shithub: riscv

Download patch

ref: b28f60cdd3d7efcb5699cb8360e1e50823238d1f
parent: df829e6c07ddc515fa6c00e4baa888dfaecbd26d
author: cinap_lenrek <[email protected]>
date: Thu Nov 15 14:32:53 EST 2012 

add C-Keens tls-client-auth

This patch adds client TLS authentication to libsec in compliance with
rfc 4346.

A new -c flag has been introduced for tlsclient allowing the user to
specify a certificate in pem(8) format which will be provided to the
server upon request.

A -D debug flag has been introduced to enable debugging output.

The patch has been tested against OpenSSL 0.9.7j 04 May 2006.

It exists today because of the great (debugging) help and insight
provided by Matthias Bauer.

TODOs:

- specification of a certain client key in factotum is not possible at
	the moment
- tlssrv should support this too

These will get added in another patch.

The first try to submit this patch failed due to a network error.
Sorry for the duplication!

Kind regards,

Christian


--- a/sys/man/8/tlssrv
+++ b/sys/man/8/tlssrv
@@ -24,6 +24,13 @@
 .PP
 .B tlsclient
 [
+.B -D
+]
+[
+.B -c
+.I cert.pem
+]
+[
 .B -t
 .I trustedkeys
 ]
@@ -69,6 +76,14 @@
 and then relays 
 between the network connection
 and standard input and output.
+The
+.B -D
+flag enables some debug output.
+Specifying a certificate in pem(8) format with the
+.B -c
+flag, causes the client to submit this certificate upon
+server's request. A corresponding key has to be present in
+.IR factotum(4).
 If the
 .B -t
 flag
--- a/sys/src/cmd/tlsclient.c
+++ b/sys/src/cmd/tlsclient.c
@@ -6,7 +6,7 @@
 void
 usage(void)
 {
-	fprint(2, "usage: tlsclient [-t /sys/lib/tls/xxx] [-x /sys/lib/tls/xxx.exclude] dialstring\n");
+	fprint(2, "usage: tlsclient [-c lib/tls/clientcert] [-t /sys/lib/tls/xxx] [-x /sys/lib/tls/xxx.exclude] dialstring\n");
 	exits("usage");
 }
 
@@ -21,18 +21,34 @@
 			break;
 }
 
+static int
+reporter(char *fmt, ...)
+{
+	va_list ap;
+	
+	va_start(ap, fmt);
+	fprint(2, "%s:  tls reports ", argv0);
+	vfprint(2, fmt, ap);
+	fprint(2, "\n");
+
+	va_end(ap);
+	return 0;
+}
+
 void
 main(int argc, char **argv)
 {
-	int fd, netfd;
+	int fd, netfd, debug;
 	uchar digest[20];
-	TLSconn conn;
-	char *addr, *file, *filex;
+	TLSconn *conn;
+	char *addr, *file, *filex, *ccert;
 	Thumbprint *thumb;
 
 	file = nil;
 	filex = nil;
 	thumb = nil;
+	ccert=nil;
+	debug=0;
 	ARGBEGIN{
 	case 't':
 		file = EARGF(usage());
@@ -40,6 +56,12 @@
 	case 'x':
 		filex = EARGF(usage());
 		break;
+	case 'D':
+		debug++;
+		break;
+	case 'c':
+		ccert = EARGF(usage());
+		break;
 	default:
 		usage();
 	}ARGEND
@@ -59,20 +81,24 @@
 	if((netfd = dial(addr, 0, 0, 0)) < 0)
 		sysfatal("dial %s: %r", addr);
 
-	memset(&conn, 0, sizeof conn);
-	fd = tlsClient(netfd, &conn);
+	conn = (TLSconn*)mallocz(sizeof *conn, 1);
+	if(ccert)
+		conn->cert = readcert(ccert, &conn->certlen);
+	if(debug)
+		conn->trace = reporter;
+	fd = tlsClient(netfd, conn);
 	if(fd < 0)
 		sysfatal("tlsclient: %r");
 	if(thumb){
-		if(conn.cert==nil || conn.certlen<=0)
+		if(conn->cert==nil || conn->certlen<=0)
 			sysfatal("server did not provide TLS certificate");
-		sha1(conn.cert, conn.certlen, digest, nil);
+		sha1(conn->cert, conn->certlen, digest, nil);
 		if(!okThumbprint(digest, thumb)){
 			fmtinstall('H', encodefmt);
 			sysfatal("server certificate %.*H not recognized", SHA1dlen, digest);
 		}
 	}
-	free(conn.cert);
+	free(conn->cert);
 	close(netfd);
 
