4282 lines
130 KiB
JavaScript
4282 lines
130 KiB
JavaScript
/**
|
|
* A Javascript implementation of Transport Layer Security (TLS).
|
|
*
|
|
* @author Dave Longley
|
|
*
|
|
* Copyright (c) 2009-2014 Digital Bazaar, Inc.
|
|
*
|
|
* The TLS Handshake Protocol involves the following steps:
|
|
*
|
|
* - Exchange hello messages to agree on algorithms, exchange random values,
|
|
* and check for session resumption.
|
|
*
|
|
* - Exchange the necessary cryptographic parameters to allow the client and
|
|
* server to agree on a premaster secret.
|
|
*
|
|
* - Exchange certificates and cryptographic information to allow the client
|
|
* and server to authenticate themselves.
|
|
*
|
|
* - Generate a master secret from the premaster secret and exchanged random
|
|
* values.
|
|
*
|
|
* - Provide security parameters to the record layer.
|
|
*
|
|
* - Allow the client and server to verify that their peer has calculated the
|
|
* same security parameters and that the handshake occurred without tampering
|
|
* by an attacker.
|
|
*
|
|
* Up to 4 different messages may be sent during a key exchange. The server
|
|
* certificate, the server key exchange, the client certificate, and the
|
|
* client key exchange.
|
|
*
|
|
* A typical handshake (from the client's perspective).
|
|
*
|
|
* 1. Client sends ClientHello.
|
|
* 2. Client receives ServerHello.
|
|
* 3. Client receives optional Certificate.
|
|
* 4. Client receives optional ServerKeyExchange.
|
|
* 5. Client receives ServerHelloDone.
|
|
* 6. Client sends optional Certificate.
|
|
* 7. Client sends ClientKeyExchange.
|
|
* 8. Client sends optional CertificateVerify.
|
|
* 9. Client sends ChangeCipherSpec.
|
|
* 10. Client sends Finished.
|
|
* 11. Client receives ChangeCipherSpec.
|
|
* 12. Client receives Finished.
|
|
* 13. Client sends/receives application data.
|
|
*
|
|
* To reuse an existing session:
|
|
*
|
|
* 1. Client sends ClientHello with session ID for reuse.
|
|
* 2. Client receives ServerHello with same session ID if reusing.
|
|
* 3. Client receives ChangeCipherSpec message if reusing.
|
|
* 4. Client receives Finished.
|
|
* 5. Client sends ChangeCipherSpec.
|
|
* 6. Client sends Finished.
|
|
*
|
|
* Note: Client ignores HelloRequest if in the middle of a handshake.
|
|
*
|
|
* Record Layer:
|
|
*
|
|
* The record layer fragments information blocks into TLSPlaintext records
|
|
* carrying data in chunks of 2^14 bytes or less. Client message boundaries are
|
|
* not preserved in the record layer (i.e., multiple client messages of the
|
|
* same ContentType MAY be coalesced into a single TLSPlaintext record, or a
|
|
* single message MAY be fragmented across several records).
|
|
*
|
|
* struct {
|
|
* uint8 major;
|
|
* uint8 minor;
|
|
* } ProtocolVersion;
|
|
*
|
|
* struct {
|
|
* ContentType type;
|
|
* ProtocolVersion version;
|
|
* uint16 length;
|
|
* opaque fragment[TLSPlaintext.length];
|
|
* } TLSPlaintext;
|
|
*
|
|
* type:
|
|
* The higher-level protocol used to process the enclosed fragment.
|
|
*
|
|
* version:
|
|
* The version of the protocol being employed. TLS Version 1.2 uses version
|
|
* {3, 3}. TLS Version 1.0 uses version {3, 1}. Note that a client that
|
|
* supports multiple versions of TLS may not know what version will be
|
|
* employed before it receives the ServerHello.
|
|
*
|
|
* length:
|
|
* The length (in bytes) of the following TLSPlaintext.fragment. The length
|
|
* MUST NOT exceed 2^14 = 16384 bytes.
|
|
*
|
|
* fragment:
|
|
* The application data. This data is transparent and treated as an
|
|
* independent block to be dealt with by the higher-level protocol specified
|
|
* by the type field.
|
|
*
|
|
* Implementations MUST NOT send zero-length fragments of Handshake, Alert, or
|
|
* ChangeCipherSpec content types. Zero-length fragments of Application data
|
|
* MAY be sent as they are potentially useful as a traffic analysis
|
|
* countermeasure.
|
|
*
|
|
* Note: Data of different TLS record layer content types MAY be interleaved.
|
|
* Application data is generally of lower precedence for transmission than
|
|
* other content types. However, records MUST be delivered to the network in
|
|
* the same order as they are protected by the record layer. Recipients MUST
|
|
* receive and process interleaved application layer traffic during handshakes
|
|
* subsequent to the first one on a connection.
|
|
*
|
|
* struct {
|
|
* ContentType type; // same as TLSPlaintext.type
|
|
* ProtocolVersion version;// same as TLSPlaintext.version
|
|
* uint16 length;
|
|
* opaque fragment[TLSCompressed.length];
|
|
* } TLSCompressed;
|
|
*
|
|
* length:
|
|
* The length (in bytes) of the following TLSCompressed.fragment.
|
|
* The length MUST NOT exceed 2^14 + 1024.
|
|
*
|
|
* fragment:
|
|
* The compressed form of TLSPlaintext.fragment.
|
|
*
|
|
* Note: A CompressionMethod.null operation is an identity operation; no fields
|
|
* are altered. In this implementation, since no compression is supported,
|
|
* uncompressed records are always the same as compressed records.
|
|
*
|
|
* Encryption Information:
|
|
*
|
|
* The encryption and MAC functions translate a TLSCompressed structure into a
|
|
* TLSCiphertext. The decryption functions reverse the process. The MAC of the
|
|
* record also includes a sequence number so that missing, extra, or repeated
|
|
* messages are detectable.
|
|
*
|
|
* struct {
|
|
* ContentType type;
|
|
* ProtocolVersion version;
|
|
* uint16 length;
|
|
* select (SecurityParameters.cipher_type) {
|
|
* case stream: GenericStreamCipher;
|
|
* case block: GenericBlockCipher;
|
|
* case aead: GenericAEADCipher;
|
|
* } fragment;
|
|
* } TLSCiphertext;
|
|
*
|
|
* type:
|
|
* The type field is identical to TLSCompressed.type.
|
|
*
|
|
* version:
|
|
* The version field is identical to TLSCompressed.version.
|
|
*
|
|
* length:
|
|
* The length (in bytes) of the following TLSCiphertext.fragment.
|
|
* The length MUST NOT exceed 2^14 + 2048.
|
|
*
|
|
* fragment:
|
|
* The encrypted form of TLSCompressed.fragment, with the MAC.
|
|
*
|
|
* Note: Only CBC Block Ciphers are supported by this implementation.
|
|
*
|
|
* The TLSCompressed.fragment structures are converted to/from block
|
|
* TLSCiphertext.fragment structures.
|
|
*
|
|
* struct {
|
|
* opaque IV[SecurityParameters.record_iv_length];
|
|
* block-ciphered struct {
|
|
* opaque content[TLSCompressed.length];
|
|
* opaque MAC[SecurityParameters.mac_length];
|
|
* uint8 padding[GenericBlockCipher.padding_length];
|
|
* uint8 padding_length;
|
|
* };
|
|
* } GenericBlockCipher;
|
|
*
|
|
* The MAC is generated as described in Section 6.2.3.1.
|
|
*
|
|
* IV:
|
|
* The Initialization Vector (IV) SHOULD be chosen at random, and MUST be
|
|
* unpredictable. Note that in versions of TLS prior to 1.1, there was no
|
|
* IV field, and the last ciphertext block of the previous record (the "CBC
|
|
* residue") was used as the IV. This was changed to prevent the attacks
|
|
* described in [CBCATT]. For block ciphers, the IV length is of length
|
|
* SecurityParameters.record_iv_length, which is equal to the
|
|
* SecurityParameters.block_size.
|
|
*
|
|
* padding:
|
|
* Padding that is added to force the length of the plaintext to be an
|
|
* integral multiple of the block cipher's block length. The padding MAY be
|
|
* any length up to 255 bytes, as long as it results in the
|
|
* TLSCiphertext.length being an integral multiple of the block length.
|
|
* Lengths longer than necessary might be desirable to frustrate attacks on
|
|
* a protocol that are based on analysis of the lengths of exchanged
|
|
* messages. Each uint8 in the padding data vector MUST be filled with the
|
|
* padding length value. The receiver MUST check this padding and MUST use
|
|
* the bad_record_mac alert to indicate padding errors.
|
|
*
|
|
* padding_length:
|
|
* The padding length MUST be such that the total size of the
|
|
* GenericBlockCipher structure is a multiple of the cipher's block length.
|
|
* Legal values range from zero to 255, inclusive. This length specifies the
|
|
* length of the padding field exclusive of the padding_length field itself.
|
|
*
|
|
* The encrypted data length (TLSCiphertext.length) is one more than the sum of
|
|
* SecurityParameters.block_length, TLSCompressed.length,
|
|
* SecurityParameters.mac_length, and padding_length.
|
|
*
|
|
* Example: If the block length is 8 bytes, the content length
|
|
* (TLSCompressed.length) is 61 bytes, and the MAC length is 20 bytes, then the
|
|
* length before padding is 82 bytes (this does not include the IV. Thus, the
|
|
* padding length modulo 8 must be equal to 6 in order to make the total length
|
|
* an even multiple of 8 bytes (the block length). The padding length can be
|
|
* 6, 14, 22, and so on, through 254. If the padding length were the minimum
|
|
* necessary, 6, the padding would be 6 bytes, each containing the value 6.
|
|
* Thus, the last 8 octets of the GenericBlockCipher before block encryption
|
|
* would be xx 06 06 06 06 06 06 06, where xx is the last octet of the MAC.
|
|
*
|
|
* Note: With block ciphers in CBC mode (Cipher Block Chaining), it is critical
|
|
* that the entire plaintext of the record be known before any ciphertext is
|
|
* transmitted. Otherwise, it is possible for the attacker to mount the attack
|
|
* described in [CBCATT].
|
|
*
|
|
* Implementation note: Canvel et al. [CBCTIME] have demonstrated a timing
|
|
* attack on CBC padding based on the time required to compute the MAC. In
|
|
* order to defend against this attack, implementations MUST ensure that
|
|
* record processing time is essentially the same whether or not the padding
|
|
* is correct. In general, the best way to do this is to compute the MAC even
|
|
* if the padding is incorrect, and only then reject the packet. For instance,
|
|
* if the pad appears to be incorrect, the implementation might assume a
|
|
* zero-length pad and then compute the MAC. This leaves a small timing
|
|
* channel, since MAC performance depends, to some extent, on the size of the
|
|
* data fragment, but it is not believed to be large enough to be exploitable,
|
|
* due to the large block size of existing MACs and the small size of the
|
|
* timing signal.
|
|
*/
|
|
var forge = require('./forge');
|
|
require('./asn1');
|
|
require('./hmac');
|
|
require('./md5');
|
|
require('./pem');
|
|
require('./pki');
|
|
require('./random');
|
|
require('./sha1');
|
|
require('./util');
|
|
|
|
/**
|
|
* Generates pseudo random bytes by mixing the result of two hash functions,
|
|
* MD5 and SHA-1.
|
|
*
|
|
* prf_TLS1(secret, label, seed) =
|
|
* P_MD5(S1, label + seed) XOR P_SHA-1(S2, label + seed);
|
|
*
|
|
* Each P_hash function functions as follows:
|
|
*
|
|
* P_hash(secret, seed) = HMAC_hash(secret, A(1) + seed) +
|
|
* HMAC_hash(secret, A(2) + seed) +
|
|
* HMAC_hash(secret, A(3) + seed) + ...
|
|
* A() is defined as:
|
|
* A(0) = seed
|
|
* A(i) = HMAC_hash(secret, A(i-1))
|
|
*
|
|
* The '+' operator denotes concatenation.
|
|
*
|
|
* As many iterations A(N) as are needed are performed to generate enough
|
|
* pseudo random byte output. If an iteration creates more data than is
|
|
* necessary, then it is truncated.
|
|
*
|
|
* Therefore:
|
|
* A(1) = HMAC_hash(secret, A(0))
|
|
* = HMAC_hash(secret, seed)
|
|
* A(2) = HMAC_hash(secret, A(1))
|
|
* = HMAC_hash(secret, HMAC_hash(secret, seed))
|
|
*
|
|
* Therefore:
|
|
* P_hash(secret, seed) =
|
|
* HMAC_hash(secret, HMAC_hash(secret, A(0)) + seed) +
|
|
* HMAC_hash(secret, HMAC_hash(secret, A(1)) + seed) +
|
|
* ...
|
|
*
|
|
* Therefore:
|
|
* P_hash(secret, seed) =
|
|
* HMAC_hash(secret, HMAC_hash(secret, seed) + seed) +
|
|
* HMAC_hash(secret, HMAC_hash(secret, HMAC_hash(secret, seed)) + seed) +
|
|
* ...
|
|
*
|
|
* @param secret the secret to use.
|
|
* @param label the label to use.
|
|
* @param seed the seed value to use.
|
|
* @param length the number of bytes to generate.
|
|
*
|
|
* @return the pseudo random bytes in a byte buffer.
|
|
*/
|
|
var prf_TLS1 = function(secret, label, seed, length) {
|
|
var rval = forge.util.createBuffer();
|
|
|
|
/* For TLS 1.0, the secret is split in half, into two secrets of equal
|
|
length. If the secret has an odd length then the last byte of the first
|
|
half will be the same as the first byte of the second. The length of the
|
|
two secrets is half of the secret rounded up. */
|
|
var idx = (secret.length >> 1);
|
|
var slen = idx + (secret.length & 1);
|
|
var s1 = secret.substr(0, slen);
|
|
var s2 = secret.substr(idx, slen);
|
|
var ai = forge.util.createBuffer();
|
|
var hmac = forge.hmac.create();
|
|
seed = label + seed;
|
|
|
|
// determine the number of iterations that must be performed to generate
|
|
// enough output bytes, md5 creates 16 byte hashes, sha1 creates 20
|
|
var md5itr = Math.ceil(length / 16);
|
|
var sha1itr = Math.ceil(length / 20);
|
|
|
|
// do md5 iterations
|
|
hmac.start('MD5', s1);
|
|
var md5bytes = forge.util.createBuffer();
|
|
ai.putBytes(seed);
|
|
for(var i = 0; i < md5itr; ++i) {
|
|
// HMAC_hash(secret, A(i-1))
|
|
hmac.start(null, null);
|
|
hmac.update(ai.getBytes());
|
|
ai.putBuffer(hmac.digest());
|
|
|
|
// HMAC_hash(secret, A(i) + seed)
|
|
hmac.start(null, null);
|
|
hmac.update(ai.bytes() + seed);
|
|
md5bytes.putBuffer(hmac.digest());
|
|
}
|
|
|
|
// do sha1 iterations
|
|
hmac.start('SHA1', s2);
|
|
var sha1bytes = forge.util.createBuffer();
|
|
ai.clear();
|
|
ai.putBytes(seed);
|
|
for(var i = 0; i < sha1itr; ++i) {
|
|
// HMAC_hash(secret, A(i-1))
|
|
hmac.start(null, null);
|
|
hmac.update(ai.getBytes());
|
|
ai.putBuffer(hmac.digest());
|
|
|
|
// HMAC_hash(secret, A(i) + seed)
|
|
hmac.start(null, null);
|
|
hmac.update(ai.bytes() + seed);
|
|
sha1bytes.putBuffer(hmac.digest());
|
|
}
|
|
|
|
// XOR the md5 bytes with the sha1 bytes
|
|
rval.putBytes(forge.util.xorBytes(
|
|
md5bytes.getBytes(), sha1bytes.getBytes(), length));
|
|
|
|
return rval;
|
|
};
|
|
|
|
/**
|
|
* Generates pseudo random bytes using a SHA256 algorithm. For TLS 1.2.
