;
825 (*tr->packMac)(in->sec, in->sec->mackey, seq, header, p, len, hmac);
826 if(unpad_len < in->sec->maclen)
827 rcvError(tr, EBadRecordMac, "short record mac");
828 if(memcmp(hmac, p+len, in->sec->maclen) != 0)
829 rcvError(tr, EBadRecordMac, "record mac mismatch");
830 b->rp = p;
831 b->wp = p+len;
832 }
833 qunlock(&in->seclock);
834 poperror();
835 if(len < 0)
836 rcvError(tr, EDecodeError, "runt record message");
837
838 switch(type) {
839 default:
840 rcvError(tr, EIllegalParameter, "invalid record message %#x", type);
841 break;
842 case RChangeCipherSpec:
843 if(len != 1 || p[0] != 1)
844 rcvError(tr, EDecodeError, "invalid change cipher spec");
845 qlock(&in->seclock);
846 if(in->new == nil){
847 qunlock(&in->seclock);
848 rcvError(tr, EUnexpectedMessage, "unexpected change cipher spec");
849 }
850 freeSec(in->sec);
851 in->sec = in->new;
852 in->new = nil;
853 in->seq = 0;
854 qunlock(&in->seclock);
855 break;
856 case RAlert:
857 if(len != 2)
858 rcvError(tr, EDecodeError, "invalid alert");
859 if(p[0] == 2)
860 rcvAlert(tr, p[1]);
861 if(p[0] != 1)
862 rcvError(tr, EIllegalParameter, "invalid alert fatal code");
863
864 /*
865 * propate non-fatal alerts to handshaker
866 */
867 switch(p[1]){
868 case ECloseNotify:
869 tlsclosed(tr, SRClose);
870 if(tr->opened)
871 error("tls hungup");
872 error("close notify");
873 break;
874 case ENoRenegotiation:
875 alertHand(tr, "no renegotiation");
876 break;
877 case EUserCanceled:
878 alertHand(tr, "handshake canceled by user");
879 break;
880 case EUnrecognizedName:
881 /* happens in response to SNI, can be ignored. */
882 break;
883 default:
884 rcvError(tr, EIllegalParameter, "invalid alert code");
885 }
886 break;
887 case RHandshake:
888 /*
889 * don't worry about dropping the block
890 * qbwrite always queues even if flow controlled and interrupted.
891 *
892 * if there isn't any handshaker, ignore the request,
893 * but notify the other side we are doing so.
894 */
895 lock(&tr->hqlock);
896 if(tr->handq != nil){
897 tr->hqref++;
898 unlock(&tr->hqlock);
899 if(waserror()){
900 dechandq(tr);
901 nexterror();
902 }
903 b = padblock(b, 1);
904 *b->rp = RHandshake;
905 qbwrite(tr->handq, b);
906 b = nil;
907 poperror();
908 dechandq(tr);
909 }else{
910 unlock(&tr->hqlock);
911 if(tr->verset && tr->version != SSL3Version && !waserror()){
912 sendAlert(tr, ENoRenegotiation);
913 poperror();
914 }
915 }
916 break;
917 case SSL2ClientHello:
918 lock(&tr->hqlock);
919 if(tr->handq != nil){
920 tr->hqref++;
921 unlock(&tr->hqlock);
922 if(waserror()){
923 dechandq(tr);
924 nexterror();
925 }
926 /* Pass the SSL2 format data, so that the handshake code can compute
927 the correct checksums. HSSL2ClientHello = HandshakeType 9 is
928 unused in RFC2246. */
929 b = padblock(b, 8);
930 b->rp[0] = RHandshake;
931 b->rp[1] = HSSL2ClientHello;
932 put24(&b->rp[2], len+3);
933 b->rp[5] = SSL2ClientHello;
934 put16(&b->rp[6], ver);
935 qbwrite(tr->handq, b);
936 b = nil;
937 poperror();
938 dechandq(tr);
939 }else{
940 unlock(&tr->hqlock);
941 if(tr->verset && tr->version != SSL3Version && !waserror()){
942 sendAlert(tr, ENoRenegotiation);
943 poperror();
944 }
945 }
946 break;
947 case RApplication:
948 if(!tr->opened)
949 rcvError(tr, EUnexpectedMessage, "application message received before handshake completed");
950 if(BLEN(b) > 0){
951 tr->processed = b;
952 b = nil;
953 }
954 break;
955 }
956 if(b != nil)
957 freeb(b);
958 poperror();
959 }
960
961 /*
962 * got a fatal alert message
963 */
964 static void
rcvAlert(TlsRec * tr,int err)965 rcvAlert(TlsRec *tr, int err)
966 {
967 char *s;
968 int i;
969
970 s = "unknown error";
971 for(i=0; i < nelem(tlserrs); i++){
972 if(tlserrs[i].err == err){
973 s = tlserrs[i].msg;
974 break;
975 }
976 }
977 if(tr->debug) pprint("rcvAlert: %s\n", s);
978
979 tlsError(tr, s);
980 if(!tr->opened)
981 error(s);
982 error("tls error");
983 }
984
985 /*
986 * found an error while decoding the input stream
987 */
988 static void
rcvError(TlsRec * tr,int err,char * fmt,...)989 rcvError(TlsRec *tr, int err, char *fmt, ...)