 	rfork(RFNOTEG);
--- a/sys/src/libsec/port/tlshand.c
+++ b/sys/src/libsec/port/tlshand.c
@@ -112,6 +112,9 @@
 		struct {
 			Bytes *key;
 		} clientKeyExchange;
+ 		struct {
+ 			Bytes *signature;
+ 		} certificateVerify;		
 		Finished finished;
 	} u;
 } Msg;
@@ -249,8 +252,7 @@
 };
 
 static TlsConnection *tlsServer2(int ctl, int hand, uchar *cert, int ncert, int (*trace)(char*fmt, ...), PEMChain *chain);
-static TlsConnection *tlsClient2(int ctl, int hand, uchar *csid, int ncsid, int (*trace)(char*fmt, ...));
-
+static TlsConnection *tlsClient2(int ctl, int hand, uchar *csid, int ncsid, uchar *cert, int certlen,  int (*trace)(char*fmt, ...));
 static void	msgClear(Msg *m);
 static char* msgPrint(char *buf, int n, Msg *m);
 static int	msgRecv(TlsConnection *c, Msg *m);
@@ -301,11 +303,15 @@
 static int get16(uchar *p);
 static Bytes* newbytes(int len);
 static Bytes* makebytes(uchar* buf, int len);
+static Bytes* mptobytes(mpint* big);
 static void freebytes(Bytes* b);
 static Ints* newints(int len);
 static Ints* makeints(int* buf, int len);
 static void freeints(Ints* b);
 
+/* x509.c */
+extern mpint* pkcs1padbuf(uchar *buf, int len, mpint *modulus);
+
 //================= client/server ========================
 
 //	push TLS onto fd, returning new (application) file descriptor
@@ -398,7 +404,7 @@
 		return -1;
 	}
 	fprint(ctl, "fd %d 0x%x", fd, ProtocolVersion);
-	tls = tlsClient2(ctl, hand, conn->sessionID, conn->sessionIDlen, conn->trace);
+	tls = tlsClient2(ctl, hand, conn->sessionID, conn->sessionIDlen, conn->cert, conn->certlen, conn->trace);
 	close(hand);
 	close(ctl);
 	close(fd);
@@ -602,7 +608,7 @@
 }
 
 static TlsConnection *
-tlsClient2(int ctl, int hand, uchar *csid, int ncsid, int (*trace)(char*fmt, ...))
+tlsClient2(int ctl, int hand, uchar *csid, int ncsid, uchar *cert, int certlen, int (*trace)(char*fmt, ...))
 {
 	TlsConnection *c;
 	Msg m;
@@ -609,6 +615,7 @@
 	uchar kd[MaxKeyData], *epm;
 	char *secrets;
 	int creq, nepm, rv;
+	mpint *signedMP, *paddedHashes; 
 
 	if(!initCiphers())
 		return nil;
@@ -719,7 +726,9 @@
 	}
 
 	if(creq) {
-		/* send a zero length certificate */
+ 		m.u.certificate.ncert = 1;
+ 		m.u.certificate.certs = emalloc(m.u.certificate.ncert * sizeof(Bytes));
+ 		m.u.certificate.certs[0] = makebytes(cert, certlen);		
 		m.tag = HCertificate;
 		if(!msgSend(c, &m, AFlush))
 			goto Err;
@@ -735,10 +744,55 @@
 		tlsError(c, EHandshakeFailure, "can't set secret: %r");
 		goto Err;
 	}
+	 
 	if(!msgSend(c, &m, AFlush))
 		goto Err;
 	msgClear(&m);
 