|
|
*
|
|
* @param secret the secret to use.
|
|
* @param label the label to use.
|
|
* @param seed the seed value to use.
|
|
* @param length the number of bytes to generate.
|
|
*
|
|
* @return the pseudo random bytes in a byte buffer.
|
|
*/
|
|
var prf_sha256 = function(secret, label, seed, length) {
|
|
// FIXME: implement me for TLS 1.2
|
|
};
|
|
|
|
/**
|
|
* Gets a MAC for a record using the SHA-1 hash algorithm.
|
|
*
|
|
* @param key the mac key.
|
|
* @param state the sequence number (array of two 32-bit integers).
|
|
* @param record the record.
|
|
*
|
|
* @return the sha-1 hash (20 bytes) for the given record.
|
|
*/
|
|
var hmac_sha1 = function(key, seqNum, record) {
|
|
/* MAC is computed like so:
|
|
HMAC_hash(
|
|
key, seqNum +
|
|
TLSCompressed.type +
|
|
TLSCompressed.version +
|
|
TLSCompressed.length +
|
|
TLSCompressed.fragment)
|
|
*/
|
|
var hmac = forge.hmac.create();
|
|
hmac.start('SHA1', key);
|
|
var b = forge.util.createBuffer();
|
|
b.putInt32(seqNum[0]);
|
|
b.putInt32(seqNum[1]);
|
|
b.putByte(record.type);
|
|
b.putByte(record.version.major);
|
|
b.putByte(record.version.minor);
|
|
b.putInt16(record.length);
|
|
b.putBytes(record.fragment.bytes());
|
|
hmac.update(b.getBytes());
|
|
return hmac.digest().getBytes();
|
|
};
|
|
|
|
/**
|
|
* Compresses the TLSPlaintext record into a TLSCompressed record using the
|
|
* deflate algorithm.
|
|
*
|
|
* @param c the TLS connection.
|
|
* @param record the TLSPlaintext record to compress.
|
|
* @param s the ConnectionState to use.
|
|
*
|
|
* @return true on success, false on failure.
|
|
*/
|
|
var deflate = function(c, record, s) {
|
|
var rval = false;
|
|
|
|
try {
|
|
var bytes = c.deflate(record.fragment.getBytes());
|
|
record.fragment = forge.util.createBuffer(bytes);
|
|
record.length = bytes.length;
|
|
rval = true;
|
|
} catch(ex) {
|
|
// deflate error, fail out
|
|
}
|
|
|
|
return rval;
|
|
};
|
|
|
|
/**
|
|
* Decompresses the TLSCompressed record into a TLSPlaintext record using the
|
|
* deflate algorithm.
|
|
*
|
|
* @param c the TLS connection.
|
|
* @param record the TLSCompressed record to decompress.
|
|
* @param s the ConnectionState to use.
|
|
*
|
|
* @return true on success, false on failure.
|
|
*/
|
|
var inflate = function(c, record, s) {
|
|
var rval = false;
|
|
|
|
try {
|
|
var bytes = c.inflate(record.fragment.getBytes());
|
|
record.fragment = forge.util.createBuffer(bytes);
|
|
record.length = bytes.length;
|
|
rval = true;
|
|
} catch(ex) {
|
|
// inflate error, fail out
|
|
}
|
|
|
|
return rval;
|
|
};
|
|
|
|
/**
|
|
* Reads a TLS variable-length vector from a byte buffer.
|
|
*
|
|
* Variable-length vectors are defined by specifying a subrange of legal
|
|
* lengths, inclusively, using the notation <floor..ceiling>. When these are
|
|
* encoded, the actual length precedes the vector's contents in the byte
|
|
* stream. The length will be in the form of a number consuming as many bytes
|
|
* as required to hold the vector's specified maximum (ceiling) length. A
|
|
* variable-length vector with an actual length field of zero is referred to
|
|
* as an empty vector.
|
|
*
|
|
* @param b the byte buffer.
|
|
* @param lenBytes the number of bytes required to store the length.
|
|
*
|
|
* @return the resulting byte buffer.
|
|
*/
|
|
var readVector = function(b, lenBytes) {
|
|
var len = 0;
|
|
switch(lenBytes) {
|
|
case 1:
|
|
len = b.getByte();
|
|
break;
|
|
case 2:
|
|
len = b.getInt16();
|
|
break;
|
|
case 3:
|
|
len = b.getInt24();
|
|
break;
|
|
case 4:
|
|
len = b.getInt32();
|
|
break;
|
|
}
|
|
|
|
// read vector bytes into a new buffer
|
|
return forge.util.createBuffer(b.getBytes(len));
|
|
};
|
|
|
|
/**
|
|
* Writes a TLS variable-length vector to a byte buffer.
|
|
*
|
|
* @param b the byte buffer.
|
|
* @param lenBytes the number of bytes required to store the length.
|
|
* @param v the byte buffer vector.
|
|
*/
|
|
var writeVector = function(b, lenBytes, v) {
|
|
// encode length at the start of the vector, where the number of bytes for
|
|
// the length is the maximum number of bytes it would take to encode the
|
|
// vector's ceiling
|
|
b.putInt(v.length(), lenBytes << 3);
|
|
b.putBuffer(v);
|
|
};
|
|
|
|
/**
|
|
* The tls implementation.
|
|
*/
|
|
var tls = {};
|
|
|
|
/**
|
|
* Version: TLS 1.2 = 3.3, TLS 1.1 = 3.2, TLS 1.0 = 3.1. Both TLS 1.1 and
|
|
* TLS 1.2 were still too new (ie: openSSL didn't implement them) at the time
|
|
* of this implementation so TLS 1.0 was implemented instead.
|
|
*/
|
|
tls.Versions = {
|
|
TLS_1_0: {major: 3, minor: 1},
|
|
TLS_1_1: {major: 3, minor: 2},
|
|
TLS_1_2: {major: 3, minor: 3}
|
|
};
|
|
tls.SupportedVersions = [
|
|
tls.Versions.TLS_1_1,
|
|
tls.Versions.TLS_1_0
|
|
];
|
|
tls.Version = tls.SupportedVersions[0];
|
|
|
|
/**
|
|
* Maximum fragment size. True maximum is 16384, but we fragment before that
|
|
* to allow for unusual small increases during compression.
|
|
*/
|
|
tls.MaxFragment = 16384 - 1024;
|
|
|
|
/**
|
|
* Whether this entity is considered the "client" or "server".
|
|
* enum { server, client } ConnectionEnd;
|
|
*/
|
|
tls.ConnectionEnd = {
|
|
server: 0,
|
|
client: 1
|
|
};
|
|
|
|
/**
|
|
* Pseudo-random function algorithm used to generate keys from the master
|
|
* secret.
|
|
* enum { tls_prf_sha256 } PRFAlgorithm;
|
|
*/
|
|
tls.PRFAlgorithm = {
|
|
tls_prf_sha256: 0
|
|
};
|
|
|
|
/**
|
|
* Bulk encryption algorithms.
|
|
* enum { null, rc4, des3, aes } BulkCipherAlgorithm;
|
|
*/
|
|
tls.BulkCipherAlgorithm = {
|
|
none: null,
|
|
rc4: 0,
|
|
des3: 1,
|
|
aes: 2
|
|
};
|
|
|
|
/**
|
|
* Cipher types.
|
|
* enum { stream, block, aead } CipherType;
|
|
*/
|
|
tls.CipherType = {
|
|
stream: 0,
|
|
block: 1,
|
|
aead: 2
|
|
};
|
|
|
|
/**
|
|
* MAC (Message Authentication Code) algorithms.
|
|
* enum { null, hmac_md5, hmac_sha1, hmac_sha256,
|
|
* hmac_sha384, hmac_sha512} MACAlgorithm;
|
|
*/
|
|
tls.MACAlgorithm = {
|
|
none: null,
|
|
hmac_md5: 0,
|
|
hmac_sha1: 1,
|
|
hmac_sha256: 2,
|
|
hmac_sha384: 3,
|
|
hmac_sha512: 4
|
|
};
|
|
|
|
/**
|
|
* Compression algorithms.
|
|
* enum { null(0), deflate(1), (255) } CompressionMethod;
|
|
*/
|
|
tls.CompressionMethod = {
|
|
none: 0,
|
|
deflate: 1
|
|
};
|
|
|
|
/**
|
|
* TLS record content types.
|
|
* enum {
|
|
* change_cipher_spec(20), alert(21), handshake(22),
|
|
* application_data(23), (255)
|
|
* } ContentType;
|
|
*/
|
|
tls.ContentType = {
|
|
change_cipher_spec: 20,
|
|
alert: 21,
|
|
handshake: 22,
|
|
application_data: 23,
|
|
heartbeat: 24
|
|
};
|
|
|
|
/**
|
|
* TLS handshake types.
|
|
* enum {
|
|
* hello_request(0), client_hello(1), server_hello(2),
|
|
* certificate(11), server_key_exchange (12),
|
|
* certificate_request(13), server_hello_done(14),
|
|
* certificate_verify(15), client_key_exchange(16),
|
|
* finished(20), (255)
|
|
* } HandshakeType;
|
|
*/
|
|
tls.HandshakeType = {
|
|
hello_request: 0,
|
|
client_hello: 1,
|
|
server_hello: 2,
|
|
certificate: 11,
|
|
server_key_exchange: 12,
|
|
certificate_request: 13,
|
|
server_hello_done: 14,
|
|
certificate_verify: 15,
|
|
client_key_exchange: 16,
|
|
finished: 20
|
|
};
|
|
|
|
/**
|
|
* TLS Alert Protocol.
|
|
*
|
|
* enum { warning(1), fatal(2), (255) } AlertLevel;
|
|
*
|
|
* enum {
|
|
* close_notify(0),
|
|
* unexpected_message(10),
|
|
* bad_record_mac(20),
|
|
* decryption_failed(21),
|
|
* record_overflow(22),
|
|
* decompression_failure(30),
|
|
* handshake_failure(40),
|
|
* bad_certificate(42),
|
|
* unsupported_certificate(43),
|
|
* certificate_revoked(44),
|
|
* certificate_expired(45),
|
|
* certificate_unknown(46),
|
|
* illegal_parameter(47),
|
|
* unknown_ca(48),
|
|
* access_denied(49),
|
|
* decode_error(50),
|
|
* decrypt_error(51),
|
|
* export_restriction(60),
|
|
* protocol_version(70),
|
|
* insufficient_security(71),
|
|
* internal_error(80),
|
|
* user_canceled(90),
|
|
* no_renegotiation(100),
|
|
* (255)
|
|
* } AlertDescription;
|
|
*
|
|
* struct {
|
|
* AlertLevel level;
|
|
* AlertDescription description;
|
|
* } Alert;
|
|
*/
|
|
tls.Alert = {};
|
|
tls.Alert.Level = {
|
|
warning: 1,
|
|
fatal: 2
|
|
};
|
|
tls.Alert.Description = {
|
|
close_notify: 0,
|
|
unexpected_message: 10,
|
|
bad_record_mac: 20,
|
|
decryption_failed: 21,
|
|
record_overflow: 22,
|
|
decompression_failure: 30,
|
|
handshake_failure: 40,
|
|
bad_certificate: 42,
|
|
unsupported_certificate: 43,
|
|
certificate_revoked: 44,
|
|
certificate_expired: 45,
|
|
certificate_unknown: 46,
|
|
illegal_parameter: 47,
|
|
unknown_ca: 48,
|
|
access_denied: 49,
|
|
decode_error: 50,
|
|
decrypt_error: 51,
|
|
export_restriction: 60,
|
|
protocol_version: 70,
|
|
insufficient_security: 71,
|
|
internal_error: 80,
|
|
user_canceled: 90,
|
|
no_renegotiation: 100
|
|
};
|
|
|
|
/**
|
|
* TLS Heartbeat Message types.
|
|
* enum {
|
|
* heartbeat_request(1),
|
|
* heartbeat_response(2),
|
|
* (255)
|
|
* } HeartbeatMessageType;
|
|
*/
|
|
tls.HeartbeatMessageType = {
|
|
heartbeat_request: 1,
|
|
heartbeat_response: 2
|
|
};
|
|
|
|
/**
|
|
* Supported cipher suites.
|
|
*/
|
|
tls.CipherSuites = {};
|
|
|
|
/**
|
|
* Gets a supported cipher suite from its 2 byte ID.
|
|
*
|
|
* @param twoBytes two bytes in a string.
|
|
*
|
|
* @return the matching supported cipher suite or null.
|
|
*/
|
|
tls.getCipherSuite = function(twoBytes) {
|
|
var rval = null;
|
|
for(var key in tls.CipherSuites) {
|
|
var cs = tls.CipherSuites[key];
|
|
if(cs.id[0] === twoBytes.charCodeAt(0) &&
|
|
cs.id[1] === twoBytes.charCodeAt(1)) {
|
|
rval = cs;
|
|
break;
|
|
}
|
|
}
|
|
return rval;
|
|
};
|
|
|
|
/**
|
|
* Called when an unexpected record is encountered.
|
|
*
|
|
* @param c the connection.
|
|
* @param record the record.
|
|
*/
|
|
tls.handleUnexpected = function(c, record) {
|
|
// if connection is client and closed, ignore unexpected messages
|
|
var ignore = (!c.open && c.entity === tls.ConnectionEnd.client);
|
|
if(!ignore) {
|
|
c.error(c, {
|
|
message: 'Unexpected message. Received TLS record out of order.',
|
|
send: true,
|
|
alert: {
|
|
level: tls.Alert.Level.fatal,
|
|
description: tls.Alert.Description.unexpected_message
|
|
}
|
|
});
|
|
}
|
|
};
|
|
|
|
/**
|
|
* Called when a client receives a HelloRequest record.
|
|
*
|
|
* @param c the connection.
|
|
* @param record the record.
|
|
* @param length the length of the handshake message.
|
|
*/
|
|
tls.handleHelloRequest = function(c, record, length) {
|
|
// ignore renegotiation requests from the server during a handshake, but
|
|
// if handshaking, send a warning alert that renegotation is denied
|
|
if(!c.handshaking && c.handshakes > 0) {
|
|
// send alert warning
|
|
tls.queue(c, tls.createAlert(c, {
|
|
level: tls.Alert.Level.warning,
|
|
description: tls.Alert.Description.no_renegotiation
|
|
}));
|
|
tls.flush(c);
|
|
}
|
|
|
|
// continue
|
|
c.process();
|
|
};
|
|
|
|
/**
|
|
* Parses a hello message from a ClientHello or ServerHello record.
|
|
*
|
|
* @param record the record to parse.
|
|
*
|
|
* @return the parsed message.
|
|
*/
|
|
tls.parseHelloMessage = function(c, record, length) {
|
|
var msg = null;
|
|
|
|
var client = (c.entity === tls.ConnectionEnd.client);
|
|
|
|
// minimum of 38 bytes in message
|
|
if(length < 38) {
|
|
c.error(c, {
|
|
message: client ?