990 {
991 char msg[ERRMAX];
992 va_list arg;
993
994 va_start(arg, fmt);
995 vseprint(msg, msg+sizeof(msg), fmt, arg);
996 va_end(arg);
997 if(tr->debug) pprint("rcvError: %s\n", msg);
998
999 sendAlert(tr, err);
1000
1001 if(!tr->opened)
1002 error(msg);
1003 error("tls error");
1004 }
1005
1006 /*
1007 * make sure the next hand operation returns with a 'msg' error
1008 */
1009 static void
alertHand(TlsRec * tr,char * msg)1010 alertHand(TlsRec *tr, char *msg)
1011 {
1012 Block *b;
1013 int n;
1014
1015 lock(&tr->hqlock);
1016 if(tr->handq == nil){
1017 unlock(&tr->hqlock);
1018 return;
1019 }
1020 tr->hqref++;
1021 unlock(&tr->hqlock);
1022
1023 n = strlen(msg);
1024 if(waserror()){
1025 dechandq(tr);
1026 nexterror();
1027 }
1028 b = allocb(n + 2);
1029 *b->wp++ = RAlert;
1030 memmove(b->wp, msg, n + 1);
1031 b->wp += n + 1;
1032
1033 qbwrite(tr->handq, b);
1034
1035 poperror();
1036 dechandq(tr);
1037 }
1038
1039 static void
checkstate(TlsRec * tr,int ishand,int ok)1040 checkstate(TlsRec *tr, int ishand, int ok)
1041 {
1042 int state;
1043
1044 lock(&tr->statelk);
1045 state = tr->state;
1046 unlock(&tr->statelk);
1047 if(state & ok)
1048 return;
1049 switch(state){
1050 case SHandshake:
1051 case SOpen:
1052 break;
1053 case SError:
1054 case SAlert:
1055 if(ishand)
1056 error(tr->err);
1057 error("tls error");
1058 case SRClose:
1059 case SLClose:
1060 case SClosed:
1061 error("tls hungup");
1062 }
1063 error("tls improperly configured");
1064 }
1065
1066 static Block*
tlsbread(Chan * c,long n,vlong offset)1067 tlsbread(Chan *c, long n, vlong offset)
1068 {
1069 int ty;
1070 Block *b;
1071 TlsRec *volatile tr;
1072
1073 ty = TYPE(c->qid);
1074 switch(ty) {
1075 default:
1076 return devbread(c, n, offset);
1077 case Qhand:
1078 case Qdata:
1079 break;
1080 }
1081
1082 tr = tlsdevs[CONV(c->qid)];
1083 if(tr == nil)
1084 panic("tlsbread");
1085
1086 if(waserror()){
1087 qunlock(&tr->in.io);
1088 nexterror();
1089 }
1090 qlock(&tr->in.io);
1091 if(ty == Qdata){
1092 checkstate(tr, 0, SOpen);
1093 while(tr->processed == nil)
1094 tlsrecread(tr);
1095
1096 /* return at most what was asked for */
1097 b = qgrab(&tr->processed, n);
1098 if(tr->debug) pprint("consumed processed %ld\n", BLEN(b));
1099 if(tr->debug) pdump(BLEN(b), b->rp, "consumed:");
1100 qunlock(&tr->in.io);
1101 poperror();
1102 tr->datain += BLEN(b);
1103 }else{
1104 checkstate(tr, 1, SOpen|SHandshake|SLClose);
1105
1106 /*
1107 * it's ok to look at state without the lock
1108 * since it only protects reading records,
1109 * and we have that tr->in.io held.
1110 */
1111 while(!tr->opened && tr->hprocessed == nil && !qcanread(tr->handq))
1112 tlsrecread(tr);
1113
1114 qunlock(&tr->in.io);
1115 poperror();
1116
1117 if(waserror()){
1118 qunlock(&tr->hqread);
1119 nexterror();
1120 }
1121 qlock(&tr->hqread);
1122 if(tr->hprocessed == nil){
1123 b = qbread(tr->handq, MaxRecLen + 1);
1124 if(*b->rp++ == RAlert){
1125 kstrcpy(up->errstr, (char*)b->rp, ERRMAX);
1126 freeb(b);
1127 nexterror();
1128 }
1129 tr->hprocessed = b;
1130 }
1131 b = qgrab(&tr->hprocessed, n);
1132 poperror();
1133 qunlock(&tr->hqread);
1134 tr->handin += BLEN(b);
1135 }
1136
1137 return b;
1138 }
1139
1140 static long
tlsread(Chan * c,void * a,long n,vlong off)1141 tlsread(Chan *c, void *a, long n, vlong off)
1142 {
1143 Block *volatile b;
1144 Block *nb;
1145 uchar *va;
1146 int i, ty;
1147 char *buf, *s, *e;
1148 long offset;
1149 TlsRec * tr;
1150
1151 if(c->qid.type & QTDIR)
1152 return devdirread(c, a, n, 0, 0, tlsgen);
1153
1154 offset = off;
1155 tr = tlsdevs[CONV(c->qid)];
1156 ty = TYPE(c->qid);
1157 switch(ty) {
1158 default:
1159 error(Ebadusefd);
1160 case Qstatus:
1161 buf = smalloc(Statlen);
1162 qlock(&tr->in.seclock);
1163 qlock(&tr->out.seclock);
1164 s = buf;
1165 e = buf + Statlen;
1166 s = seprint(s, e, "State: %s\n", tlsstate(tr->state));
1167 s = seprint(s, e, "Version: %#x\n", tr->version);
1168 if(tr->in.sec != nil)
1169 s = seprint(s, e, "EncIn: %s\nHashIn: %s\n", tr->in.sec->encalg, tr->in.sec->hashalg);
1170 if(tr->in.new != nil)
1171 s = seprint(s, e, "NewEncIn: %s\nNewHashIn: %s\n", tr->in.new->encalg, tr->in.new->hashalg);