+ 	/* CertificateVerify */
+ 	/*XXX I should only send this when it is not DH right? 
+ 		Also we need to know which TLS key 
+		we have to use in case there are more than one*/
+ 	if(cert) {
+ 		m.tag = HCertificateVerify;
+ 		uchar hshashes[MD5dlen+SHA1dlen]; /* content of signature */
+		MD5state	hsmd5_save;
+		SHAstate	hssha1_save;
+	
+		/* save the state for the Finish message */
+
+		hsmd5_save = c->hsmd5;
+		hssha1_save = c->hssha1;
+ 		md5(nil, 0, hshashes, &c->hsmd5);
+		sha1(nil, 0, hshashes+MD5dlen, &c->hssha1);
+	
+		c->hsmd5 = hsmd5_save;
+		c->hssha1 = hssha1_save;
+
+ 		c->sec->rpc = factotum_rsa_open(cert, certlen);
+ 		if(c->sec->rpc == nil){
+ 			tlsError(c, EHandshakeFailure, "factotum_rsa_open: %r");
+ 			goto Err;
+ 		}
+		c->sec->rsapub = X509toRSApub(cert, certlen, nil, 0);
+		
+		paddedHashes = pkcs1padbuf(hshashes, 36, c->sec->rsapub->n);
+		signedMP = factotum_rsa_decrypt(c->sec->rpc, paddedHashes);
+ 		m.u.certificateVerify.signature = mptobytes(signedMP);
+		free(signedMP);
+
+		if(m.u.certificateVerify.signature == nil){
+			msgClear(&m);	
+			goto Err;
+		}
+
+		if(!msgSend(c, &m, AFlush)){
+ 			msgClear(&m);
+ 			goto Err;
+ 		}
+ 		msgClear(&m);
+ 	} 
+
 	/* change cipher spec */
 	if(fprint(c->ctl, "changecipher") < 0){
 		tlsError(c, EInternalError, "can't enable cipher: %r");
@@ -892,6 +946,12 @@
 			p += m->u.certificate.certs[i]->len;
 		}
 		break;
+ 	case HCertificateVerify:
+		put16(p, m->u.certificateVerify.signature->len);
+		p += 2;
+ 		memmove(p, m->u.certificateVerify.signature->data, m->u.certificateVerify.signature->len);
+ 		p += m->u.certificateVerify.signature->len;
+ 		break;	
 	case HClientKeyExchange:
 		n = m->u.clientKeyExchange.key->len;
 		if(c->version != SSL3Version){
@@ -1116,7 +1176,7 @@
 		nn = get24(p);
 		p += 3;
 		n -= 3;
-		if(n != nn)
+		if(nn == 0 && n > 0)
 			goto Short;
 		/* certs */
 		i = 0;
@@ -1142,7 +1202,7 @@
 		nn = p[0];
 		p += 1;
 		n -= 1;
-		if(nn < 1 || nn > n)
+		if(nn > n)
 			goto Short;
 		m->u.certificateRequest.types = makebytes(p, nn);
 		p += nn;
@@ -1250,6 +1310,9 @@
 			freebytes(m->u.certificateRequest.cas[i]);
 		free(m->u.certificateRequest.cas);
 		break;
+ 	case HCertificateVerify:
+ 		freebytes(m->u.certificateVerify.signature);
+ 		break;
 	case HServerHelloDone:
 		break;
 	case HClientKeyExchange:
@@ -1343,6 +1406,10 @@
 		for(i=0; i<m->u.certificateRequest.nca; i++)
 			bs = bytesPrint(bs, be, "\t\t", m->u.certificateRequest.cas[i], "\n");
 		break;
+ 	case HCertificateVerify:
+ 		bs = seprint(bs, be, "HCertificateVerify\n");
+ 		bs = bytesPrint(bs, be, "\tsignature: ", m->u.certificateVerify.signature,"\n");
+ 		break;	
 	case HServerHelloDone:
 		bs = seprint(bs, be, "ServerHelloDone\n");
 		break;
--- a/sys/src/libsec/port/x509.c
+++ b/sys/src/libsec/port/x509.c
@@ -2036,8 +2036,8 @@
 	return nil;
 }
 
-static mpint*
-pkcs1pad(Bytes *b, mpint *modulus)
+mpint*
+pkcs1padbuf(uchar *buf, int len, mpint *modulus)
 {
 	int n = (mpsignif(modulus)+7)/8;
 	int pm1, i;
@@ -2044,7 +2044,7 @@
 	uchar *p;
 	mpint *mp;
 
-	pm1 = n - 1 - b->len;
+	pm1 = n - 1 - len;
 	p = (uchar*)emalloc(n);
 	p[0] = 0;
 	p[1] = 1;
@@ -2051,10 +2051,16 @@
 	for(i = 2; i < pm1; i++)
 		p[i] = 0xFF;
 	p[pm1] = 0;
-	memcpy(&p[pm1+1], b->data, b->len);
+	memcpy(&p[pm1+1], buf, len);
 	mp = betomp(p, n, nil);
 	free(p);
 	return mp;
+}
+
+static mpint*
+pkcs1pad(Bytes *b, mpint *modulus)
+{
+	return pkcs1padbuf(b->data, b->len, modulus);
 }
 
 RSApriv*