|
|
'Invalid ServerHello message. Message too short.' :
|
|
'Invalid ClientHello message. Message too short.',
|
|
send: true,
|
|
alert: {
|
|
level: tls.Alert.Level.fatal,
|
|
description: tls.Alert.Description.illegal_parameter
|
|
}
|
|
});
|
|
} else {
|
|
// use 'remaining' to calculate # of remaining bytes in the message
|
|
var b = record.fragment;
|
|
var remaining = b.length();
|
|
msg = {
|
|
version: {
|
|
major: b.getByte(),
|
|
minor: b.getByte()
|
|
},
|
|
random: forge.util.createBuffer(b.getBytes(32)),
|
|
session_id: readVector(b, 1),
|
|
extensions: []
|
|
};
|
|
if(client) {
|
|
msg.cipher_suite = b.getBytes(2);
|
|
msg.compression_method = b.getByte();
|
|
} else {
|
|
msg.cipher_suites = readVector(b, 2);
|
|
msg.compression_methods = readVector(b, 1);
|
|
}
|
|
|
|
// read extensions if there are any bytes left in the message
|
|
remaining = length - (remaining - b.length());
|
|
if(remaining > 0) {
|
|
// parse extensions
|
|
var exts = readVector(b, 2);
|
|
while(exts.length() > 0) {
|
|
msg.extensions.push({
|
|
type: [exts.getByte(), exts.getByte()],
|
|
data: readVector(exts, 2)
|
|
});
|
|
}
|
|
|
|
// TODO: make extension support modular
|
|
if(!client) {
|
|
for(var i = 0; i < msg.extensions.length; ++i) {
|
|
var ext = msg.extensions[i];
|
|
|
|
// support SNI extension
|
|
if(ext.type[0] === 0x00 && ext.type[1] === 0x00) {
|
|
// get server name list
|
|
var snl = readVector(ext.data, 2);
|
|
while(snl.length() > 0) {
|
|
// read server name type
|
|
var snType = snl.getByte();
|
|
|
|
// only HostName type (0x00) is known, break out if
|
|
// another type is detected
|
|
if(snType !== 0x00) {
|
|
break;
|
|
}
|
|
|
|
// add host name to server name list
|
|
c.session.extensions.server_name.serverNameList.push(
|
|
readVector(snl, 2).getBytes());
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
// version already set, do not allow version change
|
|
if(c.session.version) {
|
|
if(msg.version.major !== c.session.version.major ||
|
|
msg.version.minor !== c.session.version.minor) {
|
|
return c.error(c, {
|
|
message: 'TLS version change is disallowed during renegotiation.',
|
|
send: true,
|
|
alert: {
|
|
level: tls.Alert.Level.fatal,
|
|
description: tls.Alert.Description.protocol_version
|
|
}
|
|
});
|
|
}
|
|
}
|
|
|
|
// get the chosen (ServerHello) cipher suite
|
|
if(client) {
|
|
// FIXME: should be checking configured acceptable cipher suites
|
|
c.session.cipherSuite = tls.getCipherSuite(msg.cipher_suite);
|
|
} else {
|
|
// get a supported preferred (ClientHello) cipher suite
|
|
// choose the first supported cipher suite
|
|
var tmp = forge.util.createBuffer(msg.cipher_suites.bytes());
|
|
while(tmp.length() > 0) {
|
|
// FIXME: should be checking configured acceptable suites
|
|
// cipher suites take up 2 bytes
|
|
c.session.cipherSuite = tls.getCipherSuite(tmp.getBytes(2));
|
|
if(c.session.cipherSuite !== null) {
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
|
|
// cipher suite not supported
|
|
if(c.session.cipherSuite === null) {
|
|
return c.error(c, {
|
|
message: 'No cipher suites in common.',
|
|
send: true,
|
|
alert: {
|
|
level: tls.Alert.Level.fatal,
|
|
description: tls.Alert.Description.handshake_failure
|
|
},
|
|
cipherSuite: forge.util.bytesToHex(msg.cipher_suite)
|
|
});
|
|
}
|
|
|
|
// TODO: handle compression methods
|
|
if(client) {
|
|
c.session.compressionMethod = msg.compression_method;
|
|
} else {
|
|
// no compression
|
|
c.session.compressionMethod = tls.CompressionMethod.none;
|
|
}
|
|
}
|
|
|
|
return msg;
|
|
};
|
|
|
|
/**
|
|
* Creates security parameters for the given connection based on the given
|
|
* hello message.
|
|
*
|
|
* @param c the TLS connection.
|
|
* @param msg the hello message.
|
|
*/
|
|
tls.createSecurityParameters = function(c, msg) {
|
|
/* Note: security params are from TLS 1.2, some values like prf_algorithm
|
|
are ignored for TLS 1.0/1.1 and the builtin as specified in the spec is
|
|
used. */
|
|
|
|
// TODO: handle other options from server when more supported
|
|
|
|
// get client and server randoms
|
|
var client = (c.entity === tls.ConnectionEnd.client);
|
|
var msgRandom = msg.random.bytes();
|
|
var cRandom = client ? c.session.sp.client_random : msgRandom;
|
|
var sRandom = client ? msgRandom : tls.createRandom().getBytes();
|
|
|
|
// create new security parameters
|
|
c.session.sp = {
|
|
entity: c.entity,
|
|
prf_algorithm: tls.PRFAlgorithm.tls_prf_sha256,
|
|
bulk_cipher_algorithm: null,
|
|
cipher_type: null,
|
|
enc_key_length: null,
|
|
block_length: null,
|
|
fixed_iv_length: null,
|
|
record_iv_length: null,
|
|
mac_algorithm: null,
|
|
mac_length: null,
|
|
mac_key_length: null,
|
|
compression_algorithm: c.session.compressionMethod,
|
|
pre_master_secret: null,
|
|
master_secret: null,
|
|
client_random: cRandom,
|
|
server_random: sRandom
|
|
};
|
|
};
|
|
|
|
/**
|
|
* Called when a client receives a ServerHello record.
|
|
*
|
|
* When a ServerHello message will be sent:
|
|
* The server will send this message in response to a client hello message
|
|
* when it was able to find an acceptable set of algorithms. If it cannot
|
|
* find such a match, it will respond with a handshake failure alert.
|
|
*
|
|
* uint24 length;
|
|
* struct {
|
|
* ProtocolVersion server_version;
|
|
* Random random;
|
|
* SessionID session_id;
|
|
* CipherSuite cipher_suite;
|
|
* CompressionMethod compression_method;
|
|
* select(extensions_present) {
|
|
* case false:
|
|
* struct {};
|
|
* case true:
|
|
* Extension extensions<0..2^16-1>;
|
|
* };
|
|
* } ServerHello;
|
|
*
|
|
* @param c the connection.
|
|
* @param record the record.
|
|
* @param length the length of the handshake message.
|
|
*/
|
|
tls.handleServerHello = function(c, record, length) {
|
|
var msg = tls.parseHelloMessage(c, record, length);
|
|
if(c.fail) {
|
|
return;
|
|
}
|
|
|
|
// ensure server version is compatible
|
|
if(msg.version.minor <= c.version.minor) {
|
|
c.version.minor = msg.version.minor;
|
|
} else {
|
|
return c.error(c, {
|
|
message: 'Incompatible TLS version.',
|
|
send: true,
|
|
alert: {
|
|
level: tls.Alert.Level.fatal,
|
|
description: tls.Alert.Description.protocol_version
|
|
}
|
|
});
|
|
}
|
|
|
|
// indicate session version has been set
|
|
c.session.version = c.version;
|
|
|
|
// get the session ID from the message
|
|
var sessionId = msg.session_id.bytes();
|
|
|
|
// if the session ID is not blank and matches the cached one, resume
|
|
// the session
|
|
if(sessionId.length > 0 && sessionId === c.session.id) {
|
|
// resuming session, expect a ChangeCipherSpec next
|
|
c.expect = SCC;
|
|
c.session.resuming = true;
|
|
|
|
// get new server random
|
|
c.session.sp.server_random = msg.random.bytes();
|
|
} else {
|
|
// not resuming, expect a server Certificate message next
|
|
c.expect = SCE;
|
|
c.session.resuming = false;
|
|
|
|
// create new security parameters
|
|
tls.createSecurityParameters(c, msg);
|
|
}
|
|
|
|
// set new session ID
|
|
c.session.id = sessionId;
|
|
|
|
// continue
|
|
c.process();
|
|
};
|
|
|
|
/**
|
|
* Called when a server receives a ClientHello record.
|
|
*
|
|
* When a ClientHello message will be sent:
|
|
* When a client first connects to a server it is required to send the
|
|
* client hello as its first message. The client can also send a client
|
|
* hello in response to a hello request or on its own initiative in order
|
|
* to renegotiate the security parameters in an existing connection.
|
|
*
|
|
* @param c the connection.
|
|
* @param record the record.
|
|
* @param length the length of the handshake message.
|
|
*/
|
|
tls.handleClientHello = function(c, record, length) {
|
|
var msg = tls.parseHelloMessage(c, record, length);
|
|
if(c.fail) {
|
|
return;
|
|
}
|
|
|
|
// get the session ID from the message
|
|
var sessionId = msg.session_id.bytes();
|
|
|
|
// see if the given session ID is in the cache
|
|
var session = null;
|
|
if(c.sessionCache) {
|
|
session = c.sessionCache.getSession(sessionId);
|
|
if(session === null) {
|
|
// session ID not found
|
|
sessionId = '';
|
|
} else if(session.version.major !== msg.version.major ||
|
|
session.version.minor > msg.version.minor) {
|
|
// if session version is incompatible with client version, do not resume
|
|
session = null;
|
|
sessionId = '';
|
|
}
|
|
}
|
|
|
|
// no session found to resume, generate a new session ID
|
|
if(sessionId.length === 0) {
|
|
sessionId = forge.random.getBytes(32);
|
|
}
|
|
|
|
// update session
|
|
c.session.id = sessionId;
|
|
c.session.clientHelloVersion = msg.version;
|
|
c.session.sp = {};
|
|
if(session) {
|
|
// use version and security parameters from resumed session
|
|
c.version = c.session.version = session.version;
|
|
c.session.sp = session.sp;
|
|
} else {
|
|
// use highest compatible minor version
|
|
var version;
|
|
for(var i = 1; i < tls.SupportedVersions.length; ++i) {
|
|
version = tls.SupportedVersions[i];
|
|
if(version.minor <= msg.version.minor) {
|
|
break;
|
|
}
|
|
}
|
|
c.version = {major: version.major, minor: version.minor};
|
|
c.session.version = c.version;
|
|
}
|
|
|
|
// if a session is set, resume it
|
|
if(session !== null) {
|
|
// resuming session, expect a ChangeCipherSpec next
|
|
c.expect = CCC;
|
|
c.session.resuming = true;
|
|
|
|
// get new client random
|
|
c.session.sp.client_random = msg.random.bytes();
|
|
} else {
|
|
// not resuming, expect a Certificate or ClientKeyExchange
|
|
c.expect = (c.verifyClient !== false) ? CCE : CKE;
|
|
c.session.resuming = false;
|
|
|
|
// create new security parameters
|
|
tls.createSecurityParameters(c, msg);
|
|
}
|
|
|
|
// connection now open
|
|
c.open = true;
|
|
|
|
// queue server hello
|
|
tls.queue(c, tls.createRecord(c, {
|
|
type: tls.ContentType.handshake,
|
|
data: tls.createServerHello(c)
|
|
}));
|
|
|
|
if(c.session.resuming) {
|
|
// queue change cipher spec message
|
|
tls.queue(c, tls.createRecord(c, {
|
|
type: tls.ContentType.change_cipher_spec,
|
|
data: tls.createChangeCipherSpec()
|
|
}));
|
|
|
|
// create pending state
|
|
c.state.pending = tls.createConnectionState(c);
|
|
|
|
// change current write state to pending write state
|
|
c.state.current.write = c.state.pending.write;
|
|
|
|
// queue finished
|
|
tls.queue(c, tls.createRecord(c, {
|
|
type: tls.ContentType.handshake,
|
|
data: tls.createFinished(c)
|
|
}));
|
|
} else {
|
|
// queue server certificate
|
|
tls.queue(c, tls.createRecord(c, {
|
|
type: tls.ContentType.handshake,
|
|
data: tls.createCertificate(c)
|
|
}));
|
|
|
|
if(!c.fail) {
|
|
// queue server key exchange
|
|
tls.queue(c, tls.createRecord(c, {
|
|
type: tls.ContentType.handshake,
|
|
data: tls.createServerKeyExchange(c)
|
|
}));
|
|
|
|
// request client certificate if set
|
|
if(c.verifyClient !== false) {
|
|
// queue certificate request
|
|
tls.queue(c, tls.createRecord(c, {
|
|
type: tls.ContentType.handshake,
|
|
data: tls.createCertificateRequest(c)
|
|
}));
|
|
}
|
|
|
|
// queue server hello done
|
|
tls.queue(c, tls.createRecord(c, {
|
|
type: tls.ContentType.handshake,
|
|
data: tls.createServerHelloDone(c)
|
|
}));
|
|
}
|
|
}
|
|
|
|
// send records
|
|
tls.flush(c);
|
|
|
|
// continue
|
|
c.process();
|
|
};
|
|
|
|
/**
|
|
* Called when a client receives a Certificate record.
|
|
*
|
|
* When this message will be sent:
|
|
* The server must send a certificate whenever the agreed-upon key exchange
|
|
* method is not an anonymous one. This message will always immediately
|
|
* follow the server hello message.
|
|
*
|
|
* Meaning of this message:
|
|
* The certificate type must be appropriate for the selected cipher suite's
|
|
* key exchange algorithm, and is generally an X.509v3 certificate. It must
|
|
* contain a key which matches the key exchange method, as follows. Unless
|
|
* otherwise specified, the signing algorithm for the certificate must be
|
|
* the same as the algorithm for the certificate key. Unless otherwise
|
|
* specified, the public key may be of any length.
|
|
*
|
|
* opaque ASN.1Cert<1..2^24-1>;
|
|
* struct {
|
|
* ASN.1Cert certificate_list<1..2^24-1>;
|
|
* } Certificate;
|
|
*
|
|
* @param c the connection.
|
|
* @param record the record.
|
|
* @param length the length of the handshake message.
|
|
*/
|
|
tls.handleCertificate = function(c, record, length) {
|
|
// minimum of 3 bytes in message
|
|
if(length < 3) {
|
|
return c.error(c, {
|
|
message: 'Invalid Certificate message. Message too short.',
|
|
send: true,
|
|
alert: {
|
|
level: tls.Alert.Level.fatal,
|
|
description: tls.Alert.Description.illegal_parameter
|
|
}
|
|
});
|
|
}
|
|
|
|
var b = record.fragment;
|
|
var msg = {
|
|
certificate_list: readVector(b, 3)
|
|
};
|
|
|
|
/* The sender's certificate will be first in the list (chain), each
|
|
subsequent one that follows will certify the previous one, but root
|
|
certificates (self-signed) that specify the certificate authority may
|
|
be omitted under the assumption that clients must already possess it. */
|
|
var cert, asn1;
|
|
var certs = [];
|
|
try {
|
|
while(msg.certificate_list.length() > 0) {
|
|
// each entry in msg.certificate_list is a vector with 3 len bytes
|
|
cert = readVector(msg.certificate_list, 3);
|
|
asn1 = forge.asn1.fromDer(cert);
|
|
cert = forge.pki.certificateFromAsn1(asn1, true);
|
|
certs.push(cert);
|
|
}
|
|
} catch(ex) {
|
|
return c.error(c, {
|
|
message: 'Could not parse certificate list.',
|
|
cause: ex,
|
|
send: true,
|
|
alert: {
|
|
level: tls.Alert.Level.fatal,
|
|
description: tls.Alert.Description.bad_certificate
|
|
}
|
|
});
|
|
}
|
|
|
|
// ensure at least 1 certificate was provided if in client-mode
|
|
// or if verifyClient was set to true to require a certificate
|
|
// (as opposed to 'optional')
|
|
var client = (c.entity === tls.ConnectionEnd.client);
|
|
if((client || c.verifyClient === true) && certs.length === 0) {
|
|
// error, no certificate
|
|
c.error(c, {
|
|
message: client ?
|
|
'No server certificate provided.' :
|
|
'No client certificate provided.',
|
|
send: true,
|
|
alert: {
|
|
level: tls.Alert.Level.fatal,
|
|
description: tls.Alert.Description.illegal_parameter
|
|
}
|
|
});
|
|
} else if(certs.length === 0) {
|
|
// no certs to verify
|
|
// expect a ServerKeyExchange or ClientKeyExchange message next
|
|
c.expect = client ? SKE : CKE;
|
|
} else {
|
|
// save certificate in session
|
|
if(client) {
|
|
c.session.serverCertificate = certs[0];
|
|
} else {
|
|
c.session.clientCertificate = certs[0];
|
|
}
|
|
|
|
if(tls.verifyCertificateChain(c, certs)) {
|
|
// expect a ServerKeyExchange or ClientKeyExchange message next
|
|
c.expect = client ? SKE : CKE;
|
|
}
|
|
}
|
|
|
|
// continue
|
|
c.process();
|
|
};
|
|
|
|
/**
|
|
* Called when a client receives a ServerKeyExchange record.