1172 if(tr->out.sec != nil)
1173 s = seprint(s, e, "EncOut: %s\nHashOut: %s\n", tr->out.sec->encalg, tr->out.sec->hashalg);
1174 if(tr->out.new != nil)
1175 seprint(s, e, "NewEncOut: %s\nNewHashOut: %s\n", tr->out.new->encalg, tr->out.new->hashalg);
1176 qunlock(&tr->in.seclock);
1177 qunlock(&tr->out.seclock);
1178 n = readstr(offset, a, n, buf);
1179 free(buf);
1180 return n;
1181 case Qstats:
1182 buf = smalloc(Statlen);
1183 s = buf;
1184 e = buf + Statlen;
1185 s = seprint(s, e, "DataIn: %lld\n", tr->datain);
1186 s = seprint(s, e, "DataOut: %lld\n", tr->dataout);
1187 s = seprint(s, e, "HandIn: %lld\n", tr->handin);
1188 seprint(s, e, "HandOut: %lld\n", tr->handout);
1189 n = readstr(offset, a, n, buf);
1190 free(buf);
1191 return n;
1192 case Qctl:
1193 buf = smalloc(Statlen);
1194 snprint(buf, Statlen, "%llud", CONV(c->qid));
1195 n = readstr(offset, a, n, buf);
1196 free(buf);
1197 return n;
1198 case Qdata:
1199 case Qhand:
1200 b = tlsbread(c, n, offset);
1201 break;
1202 case Qencalgs:
1203 return readstr(offset, a, n, encalgs);
1204 case Qhashalgs:
1205 return readstr(offset, a, n, hashalgs);
1206 }
1207
1208 if(waserror()){
1209 freeblist(b);
1210 nexterror();
1211 }
1212
1213 n = 0;
1214 va = a;
1215 for(nb = b; nb; nb = nb->next){
1216 i = BLEN(nb);
1217 memmove(va+n, nb->rp, i);
1218 n += i;
1219 }
1220
1221 freeblist(b);
1222 poperror();
1223
1224 return n;
1225 }
1226
1227 static void
randfill(uchar * buf,int len)1228 randfill(uchar *buf, int len)
1229 {
1230 while(len-- > 0)
1231 *buf++ = nrand(256);
1232 }
1233
1234 /*
1235 * write a block in tls records
1236 */
1237 static void
tlsrecwrite(TlsRec * tr,int type,Block * b)1238 tlsrecwrite(TlsRec *tr, int type, Block *b)
1239 {
1240 Block *volatile bb;
1241 Block *nb;
1242 uchar *p, seq[8];
1243 OneWay *volatile out;
1244 int n, ivlen, maclen, pad, ok;
1245
1246 out = &tr->out;
1247 bb = b;
1248 if(waserror()){
1249 qunlock(&out->io);
1250 if(bb != nil)
1251 freeb(bb);
1252 nexterror();
1253 }
1254 qlock(&out->io);
1255 if(tr->debug)pprint("send %ld\n", BLEN(b));
1256 if(tr->debug)pdump(BLEN(b), b->rp, "sent:");
1257
1258
1259 ok = SHandshake|SOpen|SRClose;
1260 if(type == RAlert)
1261 ok |= SAlert;
1262 while(bb != nil){
1263 checkstate(tr, type != RApplication, ok);
1264
1265 /*
1266 * get at most one maximal record's input,
1267 * with padding on the front for header and
1268 * back for mac and maximal block padding.
1269 */
1270 if(waserror()){
1271 qunlock(&out->seclock);
1272 nexterror();
1273 }
1274 qlock(&out->seclock);
1275 maclen = 0;
1276 pad = 0;
1277 ivlen = 0;
1278 if(out->sec != nil){
1279 maclen = out->sec->maclen;
1280 pad = maclen + out->sec->block;
1281 if(tr->version >= TLS11Version)
1282 ivlen = out->sec->block;
1283 }
1284 n = BLEN(bb);
1285 if(n > MaxRecLen){
1286 n = MaxRecLen;
1287 nb = allocb(RecHdrLen + ivlen + n + pad);
1288 memmove(nb->wp + RecHdrLen + ivlen, bb->rp, n);
1289 bb->rp += n;
1290 }else{
1291 /*
1292 * carefully reuse bb so it will get freed if we're out of memory
1293 */
1294 bb = padblock(bb, RecHdrLen + ivlen);
1295 if(pad)
1296 nb = padblock(bb, -pad);
1297 else
1298 nb = bb;
1299 bb = nil;
1300 }
1301
1302 p = nb->rp;
1303 p[0] = type;
1304 put16(p+1, tr->version);
1305 put16(p+3, n);
1306
1307 if(out->sec != nil){
1308 put64(seq, out->seq);
1309 out->seq++;
1310 (*tr->packMac)(out->sec, out->sec->mackey, seq, p, p + RecHdrLen + ivlen, n, p + RecHdrLen + ivlen + n);
1311 n += maclen;
1312
1313 /* explicit iv */
1314 if(ivlen > 0){
1315 randfill(p + RecHdrLen, ivlen);
1316 n += ivlen;
1317 }
1318
1319 /* encrypt */
1320 n = (*out->sec->enc)(out->sec, p + RecHdrLen, n);
1321 nb->wp = p + RecHdrLen + n;
1322
1323 /* update length */
1324 put16(p+3, n);
1325 }
1326 if(type == RChangeCipherSpec){
1327 if(out->new == nil)
1328 error("change cipher without a new cipher");
1329 freeSec(out->sec);
1330 out->sec = out->new;
1331 out->new = nil;
1332 out->seq = 0;
1333 }
1334 qunlock(&out->seclock);
1335 poperror();
1336
1337 /*
1338 * if bwrite error's, we assume the block is queued.
1339 * if not, we're out of sync with the receiver and will not recover.
