shithub: riscv

Download patch

ref: 9f50ee06f3a78af3767ec061f4647b5446c8619e
parent: ada54defbcb037f8858b475f90ef215b7d1b44a6
author: cinap_lenrek <[email protected]>
date: Wed Sep 23 12:57:25 EDT 2015

libsec: implement client certificate authentication for tls1.2

we used to negotiate tls1.1 for client cert authentication because the
signature generation was not implemented for tls1.2. this is now fixed
and tls1.2 can be negotiated with client certs.

--- a/sys/src/libsec/port/tlshand.c
+++ b/sys/src/libsec/port/tlshand.c
@@ -130,6 +130,7 @@
 		} certificate;
 		struct {
 			Bytes *types;
+			Ints *sigalgs;
 			int nca;
 			Bytes **cas;
 		} certificateRequest;
@@ -146,6 +147,7 @@
 			int curve;
 		} serverKeyExchange;
 		struct {
+			int sigalg;
 			Bytes *signature;
 		} certificateVerify;		
 		Finished finished;
@@ -387,6 +389,7 @@
 /* x509.c */
 extern mpint*	pkcs1padbuf(uchar *buf, int len, mpint *modulus);
 extern int	pkcs1decryptsignature(uchar *sig, int siglen, RSApub *pk, uchar **pbuf);
+extern int	X509encodesignature_sha256(uchar digest[SHA2_256dlen], uchar *buf, int len);
 
 //================= client/server ========================
 
@@ -1024,7 +1027,6 @@
 	uchar kd[MaxKeyData];
 	char *secrets;
 	int creq, dhx, rv, cipher;
-	mpint *signedMP, *paddedHashes;
 	Bytes *epm;
 
 	if(!initCiphers())
@@ -1033,10 +1035,6 @@
 	c = emalloc(sizeof(TlsConnection));
 	c->version = ProtocolVersion;
 
-	// client certificate signature not implemented for TLS1.2
-	if(cert != nil && certlen > 0 && c->version >= TLS12Version)
-		c->version = TLS11Version;
-
 	c->ctl = ctl;
 	c->hand = hand;
 	c->trace = trace;
@@ -1201,15 +1199,11 @@
 
 	/* certificate verify */
 	if(creq && cert != nil && certlen > 0) {
-		uchar hshashes[MD5dlen+SHA1dlen]; /* content of signature */
+		mpint *signedMP, *paddedHashes;
 		HandshakeHash hsave;
+		uchar buf[512];
+		int buflen;
 
-		/* save the state for the Finish message */
-		hsave = c->handhash;
-		md5(nil, 0, hshashes, &c->handhash.md5);
-		sha1(nil, 0, hshashes+MD5dlen, &c->handhash.sha1);
-		c->handhash = hsave;
-
 		c->sec->rpc = factotum_rsa_open(cert, certlen);
 		if(c->sec->rpc == nil){
 			tlsError(c, EHandshakeFailure, "factotum_rsa_open: %r");
@@ -1221,7 +1215,22 @@
 			goto Err;
 		}
 