|
|
*
|
|
* When this message will be sent:
|
|
* This message will be sent immediately after the server certificate
|
|
* message (or the server hello message, if this is an anonymous
|
|
* negotiation).
|
|
*
|
|
* The server key exchange message is sent by the server only when the
|
|
* server certificate message (if sent) does not contain enough data to
|
|
* allow the client to exchange a premaster secret.
|
|
*
|
|
* Meaning of this message:
|
|
* This message conveys cryptographic information to allow the client to
|
|
* communicate the premaster secret: either an RSA public key to encrypt
|
|
* the premaster secret with, or a Diffie-Hellman public key with which the
|
|
* client can complete a key exchange (with the result being the premaster
|
|
* secret.)
|
|
*
|
|
* enum {
|
|
* dhe_dss, dhe_rsa, dh_anon, rsa, dh_dss, dh_rsa
|
|
* } KeyExchangeAlgorithm;
|
|
*
|
|
* struct {
|
|
* opaque dh_p<1..2^16-1>;
|
|
* opaque dh_g<1..2^16-1>;
|
|
* opaque dh_Ys<1..2^16-1>;
|
|
* } ServerDHParams;
|
|
*
|
|
* struct {
|
|
* select(KeyExchangeAlgorithm) {
|
|
* case dh_anon:
|
|
* ServerDHParams params;
|
|
* case dhe_dss:
|
|
* case dhe_rsa:
|
|
* ServerDHParams params;
|
|
* digitally-signed struct {
|
|
* opaque client_random[32];
|
|
* opaque server_random[32];
|
|
* ServerDHParams params;
|
|
* } signed_params;
|
|
* case rsa:
|
|
* case dh_dss:
|
|
* case dh_rsa:
|
|
* struct {};
|
|
* };
|
|
* } ServerKeyExchange;
|
|
*
|
|
* @param c the connection.
|
|
* @param record the record.
|
|
* @param length the length of the handshake message.
|
|
*/
|
|
tls.handleServerKeyExchange = function(c, record, length) {
|
|
// this implementation only supports RSA, no Diffie-Hellman support
|
|
// so any length > 0 is invalid
|
|
if(length > 0) {
|
|
return c.error(c, {
|
|
message: 'Invalid key parameters. Only RSA is supported.',
|
|
send: true,
|
|
alert: {
|
|
level: tls.Alert.Level.fatal,
|
|
description: tls.Alert.Description.unsupported_certificate
|
|
}
|
|
});
|
|
}
|
|
|
|
// expect an optional CertificateRequest message next
|
|
c.expect = SCR;
|
|
|
|
// continue
|
|
c.process();
|
|
};
|
|
|
|
/**
|
|
* Called when a client receives a ClientKeyExchange record.
|
|
*
|
|
* @param c the connection.
|
|
* @param record the record.
|
|
* @param length the length of the handshake message.
|
|
*/
|
|
tls.handleClientKeyExchange = function(c, record, length) {
|
|
// this implementation only supports RSA, no Diffie-Hellman support
|
|
// so any length < 48 is invalid
|
|
if(length < 48) {
|
|
return c.error(c, {
|
|
message: 'Invalid key parameters. Only RSA is supported.',
|
|
send: true,
|
|
alert: {
|
|
level: tls.Alert.Level.fatal,
|
|
description: tls.Alert.Description.unsupported_certificate
|
|
}
|
|
});
|
|
}
|
|
|
|
var b = record.fragment;
|
|
var msg = {
|
|
enc_pre_master_secret: readVector(b, 2).getBytes()
|
|
};
|
|
|
|
// do rsa decryption
|
|
var privateKey = null;
|
|
if(c.getPrivateKey) {
|
|
try {
|
|
privateKey = c.getPrivateKey(c, c.session.serverCertificate);
|
|
privateKey = forge.pki.privateKeyFromPem(privateKey);
|
|
} catch(ex) {
|
|
c.error(c, {
|
|
message: 'Could not get private key.',
|
|
cause: ex,
|
|
send: true,
|
|
alert: {
|
|
level: tls.Alert.Level.fatal,
|
|
description: tls.Alert.Description.internal_error
|
|
}
|
|
});
|
|
}
|
|
}
|
|
|
|
if(privateKey === null) {
|
|
return c.error(c, {
|
|
message: 'No private key set.',
|
|
send: true,
|
|
alert: {
|
|
level: tls.Alert.Level.fatal,
|
|
description: tls.Alert.Description.internal_error
|
|
}
|
|
});
|
|
}
|
|
|
|
try {
|
|
// decrypt 48-byte pre-master secret
|
|
var sp = c.session.sp;
|
|
sp.pre_master_secret = privateKey.decrypt(msg.enc_pre_master_secret);
|
|
|
|
// ensure client hello version matches first 2 bytes
|
|
var version = c.session.clientHelloVersion;
|
|
if(version.major !== sp.pre_master_secret.charCodeAt(0) ||
|
|
version.minor !== sp.pre_master_secret.charCodeAt(1)) {
|
|
// error, do not send alert (see BLEI attack below)
|
|
throw new Error('TLS version rollback attack detected.');
|
|
}
|
|
} catch(ex) {
|
|
/* Note: Daniel Bleichenbacher [BLEI] can be used to attack a
|
|
TLS server which is using PKCS#1 encoded RSA, so instead of
|
|
failing here, we generate 48 random bytes and use that as
|
|
the pre-master secret. */
|
|
sp.pre_master_secret = forge.random.getBytes(48);
|
|
}
|
|
|
|
// expect a CertificateVerify message if a Certificate was received that
|
|
// does not have fixed Diffie-Hellman params, otherwise expect
|
|
// ChangeCipherSpec
|
|
c.expect = CCC;
|
|
if(c.session.clientCertificate !== null) {
|
|
// only RSA support, so expect CertificateVerify
|
|
// TODO: support Diffie-Hellman
|
|
c.expect = CCV;
|
|
}
|
|
|
|
// continue
|
|
c.process();
|
|
};
|
|
|
|
/**
|
|
* Called when a client receives a CertificateRequest record.
|
|
*
|
|
* When this message will be sent:
|
|
* A non-anonymous server can optionally request a certificate from the
|
|
* client, if appropriate for the selected cipher suite. This message, if
|
|
* sent, will immediately follow the Server Key Exchange message (if it is
|
|
* sent; otherwise, the Server Certificate message).
|
|
*
|
|
* enum {
|
|
* rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4),
|
|
* rsa_ephemeral_dh_RESERVED(5), dss_ephemeral_dh_RESERVED(6),
|
|
* fortezza_dms_RESERVED(20), (255)
|
|
* } ClientCertificateType;
|
|
*
|
|
* opaque DistinguishedName<1..2^16-1>;
|
|
*
|
|
* struct {
|
|
* ClientCertificateType certificate_types<1..2^8-1>;
|
|
* SignatureAndHashAlgorithm supported_signature_algorithms<2^16-1>;
|
|
* DistinguishedName certificate_authorities<0..2^16-1>;
|
|
* } CertificateRequest;
|
|
*
|
|
* @param c the connection.
|
|
* @param record the record.
|
|
* @param length the length of the handshake message.
|
|
*/
|
|
tls.handleCertificateRequest = function(c, record, length) {
|
|
// minimum of 3 bytes in message
|
|
if(length < 3) {
|
|
return c.error(c, {
|
|
message: 'Invalid CertificateRequest. Message too short.',
|
|
send: true,
|
|
alert: {
|
|
level: tls.Alert.Level.fatal,
|
|
description: tls.Alert.Description.illegal_parameter
|
|
}
|
|
});
|
|
}
|
|
|
|
// TODO: TLS 1.2+ has different format including
|
|
// SignatureAndHashAlgorithm after cert types
|
|
var b = record.fragment;
|
|
var msg = {
|
|
certificate_types: readVector(b, 1),
|
|
certificate_authorities: readVector(b, 2)
|
|
};
|
|
|
|
// save certificate request in session
|
|
c.session.certificateRequest = msg;
|
|
|
|
// expect a ServerHelloDone message next
|
|
c.expect = SHD;
|
|
|
|
// continue
|
|
c.process();
|
|
};
|
|
|
|
/**
|
|
* Called when a server receives a CertificateVerify record.
|
|
*
|
|
* @param c the connection.
|
|
* @param record the record.
|
|
* @param length the length of the handshake message.
|
|
*/
|
|
tls.handleCertificateVerify = function(c, record, length) {
|
|
if(length < 2) {
|
|
return c.error(c, {
|
|
message: 'Invalid CertificateVerify. Message too short.',
|
|
send: true,
|
|
alert: {
|
|
level: tls.Alert.Level.fatal,
|
|
description: tls.Alert.Description.illegal_parameter
|
|
}
|
|
});
|
|
}
|
|
|
|
// rewind to get full bytes for message so it can be manually
|
|
// digested below (special case for CertificateVerify messages because
|
|
// they must be digested *after* handling as opposed to all others)
|
|
var b = record.fragment;
|
|
b.read -= 4;
|
|
var msgBytes = b.bytes();
|
|
b.read += 4;
|
|
|
|
var msg = {
|
|
signature: readVector(b, 2).getBytes()
|
|
};
|
|
|
|
// TODO: add support for DSA
|
|
|
|
// generate data to verify
|
|
var verify = forge.util.createBuffer();
|
|
verify.putBuffer(c.session.md5.digest());
|
|
verify.putBuffer(c.session.sha1.digest());
|
|
verify = verify.getBytes();
|
|
|
|
try {
|
|
var cert = c.session.clientCertificate;
|
|
/*b = forge.pki.rsa.decrypt(
|
|
msg.signature, cert.publicKey, true, verify.length);
|
|
if(b !== verify) {*/
|
|
if(!cert.publicKey.verify(verify, msg.signature, 'NONE')) {
|
|
throw new Error('CertificateVerify signature does not match.');
|
|
}
|
|
|
|
// digest message now that it has been handled
|
|
c.session.md5.update(msgBytes);
|
|
c.session.sha1.update(msgBytes);
|
|
} catch(ex) {
|
|
return c.error(c, {
|
|
message: 'Bad signature in CertificateVerify.',
|
|
send: true,
|
|
alert: {
|
|
level: tls.Alert.Level.fatal,
|
|
description: tls.Alert.Description.handshake_failure
|
|
}
|
|
});
|
|
}
|
|
|
|
// expect ChangeCipherSpec
|
|
c.expect = CCC;
|
|
|
|
// continue
|
|
c.process();
|
|
};
|
|
|
|
/**
|
|
* Called when a client receives a ServerHelloDone record.
|
|
*
|
|
* When this message will be sent:
|
|
* The server hello done message is sent by the server to indicate the end
|
|
* of the server hello and associated messages. After sending this message
|
|
* the server will wait for a client response.
|
|
*
|
|
* Meaning of this message:
|
|
* This message means that the server is done sending messages to support
|
|
* the key exchange, and the client can proceed with its phase of the key
|
|
* exchange.
|
|
*
|
|
* Upon receipt of the server hello done message the client should verify
|
|
* that the server provided a valid certificate if required and check that
|
|
* the server hello parameters are acceptable.
|
|
*
|
|
* struct {} ServerHelloDone;
|
|
*
|
|
* @param c the connection.
|
|
* @param record the record.
|
|
* @param length the length of the handshake message.
|
|
*/
|
|
tls.handleServerHelloDone = function(c, record, length) {
|
|
// len must be 0 bytes
|
|
if(length > 0) {
|
|
return c.error(c, {
|
|
message: 'Invalid ServerHelloDone message. Invalid length.',
|
|
send: true,
|
|
alert: {
|
|
level: tls.Alert.Level.fatal,
|
|
description: tls.Alert.Description.record_overflow
|
|
}
|
|
});
|
|
}
|
|
|
|
if(c.serverCertificate === null) {
|
|
// no server certificate was provided
|
|
var error = {
|
|
message: 'No server certificate provided. Not enough security.',
|
|
send: true,
|
|
alert: {
|
|
level: tls.Alert.Level.fatal,
|
|
description: tls.Alert.Description.insufficient_security
|
|
}
|
|
};
|
|
|
|
// call application callback
|
|
var depth = 0;
|
|
var ret = c.verify(c, error.alert.description, depth, []);
|
|
if(ret !== true) {
|
|
// check for custom alert info
|
|
if(ret || ret === 0) {
|
|
// set custom message and alert description
|
|
if(typeof ret === 'object' && !forge.util.isArray(ret)) {
|
|
if(ret.message) {
|
|
error.message = ret.message;
|
|
}
|
|
if(ret.alert) {
|
|
error.alert.description = ret.alert;
|
|
}
|
|
} else if(typeof ret === 'number') {
|
|
// set custom alert description
|
|
error.alert.description = ret;
|
|
}
|
|
}
|
|
|
|
// send error
|
|
return c.error(c, error);
|
|
}
|
|
}
|
|
|
|
// create client certificate message if requested
|
|
if(c.session.certificateRequest !== null) {
|
|
record = tls.createRecord(c, {
|
|
type: tls.ContentType.handshake,
|
|
data: tls.createCertificate(c)
|
|
});
|
|
tls.queue(c, record);
|
|
}
|
|
|
|
// create client key exchange message
|
|
record = tls.createRecord(c, {
|
|
type: tls.ContentType.handshake,
|
|
data: tls.createClientKeyExchange(c)
|
|
});
|
|
tls.queue(c, record);
|
|
|
|
// expect no messages until the following callback has been called
|
|
c.expect = SER;
|
|
|
|
// create callback to handle client signature (for client-certs)
|
|
var callback = function(c, signature) {
|
|
if(c.session.certificateRequest !== null &&
|
|
c.session.clientCertificate !== null) {
|
|
// create certificate verify message
|
|
tls.queue(c, tls.createRecord(c, {
|
|
type: tls.ContentType.handshake,
|
|
data: tls.createCertificateVerify(c, signature)
|
|
}));
|
|
}
|
|
|
|
// create change cipher spec message
|
|
tls.queue(c, tls.createRecord(c, {
|
|
type: tls.ContentType.change_cipher_spec,
|
|
data: tls.createChangeCipherSpec()
|
|
}));
|
|
|
|
// create pending state
|
|
c.state.pending = tls.createConnectionState(c);
|
|
|
|
// change current write state to pending write state
|
|
c.state.current.write = c.state.pending.write;
|
|
|
|
// create finished message
|
|
tls.queue(c, tls.createRecord(c, {
|
|
type: tls.ContentType.handshake,
|
|
data: tls.createFinished(c)
|
|
}));
|
|
|
|
// expect a server ChangeCipherSpec message next
|
|
c.expect = SCC;
|
|
|
|
// send records
|
|
tls.flush(c);
|
|
|
|
// continue
|
|
c.process();
|
|
};
|
|
|
|
// if there is no certificate request or no client certificate, do
|
|
// callback immediately
|
|
if(c.session.certificateRequest === null ||
|
|
c.session.clientCertificate === null) {
|
|
return callback(c, null);
|
|
}
|
|
|
|
// otherwise get the client signature
|
|
tls.getClientSignature(c, callback);
|
|
};
|
|
|
|
/**
|
|
* Called when a ChangeCipherSpec record is received.
|
|
*
|
|
* @param c the connection.
|
|
* @param record the record.