1340 */
1341 if(waserror()){
1342 if(strcmp(up->errstr, "interrupted") != 0)
1343 tlsError(tr, "channel error");
1344 nexterror();
1345 }
1346 tr->c->dev->bwrite(tr->c, nb, 0);
1347 poperror();
1348 }
1349 qunlock(&out->io);
1350 poperror();
1351 }
1352
1353 static long
tlsbwrite(Chan * c,Block * b,vlong offset)1354 tlsbwrite(Chan *c, Block *b, vlong offset)
1355 {
1356 int ty;
1357 ulong n;
1358 TlsRec *tr;
1359
1360 n = BLEN(b);
1361
1362 tr = tlsdevs[CONV(c->qid)];
1363 if(tr == nil)
1364 panic("tlsbwrite");
1365
1366 ty = TYPE(c->qid);
1367 switch(ty) {
1368 default:
1369 return devbwrite(c, b, offset);
1370 case Qhand:
1371 tlsrecwrite(tr, RHandshake, b);
1372 tr->handout += n;
1373 break;
1374 case Qdata:
1375 checkstate(tr, 0, SOpen);
1376 tlsrecwrite(tr, RApplication, b);
1377 tr->dataout += n;
1378 break;
1379 }
1380
1381 return n;
1382 }
1383
1384 typedef struct Hashalg Hashalg;
1385 struct Hashalg
1386 {
1387 char *name;
1388 int maclen;
1389 void (*initkey)(Hashalg *, int, Secret *, uchar*);
1390 };
1391
1392 static void
initmd5key(Hashalg * ha,int version,Secret * s,uchar * p)1393 initmd5key(Hashalg *ha, int version, Secret *s, uchar *p)
1394 {
1395 s->maclen = ha->maclen;
1396 if(version == SSL3Version)
1397 s->mac = sslmac_md5;
1398 else
1399 s->mac = hmac_md5;
1400 memmove(s->mackey, p, ha->maclen);
1401 }
1402
1403 static void
initclearmac(Hashalg *,int,Secret * s,uchar *)1404 initclearmac(Hashalg *, int, Secret *s, uchar *)
1405 {
1406 s->maclen = 0;
1407 s->mac = nomac;
1408 }
1409
1410 static void
initsha1key(Hashalg * ha,int version,Secret * s,uchar * p)1411 initsha1key(Hashalg *ha, int version, Secret *s, uchar *p)
1412 {
1413 s->maclen = ha->maclen;
1414 if(version == SSL3Version)
1415 s->mac = sslmac_sha1;
1416 else
1417 s->mac = hmac_sha1;
1418 memmove(s->mackey, p, ha->maclen);
1419 }
1420
1421 static void
initsha2_256key(Hashalg * ha,int version,Secret * s,uchar * p)1422 initsha2_256key(Hashalg *ha, int version, Secret *s, uchar *p)
1423 {
1424 if(version == SSL3Version)
1425 error("sha256 cannot be used with SSL");
1426 s->maclen = ha->maclen;
1427 s->mac = hmac_sha2_256;
1428 memmove(s->mackey, p, ha->maclen);
1429 }
1430
1431 static Hashalg hashtab[] =
1432 {
1433 { "clear", 0, initclearmac, },
1434 { "md5", MD5dlen, initmd5key, },
1435 { "sha1", SHA1dlen, initsha1key, },
1436 { "sha256", SHA2_256dlen, initsha2_256key, },
1437 { 0 }
1438 };
1439
1440 static Hashalg*
parsehashalg(char * p)1441 parsehashalg(char *p)
1442 {
1443 Hashalg *ha;
1444
1445 for(ha = hashtab; ha->name; ha++)
1446 if(strcmp(p, ha->name) == 0)
1447 return ha;
1448 error("unsupported hash algorithm");
1449 return nil;
1450 }
1451
1452 typedef struct Encalg Encalg;
1453 struct Encalg
1454 {
1455 char *name;
1456 int keylen;
1457 int ivlen;
1458 void (*initkey)(Encalg *ea, Secret *, uchar*, uchar*);
1459 };
1460
1461 static void
initRC4key(Encalg * ea,Secret * s,uchar * p,uchar *)1462 initRC4key(Encalg *ea, Secret *s, uchar *p, uchar *)
1463 {
1464 s->enckey = smalloc(sizeof(RC4state));
1465 s->enc = rc4enc;
1466 s->dec = rc4enc;
1467 s->block = 0;
1468 setupRC4state(s->enckey, p, ea->keylen);
1469 }
1470
1471 static void
initDES3key(Encalg *,Secret * s,uchar * p,uchar * iv)1472 initDES3key(Encalg *, Secret *s, uchar *p, uchar *iv)
1473 {
1474 s->enckey = smalloc(sizeof(DES3state));
1475 s->enc = des3enc;
1476 s->dec = des3dec;
1477 s->block = 8;
1478 setupDES3state(s->enckey, (uchar (*)[8])p, iv);
1479 }
1480
1481 static void
initAESkey(Encalg * ea,Secret * s,uchar * p,uchar * iv)1482 initAESkey(Encalg *ea, Secret *s, uchar *p, uchar *iv)
1483 {
1484 s->enckey = smalloc(sizeof(AESstate));
1485 s->enc = aesenc;
1486 s->dec = aesdec;
1487 s->block = 16;
1488 setupAESstate(s->enckey, p, ea->keylen, iv);
1489 }
1490
1491 static void
initclearenc(Encalg *,Secret * s,uchar *,uchar *)1492 initclearenc(Encalg *, Secret *s, uchar *, uchar *)
1493 {
1494 s->enc = noenc;
1495 s->dec = noenc;
1496 s->block = 0;
1497 }
1498
1499 static Encalg encrypttab[] =
1500 {
1501 { "clear", 0, 0, initclearenc },
1502 { "rc4_128", 128/8, 0, initRC4key },
1503 { "3des_ede_cbc", 3 * 8, 8, initDES3key },
1504 { "aes_128_cbc", 128/8, 16, initAESkey },
1505 { "aes_256_cbc", 256/8, 16, initAESkey },
1506 { 0 }
1507 };
1508
1509 static Encalg*
parseencalg(char * p)1510 parseencalg(char *p)
1511 {
1512 Encalg *ea;
1513
1514 for(ea = encrypttab; ea->name; ea++)
1515 if(strcmp(p, ea->name) == 0)
1516 return ea;
1517 error("unsupported encryption algorithm");
1518 return nil;