-		paddedHashes = pkcs1padbuf(hshashes, MD5dlen+SHA1dlen, c->sec->rsapub->n);
+		/* save the state for the Finish message */
+		hsave = c->handhash;
+		if(c->version >= TLS12Version){
+			uchar digest[SHA2_256dlen];
+
+			m.u.certificateVerify.sigalg = 0x0401;	/* RSA SHA256 */
+			sha2_256(nil, 0, digest, &c->handhash.sha2_256);
+			buflen = X509encodesignature_sha256(digest, buf, sizeof(buf));
+		} else {
+			md5(nil, 0, buf, &c->handhash.md5);
+			sha1(nil, 0, buf+MD5dlen, &c->handhash.sha1);
+			buflen = MD5dlen+SHA1dlen;
+		}
+		c->handhash = hsave;
+		
+		paddedHashes = pkcs1padbuf(buf, buflen, c->sec->rsapub->n);
 		signedMP = factotum_rsa_decrypt(c->sec->rpc, paddedHashes);
 		if(signedMP == nil){
 			tlsError(c, EHandshakeFailure, "factotum_rsa_decrypt: %r");
@@ -1410,6 +1419,10 @@
 		}
 		break;
 	case HCertificateVerify:
+		if(m->u.certificateVerify.sigalg != 0){
+			put16(p, m->u.certificateVerify.sigalg);
+			p += 2;
+		}
 		put16(p, m->u.certificateVerify.signature->len);
 		p += 2;
 		memmove(p, m->u.certificateVerify.signature->data, m->u.certificateVerify.signature->len);
@@ -1684,14 +1697,16 @@
 		p += nn;
 		n -= nn;
 		if(c->version >= TLS12Version){
-			/* skip supported_signature_algorithms */
 			if(n < 2)
 				goto Short;
 			nn = get16(p);
 			p += 2;
 			n -= 2;
-			if(nn > n)
+			if(nn & 1)
 				goto Short;
+			m->u.certificateRequest.sigalgs = newints(nn>>1);
+			for(i = 0; i < nn; i += 2)
+				m->u.certificateRequest.sigalgs->data[i >> 1] = get16(&p[i]);
 			p += nn;
 			n -= nn;
 
@@ -1861,6 +1876,7 @@
 		break;
 	case HCertificateRequest:
 		freebytes(m->u.certificateRequest.types);
+		freeints(m->u.certificateRequest.sigalgs);
 		for(i=0; i<m->u.certificateRequest.nca; i++)
 			freebytes(m->u.certificateRequest.cas[i]);
 		free(m->u.certificateRequest.cas);
@@ -1969,6 +1985,8 @@
 	case HCertificateRequest:
 		bs = seprint(bs, be, "CertificateRequest\n");
 		bs = bytesPrint(bs, be, "\ttypes: ", m->u.certificateRequest.types, "\n");
+		if(m->u.certificateRequest.sigalgs != nil)
+			bs = intsPrint(bs, be, "\tsigalgs: ", m->u.certificateRequest.sigalgs, "\n");
 		bs = seprint(bs, be, "\tcertificateauthorities\n");
 		for(i=0; i<m->u.certificateRequest.nca; i++)
 			bs = bytesPrint(bs, be, "\t\t", m->u.certificateRequest.cas[i], "\n");
@@ -1975,6 +1993,8 @@
 		break;
 	case HCertificateVerify:
 		bs = seprint(bs, be, "HCertificateVerify\n");
+		if(m->u.certificateVerify.sigalg != 0)
+			bs = seprint(bs, be, "\tsigalg: %.4x\n", m->u.certificateVerify.sigalg);
 		bs = bytesPrint(bs, be, "\tsignature: ", m->u.certificateVerify.signature,"\n");
 		break;	
 	case HServerHelloDone:
--- a/sys/src/libsec/port/x509.c
+++ b/sys/src/libsec/port/x509.c
@@ -2496,6 +2496,31 @@
 	return mkseq(el);
 }
 
+int
+X509encodesignature_sha256(uchar digest[SHA2_256dlen], uchar *buf, int len)
+{
+	Bytes *sigbytes;
+	Elem sig;
+	int err;
+
+	sig = mkseq(
+		mkel(mkalg(ALG_sha256),
+		mkel(mkoctet(digest, SHA2_256dlen),
+		nil)));
+	err = encode(sig, &sigbytes);
+	freevalfields(&sig.val);
+	if(err != ASN_OK)
+		return -1;
+	if(len < sigbytes->len){
+		freebytes(sigbytes);
+		return -1;
+	}
+	len = sigbytes->len;
+	memmove(buf, sigbytes->data, len);
+	freebytes(sigbytes);
+
+	return len;
+}
 
 uchar*
 X509gen(RSApriv *priv, char *subj, ulong valid[2], int *certlen)