|
|
*/
|
|
tls.handleChangeCipherSpec = function(c, record) {
|
|
if(record.fragment.getByte() !== 0x01) {
|
|
return c.error(c, {
|
|
message: 'Invalid ChangeCipherSpec message received.',
|
|
send: true,
|
|
alert: {
|
|
level: tls.Alert.Level.fatal,
|
|
description: tls.Alert.Description.illegal_parameter
|
|
}
|
|
});
|
|
}
|
|
|
|
// create pending state if:
|
|
// 1. Resuming session in client mode OR
|
|
// 2. NOT resuming session in server mode
|
|
var client = (c.entity === tls.ConnectionEnd.client);
|
|
if((c.session.resuming && client) || (!c.session.resuming && !client)) {
|
|
c.state.pending = tls.createConnectionState(c);
|
|
}
|
|
|
|
// change current read state to pending read state
|
|
c.state.current.read = c.state.pending.read;
|
|
|
|
// clear pending state if:
|
|
// 1. NOT resuming session in client mode OR
|
|
// 2. resuming a session in server mode
|
|
if((!c.session.resuming && client) || (c.session.resuming && !client)) {
|
|
c.state.pending = null;
|
|
}
|
|
|
|
// expect a Finished record next
|
|
c.expect = client ? SFI : CFI;
|
|
|
|
// continue
|
|
c.process();
|
|
};
|
|
|
|
/**
|
|
* Called when a Finished record is received.
|
|
*
|
|
* When this message will be sent:
|
|
* A finished message is always sent immediately after a change
|
|
* cipher spec message to verify that the key exchange and
|
|
* authentication processes were successful. It is essential that a
|
|
* change cipher spec message be received between the other
|
|
* handshake messages and the Finished message.
|
|
*
|
|
* Meaning of this message:
|
|
* The finished message is the first protected with the just-
|
|
* negotiated algorithms, keys, and secrets. Recipients of finished
|
|
* messages must verify that the contents are correct. Once a side
|
|
* has sent its Finished message and received and validated the
|
|
* Finished message from its peer, it may begin to send and receive
|
|
* application data over the connection.
|
|
*
|
|
* struct {
|
|
* opaque verify_data[verify_data_length];
|
|
* } Finished;
|
|
*
|
|
* verify_data
|
|
* PRF(master_secret, finished_label, Hash(handshake_messages))
|
|
* [0..verify_data_length-1];
|
|
*
|
|
* finished_label
|
|
* For Finished messages sent by the client, the string
|
|
* "client finished". For Finished messages sent by the server, the
|
|
* string "server finished".
|
|
*
|
|
* verify_data_length depends on the cipher suite. If it is not specified
|
|
* by the cipher suite, then it is 12. Versions of TLS < 1.2 always used
|
|
* 12 bytes.
|
|
*
|
|
* @param c the connection.
|
|
* @param record the record.
|
|
* @param length the length of the handshake message.
|
|
*/
|
|
tls.handleFinished = function(c, record, length) {
|
|
// rewind to get full bytes for message so it can be manually
|
|
// digested below (special case for Finished messages because they
|
|
// must be digested *after* handling as opposed to all others)
|
|
var b = record.fragment;
|
|
b.read -= 4;
|
|
var msgBytes = b.bytes();
|
|
b.read += 4;
|
|
|
|
// message contains only verify_data
|
|
var vd = record.fragment.getBytes();
|
|
|
|
// ensure verify data is correct
|
|
b = forge.util.createBuffer();
|
|
b.putBuffer(c.session.md5.digest());
|
|
b.putBuffer(c.session.sha1.digest());
|
|
|
|
// set label based on entity type
|
|
var client = (c.entity === tls.ConnectionEnd.client);
|
|
var label = client ? 'server finished' : 'client finished';
|
|
|
|
// TODO: determine prf function and verify length for TLS 1.2
|
|
var sp = c.session.sp;
|
|
var vdl = 12;
|
|
var prf = prf_TLS1;
|
|
b = prf(sp.master_secret, label, b.getBytes(), vdl);
|
|
if(b.getBytes() !== vd) {
|
|
return c.error(c, {
|
|
message: 'Invalid verify_data in Finished message.',
|
|
send: true,
|
|
alert: {
|
|
level: tls.Alert.Level.fatal,
|
|
description: tls.Alert.Description.decrypt_error
|
|
}
|
|
});
|
|
}
|
|
|
|
// digest finished message now that it has been handled
|
|
c.session.md5.update(msgBytes);
|
|
c.session.sha1.update(msgBytes);
|
|
|
|
// resuming session as client or NOT resuming session as server
|
|
if((c.session.resuming && client) || (!c.session.resuming && !client)) {
|
|
// create change cipher spec message
|
|
tls.queue(c, tls.createRecord(c, {
|
|
type: tls.ContentType.change_cipher_spec,
|
|
data: tls.createChangeCipherSpec()
|
|
}));
|
|
|
|
// change current write state to pending write state, clear pending
|
|
c.state.current.write = c.state.pending.write;
|
|
c.state.pending = null;
|
|
|
|
// create finished message
|
|
tls.queue(c, tls.createRecord(c, {
|
|
type: tls.ContentType.handshake,
|
|
data: tls.createFinished(c)
|
|
}));
|
|
}
|
|
|
|
// expect application data next
|
|
c.expect = client ? SAD : CAD;
|
|
|
|
// handshake complete
|
|
c.handshaking = false;
|
|
++c.handshakes;
|
|
|
|
// save access to peer certificate
|
|
c.peerCertificate = client ?
|
|
c.session.serverCertificate : c.session.clientCertificate;
|
|
|
|
// send records
|
|
tls.flush(c);
|
|
|
|
// now connected
|
|
c.isConnected = true;
|
|
c.connected(c);
|
|
|
|
// continue
|
|
c.process();
|
|
};
|
|
|
|
/**
|
|
* Called when an Alert record is received.
|
|
*
|
|
* @param c the connection.
|
|
* @param record the record.
|
|
*/
|
|
tls.handleAlert = function(c, record) {
|
|
// read alert
|
|
var b = record.fragment;
|
|
var alert = {
|
|
level: b.getByte(),
|
|
description: b.getByte()
|
|
};
|
|
|
|
// TODO: consider using a table?
|
|
// get appropriate message
|
|
var msg;
|
|
switch(alert.description) {
|
|
case tls.Alert.Description.close_notify:
|
|
msg = 'Connection closed.';
|
|
break;
|
|
case tls.Alert.Description.unexpected_message:
|
|
msg = 'Unexpected message.';
|
|
break;
|
|
case tls.Alert.Description.bad_record_mac:
|
|
msg = 'Bad record MAC.';
|
|
break;
|
|
case tls.Alert.Description.decryption_failed:
|
|
msg = 'Decryption failed.';
|
|
break;
|
|
case tls.Alert.Description.record_overflow:
|
|
msg = 'Record overflow.';
|
|
break;
|
|
case tls.Alert.Description.decompression_failure:
|
|
msg = 'Decompression failed.';
|
|
break;
|
|
case tls.Alert.Description.handshake_failure:
|
|
msg = 'Handshake failure.';
|
|
break;
|
|
case tls.Alert.Description.bad_certificate:
|
|
msg = 'Bad certificate.';
|
|
break;
|
|
case tls.Alert.Description.unsupported_certificate:
|
|
msg = 'Unsupported certificate.';
|
|
break;
|
|
case tls.Alert.Description.certificate_revoked:
|
|
msg = 'Certificate revoked.';
|
|
break;
|
|
case tls.Alert.Description.certificate_expired:
|
|
msg = 'Certificate expired.';
|
|
break;
|
|
case tls.Alert.Description.certificate_unknown:
|
|
msg = 'Certificate unknown.';
|
|
break;
|
|
case tls.Alert.Description.illegal_parameter:
|
|
msg = 'Illegal parameter.';
|
|
break;
|
|
case tls.Alert.Description.unknown_ca:
|
|
msg = 'Unknown certificate authority.';
|
|
break;
|
|
case tls.Alert.Description.access_denied:
|
|
msg = 'Access denied.';
|
|
break;
|
|
case tls.Alert.Description.decode_error:
|
|
msg = 'Decode error.';
|
|
break;
|
|
case tls.Alert.Description.decrypt_error:
|
|
msg = 'Decrypt error.';
|
|
break;
|
|
case tls.Alert.Description.export_restriction:
|
|
msg = 'Export restriction.';
|
|
break;
|
|
case tls.Alert.Description.protocol_version:
|
|
msg = 'Unsupported protocol version.';
|
|
break;
|
|
case tls.Alert.Description.insufficient_security:
|
|
msg = 'Insufficient security.';
|
|
break;
|
|
case tls.Alert.Description.internal_error:
|
|
msg = 'Internal error.';
|
|
break;
|
|
case tls.Alert.Description.user_canceled:
|
|
msg = 'User canceled.';
|
|
break;
|
|
case tls.Alert.Description.no_renegotiation:
|
|
msg = 'Renegotiation not supported.';
|
|
break;
|
|
default:
|
|
msg = 'Unknown error.';
|
|
break;
|
|
}
|
|
|
|
// close connection on close_notify, not an error
|
|
if(alert.description === tls.Alert.Description.close_notify) {
|
|
return c.close();
|
|
}
|
|
|
|
// call error handler
|
|
c.error(c, {
|
|
message: msg,
|
|
send: false,
|
|
// origin is the opposite end
|
|
origin: (c.entity === tls.ConnectionEnd.client) ? 'server' : 'client',
|
|
alert: alert
|
|
});
|
|
|
|
// continue
|
|
c.process();
|
|
};
|
|
|
|
/**
|
|
* Called when a Handshake record is received.
|
|
*
|
|
* @param c the connection.
|
|
* @param record the record.
|
|
*/
|
|
tls.handleHandshake = function(c, record) {
|
|
// get the handshake type and message length
|
|
var b = record.fragment;
|
|
var type = b.getByte();
|
|
var length = b.getInt24();
|
|
|
|
// see if the record fragment doesn't yet contain the full message
|
|
if(length > b.length()) {
|
|
// cache the record, clear its fragment, and reset the buffer read
|
|
// pointer before the type and length were read
|
|
c.fragmented = record;
|
|
record.fragment = forge.util.createBuffer();
|
|
b.read -= 4;
|
|
|
|
// continue
|
|
return c.process();
|
|
}
|
|
|
|
// full message now available, clear cache, reset read pointer to
|
|
// before type and length
|
|
c.fragmented = null;
|
|
b.read -= 4;
|
|
|
|
// save the handshake bytes for digestion after handler is found
|
|
// (include type and length of handshake msg)
|
|
var bytes = b.bytes(length + 4);
|
|
|
|
// restore read pointer
|
|
b.read += 4;
|
|
|
|
// handle expected message
|
|
if(type in hsTable[c.entity][c.expect]) {
|
|
// initialize server session
|
|
if(c.entity === tls.ConnectionEnd.server && !c.open && !c.fail) {
|
|
c.handshaking = true;
|
|
c.session = {
|
|
version: null,
|
|
extensions: {
|
|
server_name: {
|
|
serverNameList: []
|
|
}
|
|
},
|
|
cipherSuite: null,
|
|
compressionMethod: null,
|
|
serverCertificate: null,
|
|
clientCertificate: null,
|
|
md5: forge.md.md5.create(),
|
|
sha1: forge.md.sha1.create()
|
|
};
|
|
}
|
|
|
|
/* Update handshake messages digest. Finished and CertificateVerify
|
|
messages are not digested here. They can't be digested as part of
|
|
the verify_data that they contain. These messages are manually
|
|
digested in their handlers. HelloRequest messages are simply never
|
|
included in the handshake message digest according to spec. */
|
|
if(type !== tls.HandshakeType.hello_request &&
|
|
type !== tls.HandshakeType.certificate_verify &&
|
|
type !== tls.HandshakeType.finished) {
|
|
c.session.md5.update(bytes);
|
|
c.session.sha1.update(bytes);
|
|
}
|
|
|
|
// handle specific handshake type record
|
|
hsTable[c.entity][c.expect][type](c, record, length);
|
|
} else {
|
|
// unexpected record
|
|
tls.handleUnexpected(c, record);
|
|
}
|
|
};
|
|
|
|
/**
|
|
* Called when an ApplicationData record is received.
|
|
*
|
|
* @param c the connection.
|
|
* @param record the record.
|
|
*/
|
|
tls.handleApplicationData = function(c, record) {
|
|
// buffer data, notify that its ready
|
|
c.data.putBuffer(record.fragment);
|
|
c.dataReady(c);
|
|
|
|
// continue
|
|
c.process();
|
|
};
|
|
|
|
/**
|
|
* Called when a Heartbeat record is received.
|
|
*
|
|
* @param c the connection.
|
|
* @param record the record.
|
|
*/
|
|
tls.handleHeartbeat = function(c, record) {
|
|
// get the heartbeat type and payload
|
|
var b = record.fragment;
|
|
var type = b.getByte();
|
|
var length = b.getInt16();
|
|
var payload = b.getBytes(length);
|
|
|
|
if(type === tls.HeartbeatMessageType.heartbeat_request) {
|
|
// discard request during handshake or if length is too large
|
|
if(c.handshaking || length > payload.length) {
|
|
// continue
|
|
return c.process();
|
|
}
|
|
// retransmit payload
|
|
tls.queue(c, tls.createRecord(c, {
|
|
type: tls.ContentType.heartbeat,
|
|
data: tls.createHeartbeat(
|
|
tls.HeartbeatMessageType.heartbeat_response, payload)
|
|
}));
|
|
tls.flush(c);
|
|
} else if(type === tls.HeartbeatMessageType.heartbeat_response) {
|
|
// check payload against expected payload, discard heartbeat if no match
|
|
if(payload !== c.expectedHeartbeatPayload) {
|
|
// continue
|
|
return c.process();
|
|
}
|
|
|
|
// notify that a valid heartbeat was received
|
|
if(c.heartbeatReceived) {
|
|
c.heartbeatReceived(c, forge.util.createBuffer(payload));
|
|
}
|
|
}
|
|
|
|
// continue
|
|
c.process();
|
|
};
|
|
|
|
/**
|
|
* The transistional state tables for receiving TLS records. It maps the
|
|
* current TLS engine state and a received record to a function to handle the
|
|
* record and update the state.
|
|
*
|
|
* For instance, if the current state is SHE, then the TLS engine is expecting
|
|
* a ServerHello record. Once a record is received, the handler function is
|
|
* looked up using the state SHE and the record's content type.
|
|
*
|
|
* The resulting function will either be an error handler or a record handler.
|
|
* The function will take whatever action is appropriate and update the state
|
|
* for the next record.
|
|
*
|
|
* The states are all based on possible server record types. Note that the
|
|
* client will never specifically expect to receive a HelloRequest or an alert
|
|
* from the server so there is no state that reflects this. These messages may
|
|
* occur at any time.
|
|
*
|
|
* There are two tables for mapping states because there is a second tier of
|
|
* types for handshake messages. Once a record with a content type of handshake
|
|
* is received, the handshake record handler will look up the handshake type in
|
|
* the secondary map to get its appropriate handler.