1519 }
1520
1521 static long
tlswrite(Chan * c,void * a,long n,vlong off)1522 tlswrite(Chan *c, void *a, long n, vlong off)
1523 {
1524 Encalg *ea;
1525 Hashalg *ha;
1526 TlsRec *volatile tr;
1527 Secret *volatile tos, *volatile toc;
1528 Block *volatile b;
1529 Cmdbuf *volatile cb;
1530 int i, ty;
1531 char *p, *e;
1532 uchar *volatile x;
1533 ulong offset = off;
1534
1535 tr = tlsdevs[CONV(c->qid)];
1536 if(tr == nil)
1537 panic("tlswrite");
1538
1539 ty = TYPE(c->qid);
1540 switch(ty){
1541 case Qdata:
1542 case Qhand:
1543 p = a;
1544 e = p + n;
1545 do{
1546 i = e - p;
1547 if(i > MaxRecLen)
1548 i = MaxRecLen;
1549
1550 b = allocb(i);
1551 if(waserror()){
1552 freeb(b);
1553 nexterror();
1554 }
1555 memmove(b->wp, p, i);
1556 poperror();
1557 b->wp += i;
1558
1559 tlsbwrite(c, b, offset);
1560
1561 p += i;
1562 }while(p < e);
1563 return n;
1564 case Qctl:
1565 break;
1566 default:
1567 error(Ebadusefd);
1568 return -1;
1569 }
1570
1571 cb = parsecmd(a, n);
1572 if(waserror()){
1573 free(cb);
1574 nexterror();
1575 }
1576 if(cb->nf < 1)
1577 error("short control request");
1578
1579 /* mutex with operations using what we're about to change */
1580 if(waserror()){
1581 qunlock(&tr->in.seclock);
1582 qunlock(&tr->out.seclock);
1583 nexterror();
1584 }
1585 qlock(&tr->in.seclock);
1586 qlock(&tr->out.seclock);
1587
1588 if(strcmp(cb->f[0], "fd") == 0){
1589 if(cb->nf != 3)
1590 error("usage: fd open-fd version");
1591 if(tr->c != nil)
1592 error(Einuse);
1593 i = strtol(cb->f[2], nil, 0);
1594 if(i < MinProtoVersion || i > MaxProtoVersion)
1595 error("unsupported version");
1596 tr->c = buftochan(cb->f[1]);
1597 tr->version = i;
1598 tlsSetState(tr, SHandshake, SClosed);
1599 }else if(strcmp(cb->f[0], "version") == 0){
1600 if(cb->nf != 2)
1601 error("usage: version vers");
1602 if(tr->c == nil)
1603 error("must set fd before version");
1604 if(tr->verset)
1605 error("version already set");
1606 i = strtol(cb->f[1], nil, 0);
1607 if(i < MinProtoVersion || i > MaxProtoVersion)
1608 error("unsupported version");
1609 if(i == SSL3Version)
1610 tr->packMac = sslPackMac;
1611 else
1612 tr->packMac = tlsPackMac;
1613 tr->verset = 1;
1614 tr->version = i;
1615 }else if(strcmp(cb->f[0], "secret") == 0){
1616 if(cb->nf != 5)
1617 error("usage: secret hashalg encalg isclient secretdata");
1618 if(tr->c == nil || !tr->verset)
1619 error("must set fd and version before secrets");
1620
1621 if(tr->in.new != nil){
1622 freeSec(tr->in.new);
1623 tr->in.new = nil;
1624 }
1625 if(tr->out.new != nil){
1626 freeSec(tr->out.new);
1627 tr->out.new = nil;
1628 }
1629
1630 ha = parsehashalg(cb->f[1]);
1631 ea = parseencalg(cb->f[2]);
1632
1633 p = cb->f[4];
1634 i = (strlen(p)*3)/2;
1635 x = smalloc(i);
1636 tos = nil;
1637 toc = nil;
1638 if(waserror()){
1639 freeSec(tos);
1640 freeSec(toc);
1641 free(x);
1642 nexterror();
1643 }
1644 i = dec64(x, i, p, strlen(p));
1645 if(i < 2 * ha->maclen + 2 * ea->keylen + 2 * ea->ivlen)
1646 error("not enough secret data provided");
1647
1648 tos = smalloc(sizeof(Secret));
1649 toc = smalloc(sizeof(Secret));
1650 if(!ha->initkey || !ea->initkey)
1651 error("misimplemented secret algorithm");
1652 (*ha->initkey)(ha, tr->version, tos, &x[0]);
1653 (*ha->initkey)(ha, tr->version, toc, &x[ha->maclen]);
1654 (*ea->initkey)(ea, tos, &x[2 * ha->maclen], &x[2 * ha->maclen + 2 * ea->keylen]);
1655 (*ea->initkey)(ea, toc, &x[2 * ha->maclen + ea->keylen], &x[2 * ha->maclen + 2 * ea->keylen + ea->ivlen]);
1656
1657 if(!tos->mac || !tos->enc || !tos->dec
1658 || !toc->mac || !toc->enc || !toc->dec)
1659 error("missing algorithm implementations");
1660 if(strtol(cb->f[3], nil, 0) == 0){
1661 tr->in.new = tos;
1662 tr->out.new = toc;
1663 }else{
1664 tr->in.new = toc;
1665 tr->out.new = tos;
1666 }
1667 if(tr->version == SSL3Version){
1668 toc->unpad = sslunpad;
1669 tos->unpad = sslunpad;
1670 }else{
1671 toc->unpad = tlsunpad;
1672 tos->unpad = tlsunpad;
1673 }
1674 toc->encalg = ea->name;
1675 toc->hashalg = ha->name;
1676 tos->encalg = ea->name;
1677 tos->hashalg = ha->name;
1678
1679 free(x);
1680 poperror();
1681 }else if(strcmp(cb->f[0], "changecipher") == 0){
1682 if(cb->nf != 1)
1683 error("usage: changecipher");
1684 if(tr->out.new == nil)
1685 error("cannot change cipher spec without setting secret");
1686
1687 qunlock(&tr->in.seclock);
1688 qunlock(&tr->out.seclock);
1689 poperror();
1690 free(cb);
1691 poperror();
1692
1693 /*
1694 * the real work is done as the message is written
1695 * so the stream is encrypted in sync.