|
|
*
|
|
* Valid message orders are as follows:
|
|
*
|
|
* =======================FULL HANDSHAKE======================
|
|
* Client Server
|
|
*
|
|
* ClientHello -------->
|
|
* ServerHello
|
|
* Certificate*
|
|
* ServerKeyExchange*
|
|
* CertificateRequest*
|
|
* <-------- ServerHelloDone
|
|
* Certificate*
|
|
* ClientKeyExchange
|
|
* CertificateVerify*
|
|
* [ChangeCipherSpec]
|
|
* Finished -------->
|
|
* [ChangeCipherSpec]
|
|
* <-------- Finished
|
|
* Application Data <-------> Application Data
|
|
*
|
|
* =====================SESSION RESUMPTION=====================
|
|
* Client Server
|
|
*
|
|
* ClientHello -------->
|
|
* ServerHello
|
|
* [ChangeCipherSpec]
|
|
* <-------- Finished
|
|
* [ChangeCipherSpec]
|
|
* Finished -------->
|
|
* Application Data <-------> Application Data
|
|
*/
|
|
// client expect states (indicate which records are expected to be received)
|
|
var SHE = 0; // rcv server hello
|
|
var SCE = 1; // rcv server certificate
|
|
var SKE = 2; // rcv server key exchange
|
|
var SCR = 3; // rcv certificate request
|
|
var SHD = 4; // rcv server hello done
|
|
var SCC = 5; // rcv change cipher spec
|
|
var SFI = 6; // rcv finished
|
|
var SAD = 7; // rcv application data
|
|
var SER = 8; // not expecting any messages at this point
|
|
|
|
// server expect states
|
|
var CHE = 0; // rcv client hello
|
|
var CCE = 1; // rcv client certificate
|
|
var CKE = 2; // rcv client key exchange
|
|
var CCV = 3; // rcv certificate verify
|
|
var CCC = 4; // rcv change cipher spec
|
|
var CFI = 5; // rcv finished
|
|
var CAD = 6; // rcv application data
|
|
var CER = 7; // not expecting any messages at this point
|
|
|
|
// map client current expect state and content type to function
|
|
var __ = tls.handleUnexpected;
|
|
var R0 = tls.handleChangeCipherSpec;
|
|
var R1 = tls.handleAlert;
|
|
var R2 = tls.handleHandshake;
|
|
var R3 = tls.handleApplicationData;
|
|
var R4 = tls.handleHeartbeat;
|
|
var ctTable = [];
|
|
ctTable[tls.ConnectionEnd.client] = [
|
|
// CC,AL,HS,AD,HB
|
|
/*SHE*/[__,R1,R2,__,R4],
|
|
/*SCE*/[__,R1,R2,__,R4],
|
|
/*SKE*/[__,R1,R2,__,R4],
|
|
/*SCR*/[__,R1,R2,__,R4],
|
|
/*SHD*/[__,R1,R2,__,R4],
|
|
/*SCC*/[R0,R1,__,__,R4],
|
|
/*SFI*/[__,R1,R2,__,R4],
|
|
/*SAD*/[__,R1,R2,R3,R4],
|
|
/*SER*/[__,R1,R2,__,R4]
|
|
];
|
|
|
|
// map server current expect state and content type to function
|
|
ctTable[tls.ConnectionEnd.server] = [
|
|
// CC,AL,HS,AD
|
|
/*CHE*/[__,R1,R2,__,R4],
|
|
/*CCE*/[__,R1,R2,__,R4],
|
|
/*CKE*/[__,R1,R2,__,R4],
|
|
/*CCV*/[__,R1,R2,__,R4],
|
|
/*CCC*/[R0,R1,__,__,R4],
|
|
/*CFI*/[__,R1,R2,__,R4],
|
|
/*CAD*/[__,R1,R2,R3,R4],
|
|
/*CER*/[__,R1,R2,__,R4]
|
|
];
|
|
|
|
// map client current expect state and handshake type to function
|
|
var H0 = tls.handleHelloRequest;
|
|
var H1 = tls.handleServerHello;
|
|
var H2 = tls.handleCertificate;
|
|
var H3 = tls.handleServerKeyExchange;
|
|
var H4 = tls.handleCertificateRequest;
|
|
var H5 = tls.handleServerHelloDone;
|
|
var H6 = tls.handleFinished;
|
|
var hsTable = [];
|
|
hsTable[tls.ConnectionEnd.client] = [
|
|
// HR,01,SH,03,04,05,06,07,08,09,10,SC,SK,CR,HD,15,CK,17,18,19,FI
|
|
/*SHE*/[__,__,H1,__,__,__,__,__,__,__,__,__,__,__,__,__,__,__,__,__,__],
|
|
/*SCE*/[H0,__,__,__,__,__,__,__,__,__,__,H2,H3,H4,H5,__,__,__,__,__,__],
|
|
/*SKE*/[H0,__,__,__,__,__,__,__,__,__,__,__,H3,H4,H5,__,__,__,__,__,__],
|
|
/*SCR*/[H0,__,__,__,__,__,__,__,__,__,__,__,__,H4,H5,__,__,__,__,__,__],
|
|
/*SHD*/[H0,__,__,__,__,__,__,__,__,__,__,__,__,__,H5,__,__,__,__,__,__],
|
|
/*SCC*/[H0,__,__,__,__,__,__,__,__,__,__,__,__,__,__,__,__,__,__,__,__],
|
|
/*SFI*/[H0,__,__,__,__,__,__,__,__,__,__,__,__,__,__,__,__,__,__,__,H6],
|
|
/*SAD*/[H0,__,__,__,__,__,__,__,__,__,__,__,__,__,__,__,__,__,__,__,__],
|
|
/*SER*/[H0,__,__,__,__,__,__,__,__,__,__,__,__,__,__,__,__,__,__,__,__]
|
|
];
|
|
|
|
// map server current expect state and handshake type to function
|
|
// Note: CAD[CH] does not map to FB because renegotation is prohibited
|
|
var H7 = tls.handleClientHello;
|
|
var H8 = tls.handleClientKeyExchange;
|
|
var H9 = tls.handleCertificateVerify;
|
|
hsTable[tls.ConnectionEnd.server] = [
|
|
// 01,CH,02,03,04,05,06,07,08,09,10,CC,12,13,14,CV,CK,17,18,19,FI
|
|
/*CHE*/[__,H7,__,__,__,__,__,__,__,__,__,__,__,__,__,__,__,__,__,__,__],
|
|
/*CCE*/[__,__,__,__,__,__,__,__,__,__,__,H2,__,__,__,__,__,__,__,__,__],
|
|
/*CKE*/[__,__,__,__,__,__,__,__,__,__,__,__,__,__,__,__,H8,__,__,__,__],
|
|
/*CCV*/[__,__,__,__,__,__,__,__,__,__,__,__,__,__,__,H9,__,__,__,__,__],
|
|
/*CCC*/[__,__,__,__,__,__,__,__,__,__,__,__,__,__,__,__,__,__,__,__,__],
|
|
/*CFI*/[__,__,__,__,__,__,__,__,__,__,__,__,__,__,__,__,__,__,__,__,H6],
|
|
/*CAD*/[__,__,__,__,__,__,__,__,__,__,__,__,__,__,__,__,__,__,__,__,__],
|
|
/*CER*/[__,__,__,__,__,__,__,__,__,__,__,__,__,__,__,__,__,__,__,__,__]
|
|
];
|
|
|
|
/**
|
|
* Generates the master_secret and keys using the given security parameters.
|
|
*
|
|
* The security parameters for a TLS connection state are defined as such:
|
|
*
|
|
* struct {
|
|
* ConnectionEnd entity;
|
|
* PRFAlgorithm prf_algorithm;
|
|
* BulkCipherAlgorithm bulk_cipher_algorithm;
|
|
* CipherType cipher_type;
|
|
* uint8 enc_key_length;
|
|
* uint8 block_length;
|
|
* uint8 fixed_iv_length;
|
|
* uint8 record_iv_length;
|
|
* MACAlgorithm mac_algorithm;
|
|
* uint8 mac_length;
|
|
* uint8 mac_key_length;
|
|
* CompressionMethod compression_algorithm;
|
|
* opaque master_secret[48];
|
|
* opaque client_random[32];
|
|
* opaque server_random[32];
|
|
* } SecurityParameters;
|
|
*
|
|
* Note that this definition is from TLS 1.2. In TLS 1.0 some of these
|
|
* parameters are ignored because, for instance, the PRFAlgorithm is a
|
|
* builtin-fixed algorithm combining iterations of MD5 and SHA-1 in TLS 1.0.
|
|
*
|
|
* The Record Protocol requires an algorithm to generate keys required by the
|
|
* current connection state.
|
|
*
|
|
* The master secret is expanded into a sequence of secure bytes, which is then
|
|
* split to a client write MAC key, a server write MAC key, a client write
|
|
* encryption key, and a server write encryption key. In TLS 1.0 a client write
|
|
* IV and server write IV are also generated. Each of these is generated from
|
|
* the byte sequence in that order. Unused values are empty. In TLS 1.2, some
|
|
* AEAD ciphers may additionally require a client write IV and a server write
|
|
* IV (see Section 6.2.3.3).
|
|
*
|
|
* When keys, MAC keys, and IVs are generated, the master secret is used as an
|
|
* entropy source.
|
|
*
|
|
* To generate the key material, compute:
|
|
*
|
|
* master_secret = PRF(pre_master_secret, "master secret",
|
|
* ClientHello.random + ServerHello.random)
|
|
*
|
|
* key_block = PRF(SecurityParameters.master_secret,
|
|
* "key expansion",
|
|
* SecurityParameters.server_random +
|
|
* SecurityParameters.client_random);
|
|
*
|
|
* until enough output has been generated. Then, the key_block is
|
|
* partitioned as follows:
|
|
*
|
|
* client_write_MAC_key[SecurityParameters.mac_key_length]
|
|
* server_write_MAC_key[SecurityParameters.mac_key_length]
|
|
* client_write_key[SecurityParameters.enc_key_length]
|
|
* server_write_key[SecurityParameters.enc_key_length]
|
|
* client_write_IV[SecurityParameters.fixed_iv_length]
|
|
* server_write_IV[SecurityParameters.fixed_iv_length]
|
|
*
|
|
* In TLS 1.2, the client_write_IV and server_write_IV are only generated for
|
|
* implicit nonce techniques as described in Section 3.2.1 of [AEAD]. This
|
|
* implementation uses TLS 1.0 so IVs are generated.
|
|
*
|
|
* Implementation note: The currently defined cipher suite which requires the
|
|
* most material is AES_256_CBC_SHA256. It requires 2 x 32 byte keys and 2 x 32
|
|
* byte MAC keys, for a total 128 bytes of key material. In TLS 1.0 it also
|
|
* requires 2 x 16 byte IVs, so it actually takes 160 bytes of key material.
|
|
*
|
|
* @param c the connection.
|
|
* @param sp the security parameters to use.
|
|
*
|
|
* @return the security keys.
|
|
*/
|
|
tls.generateKeys = function(c, sp) {
|
|
// TLS_RSA_WITH_AES_128_CBC_SHA (required to be compliant with TLS 1.2) &
|
|
// TLS_RSA_WITH_AES_256_CBC_SHA are the only cipher suites implemented
|
|
// at present
|
|
|
|
// TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA is required to be compliant with
|
|
// TLS 1.0 but we don't care right now because AES is better and we have
|
|
// an implementation for it
|
|
|
|
// TODO: TLS 1.2 implementation
|
|
/*
|
|
// determine the PRF
|
|
var prf;
|
|
switch(sp.prf_algorithm) {
|
|
case tls.PRFAlgorithm.tls_prf_sha256:
|
|
prf = prf_sha256;
|
|
break;
|
|
default:
|
|
// should never happen
|
|
throw new Error('Invalid PRF');
|
|
}
|
|
*/
|
|
|
|
// TLS 1.0/1.1 implementation
|
|
var prf = prf_TLS1;
|
|
|
|
// concatenate server and client random
|
|
var random = sp.client_random + sp.server_random;
|
|
|
|
// only create master secret if session is new
|
|
if(!c.session.resuming) {
|
|
// create master secret, clean up pre-master secret
|
|
sp.master_secret = prf(
|
|
sp.pre_master_secret, 'master secret', random, 48).bytes();
|
|
sp.pre_master_secret = null;
|
|
}
|
|
|
|
// generate the amount of key material needed
|
|
random = sp.server_random + sp.client_random;
|
|
var length = 2 * sp.mac_key_length + 2 * sp.enc_key_length;
|
|
|
|
// include IV for TLS/1.0
|
|
var tls10 = (c.version.major === tls.Versions.TLS_1_0.major &&
|
|
c.version.minor === tls.Versions.TLS_1_0.minor);
|
|
if(tls10) {
|
|
length += 2 * sp.fixed_iv_length;
|
|
}
|
|
var km = prf(sp.master_secret, 'key expansion', random, length);
|
|
|
|
// split the key material into the MAC and encryption keys
|
|
var rval = {
|
|
client_write_MAC_key: km.getBytes(sp.mac_key_length),
|
|
server_write_MAC_key: km.getBytes(sp.mac_key_length),
|
|
client_write_key: km.getBytes(sp.enc_key_length),
|
|
server_write_key: km.getBytes(sp.enc_key_length)
|
|
};
|
|
|
|
// include TLS 1.0 IVs
|
|
if(tls10) {
|
|
rval.client_write_IV = km.getBytes(sp.fixed_iv_length);
|
|
rval.server_write_IV = km.getBytes(sp.fixed_iv_length);
|
|
}
|
|
|
|
return rval;
|
|
};
|
|
|
|
/**
|
|
* Creates a new initialized TLS connection state. A connection state has
|
|
* a read mode and a write mode.
|
|
*
|
|
* compression state:
|
|
* The current state of the compression algorithm.
|
|
*
|
|
* cipher state:
|
|
* The current state of the encryption algorithm. This will consist of the
|
|
* scheduled key for that connection. For stream ciphers, this will also
|
|
* contain whatever state information is necessary to allow the stream to
|
|
* continue to encrypt or decrypt data.
|
|
*
|
|
* MAC key:
|
|
* The MAC key for the connection.
|
|
*
|
|
* sequence number:
|
|
* Each connection state contains a sequence number, which is maintained
|
|
* separately for read and write states. The sequence number MUST be set to
|
|
* zero whenever a connection state is made the active state. Sequence
|
|
* numbers are of type uint64 and may not exceed 2^64-1. Sequence numbers do
|
|
* not wrap. If a TLS implementation would need to wrap a sequence number,
|
|
* it must renegotiate instead. A sequence number is incremented after each
|
|
* record: specifically, the first record transmitted under a particular
|
|
* connection state MUST use sequence number 0.
|
|
*
|
|
* @param c the connection.
|
|
*
|
|
* @return the new initialized TLS connection state.
|
|
*/
|
|
tls.createConnectionState = function(c) {
|
|
var client = (c.entity === tls.ConnectionEnd.client);
|
|
|
|
var createMode = function() {
|
|
var mode = {
|
|
// two 32-bit numbers, first is most significant
|
|
sequenceNumber: [0, 0],
|
|
macKey: null,
|
|
macLength: 0,
|
|
macFunction: null,
|
|
cipherState: null,
|
|
cipherFunction: function(record) {return true;},
|
|
compressionState: null,
|
|
compressFunction: function(record) {return true;},
|
|
updateSequenceNumber: function() {
|
|
if(mode.sequenceNumber[1] === 0xFFFFFFFF) {
|
|
mode.sequenceNumber[1] = 0;
|
|
++mode.sequenceNumber[0];
|
|
} else {
|
|
++mode.sequenceNumber[1];
|
|
}
|
|
}
|
|
};
|
|
return mode;
|
|
};
|
|
var state = {
|
|
read: createMode(),
|
|
write: createMode()
|
|
};
|
|
|
|
// update function in read mode will decrypt then decompress a record
|
|
state.read.update = function(c, record) {
|
|
if(!state.read.cipherFunction(record, state.read)) {
|
|
c.error(c, {
|
|
message: 'Could not decrypt record or bad MAC.',
|
|
send: true,
|
|
alert: {
|
|
level: tls.Alert.Level.fatal,
|
|
// doesn't matter if decryption failed or MAC was
|
|
// invalid, return the same error so as not to reveal
|
|
// which one occurred
|
|
description: tls.Alert.Description.bad_record_mac
|
|
}
|
|
});
|
|
} else if(!state.read.compressFunction(c, record, state.read)) {
|
|
c.error(c, {
|
|
message: 'Could not decompress record.',
|
|
send: true,
|
|
alert: {
|
|
level: tls.Alert.Level.fatal,
|
|
description: tls.Alert.Description.decompression_failure
|
|
}
|
|
});
|
|
}
|
|
return !c.fail;
|
|
};
|
|
|
|
// update function in write mode will compress then encrypt a record
|
|
state.write.update = function(c, record) {
|
|
if(!state.write.compressFunction(c, record, state.write)) {
|
|
// error, but do not send alert since it would require
|
|
// compression as well
|
|
c.error(c, {
|
|
message: 'Could not compress record.',
|
|
send: false,
|
|
alert: {
|
|
level: tls.Alert.Level.fatal,
|
|
description: tls.Alert.Description.internal_error
|
|
}
|
|
});
|
|
} else if(!state.write.cipherFunction(record, state.write)) {
|
|
// error, but do not send alert since it would require
|
|
// encryption as well
|
|
c.error(c, {
|
|
message: 'Could not encrypt record.',
|
|
send: false,
|
|
alert: {
|
|
level: tls.Alert.Level.fatal,
|
|
description: tls.Alert.Description.internal_error
|
|
}
|
|
});
|
|
}
|
|
return !c.fail;
|
|
};
|
|
|
|
// handle security parameters
|
|
if(c.session) {
|
|
var sp = c.session.sp;
|
|
c.session.cipherSuite.initSecurityParameters(sp);
|
|
|
|
// generate keys
|
|
sp.keys = tls.generateKeys(c, sp);
|
|
state.read.macKey = client ?