1696 */
1697 b = allocb(1);
1698 *b->wp++ = 1;
1699 tlsrecwrite(tr, RChangeCipherSpec, b);
1700 return n;
1701 }else if(strcmp(cb->f[0], "opened") == 0){
1702 if(cb->nf != 1)
1703 error("usage: opened");
1704 if(tr->in.sec == nil || tr->out.sec == nil)
1705 error("cipher must be configured before enabling data messages");
1706 lock(&tr->statelk);
1707 if(tr->state != SHandshake && tr->state != SOpen){
1708 unlock(&tr->statelk);
1709 error("cannot enable data messages");
1710 }
1711 tr->state = SOpen;
1712 unlock(&tr->statelk);
1713 tr->opened = 1;
1714 }else if(strcmp(cb->f[0], "alert") == 0){
1715 if(cb->nf != 2)
1716 error("usage: alert n");
1717 if(tr->c == nil)
1718 error("must set fd before sending alerts");
1719 i = strtol(cb->f[1], nil, 0);
1720
1721 qunlock(&tr->in.seclock);
1722 qunlock(&tr->out.seclock);
1723 poperror();
1724 free(cb);
1725 poperror();
1726
1727 sendAlert(tr, i);
1728
1729 if(m == ECloseNotify)
1730 tlsclosed(tr, SLClose);
1731
1732 return n;
1733 } else if(strcmp(cb->f[0], "debug") == 0){
1734 if(cb->nf == 2){
1735 if(strcmp(cb->f[1], "on") == 0)
1736 tr->debug = 1;
1737 else
1738 tr->debug = 0;
1739 } else
1740 tr->debug = 1;
1741 } else
1742 error(Ebadarg);
1743
1744 qunlock(&tr->in.seclock);
1745 qunlock(&tr->out.seclock);
1746 poperror();
1747 free(cb);
1748 poperror();
1749
1750 return n;
1751 }
1752
1753 static void
tlsinit(void)1754 tlsinit(void)
1755 {
1756 struct Encalg *e;
1757 struct Hashalg *h;
1758 int n;
1759 char *cp;
1760 static int already;
1761
1762 if(!already){
1763 // fmtinstall('H', encodefmt);
1764 already = 1;
1765 }
1766
1767 tlsdevs = smalloc(sizeof(TlsRec*) * maxtlsdevs);
1768 trnames = smalloc((sizeof *trnames) * maxtlsdevs);
1769
1770 n = 1;
1771 for(e = encrypttab; e->name != nil; e++)
1772 n += strlen(e->name) + 1;
1773 cp = encalgs = smalloc(n);
1774 for(e = encrypttab;;){
1775 strcpy(cp, e->name);
1776 cp += strlen(e->name);
1777 e++;
1778 if(e->name == nil)
1779 break;
1780 *cp++ = ' ';
1781 }
1782 *cp = 0;
1783
1784 n = 1;
1785 for(h = hashtab; h->name != nil; h++)
1786 n += strlen(h->name) + 1;
1787 cp = hashalgs = smalloc(n);
1788 for(h = hashtab;;){
1789 strcpy(cp, h->name);
1790 cp += strlen(h->name);
1791 h++;
1792 if(h->name == nil)
1793 break;
1794 *cp++ = ' ';
1795 }
1796 *cp = 0;
1797 }
1798
1799 Dev tlsdevtab = {
1800 'a',
1801 "tls",
1802
1803 devreset,
1804 tlsinit,
1805 devshutdown,
1806 tlsattach,
1807 tlswalk,
1808 tlsstat,
1809 tlsopen,
1810 devcreate,
1811 tlsclose,
1812 tlsread,
1813 tlsbread,
1814 tlswrite,
1815 tlsbwrite,
1816 devremove,
1817 tlswstat,
1818 };
1819
1820 /* get channel associated with an fd */
1821 static Chan*
buftochan(char * p)1822 buftochan(char *p)
1823 {
1824 Chan *c;
1825 int fd;
1826
1827 if(p == 0)
1828 error(Ebadarg);
1829 fd = strtoul(p, 0, 0);
1830 if(fd < 0)
1831 error(Ebadarg);
1832 c = fdtochan(fd, -1, 0, 1); /* error check and inc ref */
1833 return c;
1834 }
1835
1836 static void
sendAlert(TlsRec * tr,int err)1837 sendAlert(TlsRec *tr, int err)
1838 {
1839 Block *b;
1840 int i, fatal;
1841 char *msg;
1842
1843 if(tr->debug)pprint("sendAlert %d\n", err);
1844 fatal = 1;
1845 msg = "tls unknown alert";
1846 for(i=0; i < nelem(tlserrs); i++) {
1847 if(tlserrs[i].err == err) {
1848 msg = tlserrs[i].msg;
1849 if(tr->version == SSL3Version)
1850 err = tlserrs[i].sslerr;
1851 else
1852 err = tlserrs[i].tlserr;
1853 fatal = tlserrs[i].fatal;
1854 break;
1855 }
1856 }
1857
1858 if(!waserror()){
1859 b = allocb(2);
1860 *b->wp++ = fatal + 1;
1861 *b->wp++ = err;
1862 if(fatal)
1863 tlsSetState(tr, SAlert, SOpen|SHandshake|SRClose);
1864 tlsrecwrite(tr, RAlert, b);
1865 poperror();
1866 }
1867 if(fatal)
1868 tlsError(tr, msg);
1869 }
1870
1871 static void
tlsError(TlsRec * tr,char * msg)1872 tlsError(TlsRec *tr, char *msg)
1873 {
1874 int s;
1875
1876 if(tr->debug)pprint("tleError %s\n", msg);
1877 lock(&tr->statelk);
1878 s = tr->state;
1879 tr->state = SError;
1880 if(s != SError){
1881 strncpy(tr->err, msg, ERRMAX - 1);
1882 tr->err[ERRMAX - 1] = '\0';
1883 }
1884 unlock(&tr->statelk);
1885 if(s != SError)
1886 alertHand(tr, msg);
1887 }
1888
1889 static void
tlsSetState(TlsRec * tr,int new,int old)1890 tlsSetState(TlsRec *tr, int new, int old)
1891 {
1892 lock(&tr->statelk);
1893 if(tr->state & old)
1894 tr->state = new;
1895 unlock(&tr->statelk);
1896 }
1897
1898 /* hand up a digest connection */
1899 static void
tlshangup(TlsRec * tr)1900 tlshangup(TlsRec *tr)
1901 {
1902 Block *b;
1903
1904 qlock(&tr->in.io);
1905 for(b = tr->processed; b; b = tr->processed){
1906 tr->processed = b->next;
1907 freeb(b);
1908 }
1909 if(tr->unprocessed != nil){
1910 freeb(tr->unprocessed);
1911 tr->unprocessed = nil;
1912 }
1913 qunlock(&tr->in.io);
1914
1915 tlsSetState(tr, SClosed, ~0);
1916 }
1917
1918 static TlsRec*
newtls(Chan * ch)1919 newtls(Chan *ch)
1920 {
1921 TlsRec **pp, **ep, **np;
1922 char **nmp;
1923 int t, newmax;
1924
1925 if(waserror()) {
1926 unlock(&tdlock);
1927 nexterror();
1928 }
1929 lock(&tdlock);
1930 ep = &tlsdevs[maxtlsdevs];
1931 for(pp = tlsdevs; pp < ep; pp++)
1932 if(*pp == nil)
1933 break;
1934 if(pp >= ep) {
1935 if(maxtlsdevs >= MaxTlsDevs) {
1936 unlock(&tdlock);
1937 poperror();
1938 return nil;
1939 }
1940 newmax = 2 * maxtlsdevs;
1941 if(newmax > MaxTlsDevs)
1942 newmax = MaxTlsDevs;
1943 np = smalloc(sizeof(TlsRec*) * newmax);
1944 memmove(np, tlsdevs, sizeof(TlsRec*) * maxtlsdevs);
1945 tlsdevs = np;
1946 pp = &tlsdevs[maxtlsdevs];
1947 memset(pp, 0, sizeof(TlsRec*)*(newmax - maxtlsdevs));
1948
1949 nmp = smalloc(sizeof *nmp * newmax);
1950 memmove(nmp, trnames, sizeof *nmp * maxtlsdevs);
1951 trnames = nmp;
1952
1953 maxtlsdevs = newmax;
1954 }
1955 *pp = mktlsrec();
1956 if(pp - tlsdevs >= tdhiwat)
1957 tdhiwat++;
1958 t = TYPE(ch->qid);
1959 if(t == Qclonus)
1960 t = Qctl;
1961 ch->qid.path = QID(pp - tlsdevs, t);
1962 ch->qid.vers = 0;
1963 unlock(&tdlock);
1964 poperror();
1965 return *pp;
1966 }
1967
1968 static TlsRec *
mktlsrec(void)1969 mktlsrec(void)
1970 {
1971 TlsRec *tr;
1972
1973 tr = mallocz(sizeof(*tr), 1);
1974 if(tr == nil)
1975 error(Enomem);
1976 tr->state = SClosed;
1977 tr->ref = 1;
1978 kstrdup(&tr->user, up->user);
1979 tr->perm = 0660;
1980 return tr;
1981 }
1982
1983 static char*
tlsstate(int s)1984 tlsstate(int s)
1985 {
1986 switch(s){
1987 case SHandshake:
1988 return "Handshaking";
1989 case SOpen:
1990 return "Established";
1991 case SRClose:
1992 return "RemoteClosed";
1993 case SLClose:
1994 return "LocalClosed";
1995 case SAlert:
1996 return "Alerting";
1997 case SError:
1998 return "Errored";
1999 case SClosed:
2000 return "Closed";
2001 }
2002 return "Unknown";
2003 }
2004
2005 static void
freeSec(Secret * s)2006 freeSec(Secret *s)
2007 {
2008 if(s != nil){
2009 free(s->enckey);
2010 free(s);
2011 }
2012 }
2013
2014 static int
noenc(Secret *,uchar *,int n)2015 noenc(Secret *, uchar *, int n)
2016 {
2017 return n;
2018 }
2019
2020 static int
rc4enc(Secret * sec,uchar * buf,int n)2021 rc4enc(Secret *sec, uchar *buf, int n)
2022 {
2023 rc4(sec->enckey, buf, n);
2024 return n;
2025 }
2026
2027 static int
tlsunpad(uchar * buf,int n,int block)2028 tlsunpad(uchar *buf, int n, int block)
2029 {
2030 int pad, nn;
2031
2032 pad = buf[n - 1];
2033 nn = n - 1 - pad;
2034 if(nn <= 0 || n % block)
2035 return -1;
2036 while(--n > nn)
2037 if(pad != buf[n - 1])
2038 return -1;
2039 return nn;
2040 }
2041
2042 static int
sslunpad(uchar * buf,int n,int block)2043 sslunpad(uchar *buf, int n, int block)
2044 {
2045 int pad, nn;
2046
2047 pad = buf[n - 1];
2048 nn = n - 1 - pad;
2049 if(nn <= 0 || n % block)
2050 return -1;
2051 return nn;
2052 }
2053
2054 static int
blockpad(uchar * buf,int n,int block)2055 blockpad(uchar *buf, int n, int block)
2056 {
2057 int pad, nn;
2058
2059 nn = n + block;
2060 nn -= nn % block;
2061 pad = nn - (n + 1);
2062 while(n < nn)
2063 buf[n++] = pad;
2064 return nn;
2065 }
2066
2067 static int
des3enc(Secret * sec,uchar * buf,int n)2068 des3enc(Secret *sec, uchar *buf, int n)
2069 {
2070 n = blockpad(buf, n, 8);
2071 des3CBCencrypt(buf, n, sec->enckey);
2072 return n;
2073 }
2074
2075 static int
des3dec(Secret * sec,uchar * buf,int n)2076 des3dec(Secret *sec, uchar *buf, int n)
2077 {
2078 des3CBCdecrypt(buf, n, sec->enckey);
2079 return (*sec->unpad)(buf, n, 8);
2080 }
2081
2082 static int
aesenc(Secret * sec,uchar * buf,int n)2083 aesenc(Secret *sec, uchar *buf, int n)
2084 {
2085 n = blockpad(buf, n, 16);
2086 aesCBCencrypt(buf, n, sec->enckey);
2087 return n;
2088 }
2089
2090 static int
aesdec(Secret * sec,uchar * buf,int n)2091 aesdec(Secret *sec, uchar *buf, int n)
2092 {
2093 aesCBCdecrypt(buf, n, sec->enckey);
2094 return (*sec->unpad)(buf, n, 16);
2095 }
2096
2097 static DigestState*
nomac(uchar *,ulong,uchar *,ulong,uchar *,DigestState *)2098 nomac(uchar *, ulong, uchar *, ulong, uchar *, DigestState *)
2099 {
2100 return nil;
2101 }
2102
2103 /*
2104 * sslmac: mac calculations for ssl 3.0 only; tls 1.0 uses the standard hmac.