|
|
sp.keys.server_write_MAC_key : sp.keys.client_write_MAC_key;
|
|
state.write.macKey = client ?
|
|
sp.keys.client_write_MAC_key : sp.keys.server_write_MAC_key;
|
|
|
|
// cipher suite setup
|
|
c.session.cipherSuite.initConnectionState(state, c, sp);
|
|
|
|
// compression setup
|
|
switch(sp.compression_algorithm) {
|
|
case tls.CompressionMethod.none:
|
|
break;
|
|
case tls.CompressionMethod.deflate:
|
|
state.read.compressFunction = inflate;
|
|
state.write.compressFunction = deflate;
|
|
break;
|
|
default:
|
|
throw new Error('Unsupported compression algorithm.');
|
|
}
|
|
}
|
|
|
|
return state;
|
|
};
|
|
|
|
/**
|
|
* Creates a Random structure.
|
|
*
|
|
* struct {
|
|
* uint32 gmt_unix_time;
|
|
* opaque random_bytes[28];
|
|
* } Random;
|
|
*
|
|
* gmt_unix_time:
|
|
* The current time and date in standard UNIX 32-bit format (seconds since
|
|
* the midnight starting Jan 1, 1970, UTC, ignoring leap seconds) according
|
|
* to the sender's internal clock. Clocks are not required to be set
|
|
* correctly by the basic TLS protocol; higher-level or application
|
|
* protocols may define additional requirements. Note that, for historical
|
|
* reasons, the data element is named using GMT, the predecessor of the
|
|
* current worldwide time base, UTC.
|
|
* random_bytes:
|
|
* 28 bytes generated by a secure random number generator.
|
|
*
|
|
* @return the Random structure as a byte array.
|
|
*/
|
|
tls.createRandom = function() {
|
|
// get UTC milliseconds
|
|
var d = new Date();
|
|
var utc = +d + d.getTimezoneOffset() * 60000;
|
|
var rval = forge.util.createBuffer();
|
|
rval.putInt32(utc);
|
|
rval.putBytes(forge.random.getBytes(28));
|
|
return rval;
|
|
};
|
|
|
|
/**
|
|
* Creates a TLS record with the given type and data.
|
|
*
|
|
* @param c the connection.
|
|
* @param options:
|
|
* type: the record type.
|
|
* data: the plain text data in a byte buffer.
|
|
*
|
|
* @return the created record.
|
|
*/
|
|
tls.createRecord = function(c, options) {
|
|
if(!options.data) {
|
|
return null;
|
|
}
|
|
var record = {
|
|
type: options.type,
|
|
version: {
|
|
major: c.version.major,
|
|
minor: c.version.minor
|
|
},
|
|
length: options.data.length(),
|
|
fragment: options.data
|
|
};
|
|
return record;
|
|
};
|
|
|
|
/**
|
|
* Creates a TLS alert record.
|
|
*
|
|
* @param c the connection.
|
|
* @param alert:
|
|
* level: the TLS alert level.
|
|
* description: the TLS alert description.
|
|
*
|
|
* @return the created alert record.
|
|
*/
|
|
tls.createAlert = function(c, alert) {
|
|
var b = forge.util.createBuffer();
|
|
b.putByte(alert.level);
|
|
b.putByte(alert.description);
|
|
return tls.createRecord(c, {
|
|
type: tls.ContentType.alert,
|
|
data: b
|
|
});
|
|
};
|
|
|
|
/* The structure of a TLS handshake message.
|
|
*
|
|
* struct {
|
|
* HandshakeType msg_type; // handshake type
|
|
* uint24 length; // bytes in message
|
|
* select(HandshakeType) {
|
|
* case hello_request: HelloRequest;
|
|
* case client_hello: ClientHello;
|
|
* case server_hello: ServerHello;
|
|
* case certificate: Certificate;
|
|
* case server_key_exchange: ServerKeyExchange;
|
|
* case certificate_request: CertificateRequest;
|
|
* case server_hello_done: ServerHelloDone;
|
|
* case certificate_verify: CertificateVerify;
|
|
* case client_key_exchange: ClientKeyExchange;
|
|
* case finished: Finished;
|
|
* } body;
|
|
* } Handshake;
|
|
*/
|
|
|
|
/**
|
|
* Creates a ClientHello message.
|
|
*
|
|
* opaque SessionID<0..32>;
|
|
* enum { null(0), deflate(1), (255) } CompressionMethod;
|
|
* uint8 CipherSuite[2];
|
|
*
|
|
* struct {
|
|
* ProtocolVersion client_version;
|
|
* Random random;
|
|
* SessionID session_id;
|
|
* CipherSuite cipher_suites<2..2^16-2>;
|
|
* CompressionMethod compression_methods<1..2^8-1>;
|
|
* select(extensions_present) {
|
|
* case false:
|
|
* struct {};
|
|
* case true:
|
|
* Extension extensions<0..2^16-1>;
|
|
* };
|
|
* } ClientHello;
|
|
*
|
|
* The extension format for extended client hellos and server hellos is:
|
|
*
|
|
* struct {
|
|
* ExtensionType extension_type;
|
|
* opaque extension_data<0..2^16-1>;
|
|
* } Extension;
|
|
*
|
|
* Here:
|
|
*
|
|
* - "extension_type" identifies the particular extension type.
|
|
* - "extension_data" contains information specific to the particular
|
|
* extension type.
|
|
*
|
|
* The extension types defined in this document are:
|
|
*
|
|
* enum {
|
|
* server_name(0), max_fragment_length(1),
|
|
* client_certificate_url(2), trusted_ca_keys(3),
|
|
* truncated_hmac(4), status_request(5), (65535)
|
|
* } ExtensionType;
|
|
*
|
|
* @param c the connection.
|
|
*
|
|
* @return the ClientHello byte buffer.
|
|
*/
|
|
tls.createClientHello = function(c) {
|
|
// save hello version
|
|
c.session.clientHelloVersion = {
|
|
major: c.version.major,
|
|
minor: c.version.minor
|
|
};
|
|
|
|
// create supported cipher suites
|
|
var cipherSuites = forge.util.createBuffer();
|
|
for(var i = 0; i < c.cipherSuites.length; ++i) {
|
|
var cs = c.cipherSuites[i];
|
|
cipherSuites.putByte(cs.id[0]);
|
|
cipherSuites.putByte(cs.id[1]);
|
|
}
|
|
var cSuites = cipherSuites.length();
|
|
|
|
// create supported compression methods, null always supported, but
|
|
// also support deflate if connection has inflate and deflate methods
|
|
var compressionMethods = forge.util.createBuffer();
|
|
compressionMethods.putByte(tls.CompressionMethod.none);
|
|
// FIXME: deflate support disabled until issues with raw deflate data
|
|
// without zlib headers are resolved
|
|
/*
|
|
if(c.inflate !== null && c.deflate !== null) {
|
|
compressionMethods.putByte(tls.CompressionMethod.deflate);
|
|
}
|
|
*/
|
|
var cMethods = compressionMethods.length();
|
|
|
|
// create TLS SNI (server name indication) extension if virtual host
|
|
// has been specified, see RFC 3546
|
|
var extensions = forge.util.createBuffer();
|
|
if(c.virtualHost) {
|
|
// create extension struct
|
|
var ext = forge.util.createBuffer();
|
|
ext.putByte(0x00); // type server_name (ExtensionType is 2 bytes)
|
|
ext.putByte(0x00);
|
|
|
|
/* In order to provide the server name, clients MAY include an
|
|
* extension of type "server_name" in the (extended) client hello.
|
|
* The "extension_data" field of this extension SHALL contain
|
|
* "ServerNameList" where:
|
|
*
|
|
* struct {
|
|
* NameType name_type;
|
|
* select(name_type) {
|
|
* case host_name: HostName;
|
|
* } name;
|
|
* } ServerName;
|
|
*
|
|
* enum {
|
|
* host_name(0), (255)
|
|
* } NameType;
|
|
*
|
|
* opaque HostName<1..2^16-1>;
|
|
*
|
|
* struct {
|
|
* ServerName server_name_list<1..2^16-1>
|
|
* } ServerNameList;
|
|
*/
|
|
var serverName = forge.util.createBuffer();
|
|
serverName.putByte(0x00); // type host_name
|
|
writeVector(serverName, 2, forge.util.createBuffer(c.virtualHost));
|
|
|
|
// ServerNameList is in extension_data
|
|
var snList = forge.util.createBuffer();
|
|
writeVector(snList, 2, serverName);
|
|
writeVector(ext, 2, snList);
|
|
extensions.putBuffer(ext);
|
|
}
|
|
var extLength = extensions.length();
|
|
if(extLength > 0) {
|
|
// add extension vector length
|
|
extLength += 2;
|
|
}
|
|
|
|
// determine length of the handshake message
|
|
// cipher suites and compression methods size will need to be
|
|
// updated if more get added to the list
|
|
var sessionId = c.session.id;
|
|
var length =
|
|
sessionId.length + 1 + // session ID vector
|
|
2 + // version (major + minor)
|
|
4 + 28 + // random time and random bytes
|
|
2 + cSuites + // cipher suites vector
|
|
1 + cMethods + // compression methods vector
|
|
extLength; // extensions vector
|
|
|
|
// build record fragment
|
|
var rval = forge.util.createBuffer();
|
|
rval.putByte(tls.HandshakeType.client_hello);
|
|
rval.putInt24(length); // handshake length
|
|
rval.putByte(c.version.major); // major version
|
|
rval.putByte(c.version.minor); // minor version
|
|
rval.putBytes(c.session.sp.client_random); // random time + bytes
|
|
writeVector(rval, 1, forge.util.createBuffer(sessionId));
|
|
writeVector(rval, 2, cipherSuites);
|
|
writeVector(rval, 1, compressionMethods);
|
|
if(extLength > 0) {
|
|
writeVector(rval, 2, extensions);
|
|
}
|
|
return rval;
|
|
};
|
|
|
|
/**
|
|
* Creates a ServerHello message.
|
|
*
|
|
* @param c the connection.
|
|
*
|
|
* @return the ServerHello byte buffer.
|
|
*/
|
|
tls.createServerHello = function(c) {
|
|
// determine length of the handshake message
|
|
var sessionId = c.session.id;
|
|
var length =
|
|
sessionId.length + 1 + // session ID vector
|
|
2 + // version (major + minor)
|
|
4 + 28 + // random time and random bytes
|
|
2 + // chosen cipher suite
|
|
1; // chosen compression method
|
|
|
|
// build record fragment
|
|
var rval = forge.util.createBuffer();
|
|
rval.putByte(tls.HandshakeType.server_hello);
|
|
rval.putInt24(length); // handshake length
|
|
rval.putByte(c.version.major); // major version
|
|
rval.putByte(c.version.minor); // minor version
|
|
rval.putBytes(c.session.sp.server_random); // random time + bytes
|
|
writeVector(rval, 1, forge.util.createBuffer(sessionId));
|
|
rval.putByte(c.session.cipherSuite.id[0]);
|
|
rval.putByte(c.session.cipherSuite.id[1]);
|
|
rval.putByte(c.session.compressionMethod);
|
|
return rval;
|
|
};
|
|
|
|
/**
|
|
* Creates a Certificate message.
|
|
*
|
|
* When this message will be sent:
|
|
* This is the first message the client can send after receiving a server
|
|
* hello done message and the first message the server can send after
|
|
* sending a ServerHello. This client message is only sent if the server
|
|
* requests a certificate. If no suitable certificate is available, the
|
|
* client should send a certificate message containing no certificates. If
|
|
* client authentication is required by the server for the handshake to
|
|
* continue, it may respond with a fatal handshake failure alert.
|
|
*
|
|
* opaque ASN.1Cert<1..2^24-1>;
|
|
*
|
|
* struct {
|
|
* ASN.1Cert certificate_list<0..2^24-1>;
|
|
* } Certificate;
|
|
*
|
|
* @param c the connection.
|
|
*
|
|
* @return the Certificate byte buffer.
|
|
*/
|
|
tls.createCertificate = function(c) {
|
|
// TODO: check certificate request to ensure types are supported
|
|
|
|
// get a certificate (a certificate as a PEM string)
|
|
var client = (c.entity === tls.ConnectionEnd.client);
|
|
var cert = null;
|
|
if(c.getCertificate) {
|
|
var hint;
|
|
if(client) {
|
|
hint = c.session.certificateRequest;
|
|
} else {
|
|
hint = c.session.extensions.server_name.serverNameList;
|
|
}
|
|
cert = c.getCertificate(c, hint);
|
|
}
|
|
|
|
// buffer to hold certificate list
|
|
var certList = forge.util.createBuffer();
|
|
if(cert !== null) {
|
|
try {
|
|
// normalize cert to a chain of certificates
|
|
if(!forge.util.isArray(cert)) {
|
|
cert = [cert];
|
|
}
|
|
var asn1 = null;
|
|
for(var i = 0; i < cert.length; ++i) {
|
|
var msg = forge.pem.decode(cert[i])[0];
|
|
if(msg.type !== 'CERTIFICATE' &&
|
|
msg.type !== 'X509 CERTIFICATE' &&
|
|
msg.type !== 'TRUSTED CERTIFICATE') {
|
|
var error = new Error('Could not convert certificate from PEM; PEM ' +
|
|
'header type is not "CERTIFICATE", "X509 CERTIFICATE", or ' +
|
|
'"TRUSTED CERTIFICATE".');
|
|
error.headerType = msg.type;
|
|
throw error;
|
|
}
|
|
if(msg.procType && msg.procType.type === 'ENCRYPTED') {
|
|
throw new Error('Could not convert certificate from PEM; PEM is encrypted.');
|
|
}
|
|
|
|
var der = forge.util.createBuffer(msg.body);
|
|
if(asn1 === null) {
|
|
asn1 = forge.asn1.fromDer(der.bytes(), false);
|
|
}
|
|
|
|
// certificate entry is itself a vector with 3 length bytes
|
|
var certBuffer = forge.util.createBuffer();
|
|
writeVector(certBuffer, 3, der);
|
|
|
|
// add cert vector to cert list vector
|
|
certList.putBuffer(certBuffer);
|
|
}
|
|
|
|
// save certificate
|
|
cert = forge.pki.certificateFromAsn1(asn1);
|
|
if(client) {
|
|
c.session.clientCertificate = cert;
|
|
} else {
|
|
c.session.serverCertificate = cert;
|
|
}
|
|
} catch(ex) {
|
|
return c.error(c, {
|
|
message: 'Could not send certificate list.',
|
|
cause: ex,
|
|
send: true,
|
|
alert: {
|
|
level: tls.Alert.Level.fatal,
|
|
description: tls.Alert.Description.bad_certificate
|
|
}
|
|
});
|
|
}
|
|
}
|
|
|
|
// determine length of the handshake message
|
|
var length = 3 + certList.length(); // cert list vector
|
|
|
|
// build record fragment
|
|
var rval = forge.util.createBuffer();
|
|
rval.putByte(tls.HandshakeType.certificate);
|
|
rval.putInt24(length);
|
|
writeVector(rval, 3, certList);
|
|
return rval;
|
|
};
|
|
|
|
/**
|
|
* Creates a ClientKeyExchange message.