2105 */
2106 static DigestState*
sslmac_x(uchar * p,ulong len,uchar * key,ulong klen,uchar * digest,DigestState * s,DigestState * (* x)(uchar *,ulong,uchar *,DigestState *),int xlen,int padlen)2107 sslmac_x(uchar *p, ulong len, uchar *key, ulong klen, uchar *digest, DigestState *s,
2108 DigestState*(*x)(uchar*, ulong, uchar*, DigestState*), int xlen, int padlen)
2109 {
2110 int i;
2111 uchar pad[48], innerdigest[20];
2112
2113 if(xlen > sizeof(innerdigest)
2114 || padlen > sizeof(pad))
2115 return nil;
2116
2117 if(klen>64)
2118 return nil;
2119
2120 /* first time through */
2121 if(s == nil){
2122 for(i=0; i<padlen; i++)
2123 pad[i] = 0x36;
2124 s = (*x)(key, klen, nil, nil);
2125 s = (*x)(pad, padlen, nil, s);
2126 if(s == nil)
2127 return nil;
2128 }
2129
2130 s = (*x)(p, len, nil, s);
2131 if(digest == nil)
2132 return s;
2133
2134 /* last time through */
2135 for(i=0; i<padlen; i++)
2136 pad[i] = 0x5c;
2137 (*x)(nil, 0, innerdigest, s);
2138 s = (*x)(key, klen, nil, nil);
2139 s = (*x)(pad, padlen, nil, s);
2140 (*x)(innerdigest, xlen, digest, s);
2141 return nil;
2142 }
2143
2144 static DigestState*
sslmac_sha1(uchar * p,ulong len,uchar * key,ulong klen,uchar * digest,DigestState * s)2145 sslmac_sha1(uchar *p, ulong len, uchar *key, ulong klen, uchar *digest, DigestState *s)
2146 {
2147 return sslmac_x(p, len, key, klen, digest, s, sha1, SHA1dlen, 40);
2148 }
2149
2150 static DigestState*
sslmac_md5(uchar * p,ulong len,uchar * key,ulong klen,uchar * digest,DigestState * s)2151 sslmac_md5(uchar *p, ulong len, uchar *key, ulong klen, uchar *digest, DigestState *s)
2152 {
2153 return sslmac_x(p, len, key, klen, digest, s, md5, MD5dlen, 48);
2154 }
2155
2156 static void
sslPackMac(Secret * sec,uchar * mackey,uchar * seq,uchar * header,uchar * body,int len,uchar * mac)2157 sslPackMac(Secret *sec, uchar *mackey, uchar *seq, uchar *header, uchar *body, int len, uchar *mac)
2158 {
2159 DigestState *s;
2160 uchar buf[11];
2161
2162 memmove(buf, seq, 8);
2163 buf[8] = header[0];
2164 buf[9] = header[3];
2165 buf[10] = header[4];
2166
2167 s = (*sec->mac)(buf, 11, mackey, sec->maclen, 0, 0);
2168 (*sec->mac)(body, len, mackey, sec->maclen, mac, s);
2169 }
2170
2171 static void
tlsPackMac(Secret * sec,uchar * mackey,uchar * seq,uchar * header,uchar * body,int len,uchar * mac)2172 tlsPackMac(Secret *sec, uchar *mackey, uchar *seq, uchar *header, uchar *body, int len, uchar *mac)
2173 {
2174 DigestState *s;
2175 uchar buf[13];
2176
2177 memmove(buf, seq, 8);
2178 memmove(&buf[8], header, 5);
2179
2180 s = (*sec->mac)(buf, 13, mackey, sec->maclen, 0, 0);
2181 (*sec->mac)(body, len, mackey, sec->maclen, mac, s);
2182 }
2183
2184 static void
put32(uchar * p,u32int x)2185 put32(uchar *p, u32int x)
2186 {
2187 p[0] = x>>24;
2188 p[1] = x>>16;
2189 p[2] = x>>8;
2190 p[3] = x;
2191 }
2192
2193 static void
put64(uchar * p,vlong x)2194 put64(uchar *p, vlong x)
2195 {
2196 put32(p, (u32int)(x >> 32));
2197 put32(p+4, (u32int)x);
2198 }
2199
2200 static void
put24(uchar * p,int x)2201 put24(uchar *p, int x)
2202 {
2203 p[0] = x>>16;
2204 p[1] = x>>8;
2205 p[2] = x;
2206 }
2207
2208 static void
put16(uchar * p,int x)2209 put16(uchar *p, int x)
2210 {
2211 p[0] = x>>8;
2212 p[1] = x;
2213 }
2214
2215 static u32int
get32(uchar * p)2216 get32(uchar *p)
2217 {
2218 return (p[0]<<24)|(p[1]<<16)|(p[2]<<8)|p[3];
2219 }
2220
2221 static int
get16(uchar * p)2222 get16(uchar *p)
2223 {
2224 return (p[0]<<8)|p[1];
2225 }
2226
2227 static char *charmap = "0123456789abcdef";
2228
2229 static void
pdump(int len,void * a,char * tag)2230 pdump(int len, void *a, char *tag)
2231 {
2232 uchar *p;
2233 int i;
2234 char buf[65+32];
2235 char *q;
2236
2237 p = a;
2238 strcpy(buf, tag);
2239 while(len > 0){
2240 q = buf + strlen(tag);
2241 for(i = 0; len > 0 && i < 32; i++){
2242 if(*p >= ' ' && *p < 0x7f){
2243 *q++ = ' ';
2244 *q++ = *p;
2245 } else {
2246 *q++ = charmap[*p>>4];
2247 *q++ = charmap[*p & 0xf];
2248 }
2249 len--;
2250 p++;
2251 }
2252 *q = 0;
2253
2254 if(len > 0)
2255 pprint("%s...\n", buf);
2256 else
2257 pprint("%s\n", buf);
2258 }
2259 }
2260