|
|
*
|
|
* When this message will be sent:
|
|
* This message is always sent by the client. It will immediately follow the
|
|
* client certificate message, if it is sent. Otherwise it will be the first
|
|
* message sent by the client after it receives the server hello done
|
|
* message.
|
|
*
|
|
* Meaning of this message:
|
|
* With this message, the premaster secret is set, either though direct
|
|
* transmission of the RSA-encrypted secret, or by the transmission of
|
|
* Diffie-Hellman parameters which will allow each side to agree upon the
|
|
* same premaster secret. When the key exchange method is DH_RSA or DH_DSS,
|
|
* client certification has been requested, and the client was able to
|
|
* respond with a certificate which contained a Diffie-Hellman public key
|
|
* whose parameters (group and generator) matched those specified by the
|
|
* server in its certificate, this message will not contain any data.
|
|
*
|
|
* Meaning of this message:
|
|
* If RSA is being used for key agreement and authentication, the client
|
|
* generates a 48-byte premaster secret, encrypts it using the public key
|
|
* from the server's certificate or the temporary RSA key provided in a
|
|
* server key exchange message, and sends the result in an encrypted
|
|
* premaster secret message. This structure is a variant of the client
|
|
* key exchange message, not a message in itself.
|
|
*
|
|
* struct {
|
|
* select(KeyExchangeAlgorithm) {
|
|
* case rsa: EncryptedPreMasterSecret;
|
|
* case diffie_hellman: ClientDiffieHellmanPublic;
|
|
* } exchange_keys;
|
|
* } ClientKeyExchange;
|
|
*
|
|
* struct {
|
|
* ProtocolVersion client_version;
|
|
* opaque random[46];
|
|
* } PreMasterSecret;
|
|
*
|
|
* struct {
|
|
* public-key-encrypted PreMasterSecret pre_master_secret;
|
|
* } EncryptedPreMasterSecret;
|
|
*
|
|
* A public-key-encrypted element is encoded as a vector <0..2^16-1>.
|
|
*
|
|
* @param c the connection.
|
|
*
|
|
* @return the ClientKeyExchange byte buffer.
|
|
*/
|
|
tls.createClientKeyExchange = function(c) {
|
|
// create buffer to encrypt
|
|
var b = forge.util.createBuffer();
|
|
|
|
// add highest client-supported protocol to help server avoid version
|
|
// rollback attacks
|
|
b.putByte(c.session.clientHelloVersion.major);
|
|
b.putByte(c.session.clientHelloVersion.minor);
|
|
|
|
// generate and add 46 random bytes
|
|
b.putBytes(forge.random.getBytes(46));
|
|
|
|
// save pre-master secret
|
|
var sp = c.session.sp;
|
|
sp.pre_master_secret = b.getBytes();
|
|
|
|
// RSA-encrypt the pre-master secret
|
|
var key = c.session.serverCertificate.publicKey;
|
|
b = key.encrypt(sp.pre_master_secret);
|
|
|
|
/* Note: The encrypted pre-master secret will be stored in a
|
|
public-key-encrypted opaque vector that has the length prefixed using
|
|
2 bytes, so include those 2 bytes in the handshake message length. This
|
|
is done as a minor optimization instead of calling writeVector(). */
|
|
|
|
// determine length of the handshake message
|
|
var length = b.length + 2;
|
|
|
|
// build record fragment
|
|
var rval = forge.util.createBuffer();
|
|
rval.putByte(tls.HandshakeType.client_key_exchange);
|
|
rval.putInt24(length);
|
|
// add vector length bytes
|
|
rval.putInt16(b.length);
|
|
rval.putBytes(b);
|
|
return rval;
|
|
};
|
|
|
|
/**
|
|
* Creates a ServerKeyExchange message.
|
|
*
|
|
* @param c the connection.
|
|
*
|
|
* @return the ServerKeyExchange byte buffer.
|
|
*/
|
|
tls.createServerKeyExchange = function(c) {
|
|
// this implementation only supports RSA, no Diffie-Hellman support,
|
|
// so this record is empty
|
|
|
|
// determine length of the handshake message
|
|
var length = 0;
|
|
|
|
// build record fragment
|
|
var rval = forge.util.createBuffer();
|
|
if(length > 0) {
|
|
rval.putByte(tls.HandshakeType.server_key_exchange);
|
|
rval.putInt24(length);
|
|
}
|
|
return rval;
|
|
};
|
|
|
|
/**
|
|
* Gets the signed data used to verify a client-side certificate. See
|
|
* tls.createCertificateVerify() for details.
|
|
*
|
|
* @param c the connection.
|
|
* @param callback the callback to call once the signed data is ready.
|
|
*/
|
|
tls.getClientSignature = function(c, callback) {
|
|
// generate data to RSA encrypt
|
|
var b = forge.util.createBuffer();
|
|
b.putBuffer(c.session.md5.digest());
|
|
b.putBuffer(c.session.sha1.digest());
|
|
b = b.getBytes();
|
|
|
|
// create default signing function as necessary
|
|
c.getSignature = c.getSignature || function(c, b, callback) {
|
|
// do rsa encryption, call callback
|
|
var privateKey = null;
|
|
if(c.getPrivateKey) {
|
|
try {
|
|
privateKey = c.getPrivateKey(c, c.session.clientCertificate);
|
|
privateKey = forge.pki.privateKeyFromPem(privateKey);
|
|
} catch(ex) {
|
|
c.error(c, {
|
|
message: 'Could not get private key.',
|
|
cause: ex,
|
|
send: true,
|
|
alert: {
|
|
level: tls.Alert.Level.fatal,
|
|
description: tls.Alert.Description.internal_error
|
|
}
|
|
});
|
|
}
|
|
}
|
|
if(privateKey === null) {
|
|
c.error(c, {
|
|
message: 'No private key set.',
|
|
send: true,
|
|
alert: {
|
|
level: tls.Alert.Level.fatal,
|
|
description: tls.Alert.Description.internal_error
|
|
}
|
|
});
|
|
} else {
|
|
b = privateKey.sign(b, null);
|
|
}
|
|
callback(c, b);
|
|
};
|
|
|
|
// get client signature
|
|
c.getSignature(c, b, callback);
|
|
};
|
|
|
|
/**
|
|
* Creates a CertificateVerify message.
|
|
*
|
|
* Meaning of this message:
|
|
* This structure conveys the client's Diffie-Hellman public value
|
|
* (Yc) if it was not already included in the client's certificate.
|
|
* The encoding used for Yc is determined by the enumerated
|
|
* PublicValueEncoding. This structure is a variant of the client
|
|
* key exchange message, not a message in itself.
|
|
*
|
|
* When this message will be sent:
|
|
* This message is used to provide explicit verification of a client
|
|
* certificate. This message is only sent following a client
|
|
* certificate that has signing capability (i.e. all certificates
|
|
* except those containing fixed Diffie-Hellman parameters). When
|
|
* sent, it will immediately follow the client key exchange message.
|
|
*
|
|
* struct {
|
|
* Signature signature;
|
|
* } CertificateVerify;
|
|
*
|
|
* CertificateVerify.signature.md5_hash
|
|
* MD5(handshake_messages);
|
|
*
|
|
* Certificate.signature.sha_hash
|
|
* SHA(handshake_messages);
|
|
*
|
|
* Here handshake_messages refers to all handshake messages sent or
|
|
* received starting at client hello up to but not including this
|
|
* message, including the type and length fields of the handshake
|
|
* messages.
|
|
*
|
|
* select(SignatureAlgorithm) {
|
|
* case anonymous: struct { };
|
|
* case rsa:
|
|
* digitally-signed struct {
|
|
* opaque md5_hash[16];
|
|
* opaque sha_hash[20];
|
|
* };
|
|
* case dsa:
|
|
* digitally-signed struct {
|
|
* opaque sha_hash[20];
|
|
* };
|
|
* } Signature;
|
|
*
|
|
* In digital signing, one-way hash functions are used as input for a
|
|
* signing algorithm. A digitally-signed element is encoded as an opaque
|
|
* vector <0..2^16-1>, where the length is specified by the signing
|
|
* algorithm and key.
|
|
*
|
|
* In RSA signing, a 36-byte structure of two hashes (one SHA and one
|
|
* MD5) is signed (encrypted with the private key). It is encoded with
|
|
* PKCS #1 block type 0 or type 1 as described in [PKCS1].
|
|
*
|
|
* In DSS, the 20 bytes of the SHA hash are run directly through the
|
|
* Digital Signing Algorithm with no additional hashing.
|
|
*
|
|
* @param c the connection.
|
|
* @param signature the signature to include in the message.
|
|
*
|
|
* @return the CertificateVerify byte buffer.
|
|
*/
|
|
tls.createCertificateVerify = function(c, signature) {
|
|
/* Note: The signature will be stored in a "digitally-signed" opaque
|
|
vector that has the length prefixed using 2 bytes, so include those
|
|
2 bytes in the handshake message length. This is done as a minor
|
|
optimization instead of calling writeVector(). */
|
|
|
|
// determine length of the handshake message
|
|
var length = signature.length + 2;
|
|
|
|
// build record fragment
|
|
var rval = forge.util.createBuffer();
|
|
rval.putByte(tls.HandshakeType.certificate_verify);
|
|
rval.putInt24(length);
|
|
// add vector length bytes
|
|
rval.putInt16(signature.length);
|
|
rval.putBytes(signature);
|
|
return rval;
|
|
};
|
|
|
|
/**
|
|
* Creates a CertificateRequest message.
|
|
*
|
|
* @param c the connection.
|
|
*
|
|
* @return the CertificateRequest byte buffer.
|
|
*/
|
|
tls.createCertificateRequest = function(c) {
|
|
// TODO: support other certificate types
|
|
var certTypes = forge.util.createBuffer();
|
|
|
|
// common RSA certificate type
|
|
certTypes.putByte(0x01);
|
|
|
|
// add distinguished names from CA store
|
|
var cAs = forge.util.createBuffer();
|
|
for(var key in c.caStore.certs) {
|
|
var cert = c.caStore.certs[key];
|
|
var dn = forge.pki.distinguishedNameToAsn1(cert.subject);
|
|
var byteBuffer = forge.asn1.toDer(dn);
|
|
cAs.putInt16(byteBuffer.length());
|
|
cAs.putBuffer(byteBuffer);
|
|
}
|
|
|
|
// TODO: TLS 1.2+ has a different format
|
|
|
|
// determine length of the handshake message
|
|
var length =
|
|
1 + certTypes.length() +
|
|
2 + cAs.length();
|
|
|
|
// build record fragment
|
|
var rval = forge.util.createBuffer();
|
|
rval.putByte(tls.HandshakeType.certificate_request);
|
|
rval.putInt24(length);
|
|
writeVector(rval, 1, certTypes);
|
|
writeVector(rval, 2, cAs);
|
|
return rval;
|
|
};
|
|
|
|
/**
|
|
* Creates a ServerHelloDone message.
|
|
*
|
|
* @param c the connection.
|
|
*
|
|
* @return the ServerHelloDone byte buffer.
|
|
*/
|
|
tls.createServerHelloDone = function(c) {
|
|
// build record fragment
|
|
var rval = forge.util.createBuffer();
|
|
rval.putByte(tls.HandshakeType.server_hello_done);
|
|
rval.putInt24(0);
|
|
return rval;
|
|
};
|
|
|
|
/**
|
|
* Creates a ChangeCipherSpec message.
|
|
*
|
|
* The change cipher spec protocol exists to signal transitions in
|
|
* ciphering strategies. The protocol consists of a single message,
|
|
* which is encrypted and compressed under the current (not the pending)
|
|
* connection state. The message consists of a single byte of value 1.
|
|
*
|
|
* struct {
|
|
* enum { change_cipher_spec(1), (255) } type;
|
|
* } ChangeCipherSpec;
|
|
*
|
|
* @return the ChangeCipherSpec byte buffer.
|
|
*/
|
|
tls.createChangeCipherSpec = function() {
|
|
var rval = forge.util.createBuffer();
|
|
rval.putByte(0x01);
|
|
return rval;
|
|
};
|
|
|
|
/**
|
|
* Creates a Finished message.
|
|
*
|
|
* struct {
|
|
* opaque verify_data[12];
|
|
* } Finished;
|
|
*
|
|
* verify_data
|
|
* PRF(master_secret, finished_label, MD5(handshake_messages) +
|
|
* SHA-1(handshake_messages)) [0..11];
|
|
*
|
|
* finished_label
|
|
* For Finished messages sent by the client, the string "client
|
|
* finished". For Finished messages sent by the server, the
|
|
* string "server finished".
|
|
*
|
|
* handshake_messages
|
|
* All of the data from all handshake messages up to but not
|
|
* including this message. This is only data visible at the
|
|
* handshake layer and does not include record layer headers.
|
|
* This is the concatenation of all the Handshake structures as
|
|
* defined in 7.4 exchanged thus far.
|
|
*
|
|
* @param c the connection.
|
|
*
|
|
* @return the Finished byte buffer.
|
|
*/
|
|
tls.createFinished = function(c) {
|
|
// generate verify_data
|
|
var b = forge.util.createBuffer();
|
|
b.putBuffer(c.session.md5.digest());
|
|
b.putBuffer(c.session.sha1.digest());
|
|
|
|
// TODO: determine prf function and verify length for TLS 1.2
|
|
var client = (c.entity === tls.ConnectionEnd.client);
|
|
var sp = c.session.sp;
|
|
var vdl = 12;
|
|
var prf = prf_TLS1;
|
|
var label = client ? 'client finished' : 'server finished';
|
|
b = prf(sp.master_secret, label, b.getBytes(), vdl);
|
|
|
|
// build record fragment
|
|
var rval = forge.util.createBuffer();
|
|
rval.putByte(tls.HandshakeType.finished);
|
|
rval.putInt24(b.length());
|
|
rval.putBuffer(b);
|
|
return rval;
|
|
};
|
|
|
|
/**
|
|
* Creates a HeartbeatMessage (See RFC 6520).
|
|
*
|
|
* struct {
|
|
* HeartbeatMessageType type;
|
|
* uint16 payload_length;
|
|
* opaque payload[HeartbeatMessage.payload_length];
|
|
* opaque padding[padding_length];
|
|
* } HeartbeatMessage;
|
|
*
|
|
* The total length of a HeartbeatMessage MUST NOT exceed 2^14 or
|
|
* max_fragment_length when negotiated as defined in [RFC6066].
|
|
*
|
|
* type: The message type, either heartbeat_request or heartbeat_response.
|
|
*
|
|
* payload_length: The length of the payload.
|
|
*
|
|
* payload: The payload consists of arbitrary content.
|
|
*
|
|
* padding: The padding is random content that MUST be ignored by the
|
|
* receiver. The length of a HeartbeatMessage is TLSPlaintext.length
|
|
* for TLS and DTLSPlaintext.length for DTLS. Furthermore, the
|
|
* length of the type field is 1 byte, and the length of the
|
|
* payload_length is 2. Therefore, the padding_length is
|
|
* TLSPlaintext.length - payload_length - 3 for TLS and
|
|
* DTLSPlaintext.length - payload_length - 3 for DTLS. The
|
|
* padding_length MUST be at least 16.
|
|
*
|
|
* The sender of a HeartbeatMessage MUST use a random padding of at
|
|
* least 16 bytes. The padding of a received HeartbeatMessage message
|
|
* MUST be ignored.
|
|
*
|
|
* If the payload_length of a received HeartbeatMessage is too large,
|
|
* the received HeartbeatMessage MUST be discarded silently.
|
|
*
|
|
* @param c the connection.
|
|
* @param type the tls.HeartbeatMessageType.
|
|
* @param payload the heartbeat data to send as the payload.
|
|
* @param [payloadLength] the payload length to use, defaults to the
|
|
* actual payload length.
|
|
*
|
|
* @return the HeartbeatRequest byte buffer.
|
|
*/
|
|
tls.createHeartbeat = function(type, payload, payloadLength) {
|
|
if(typeof payloadLength === 'undefined') {
|
|
payloadLength = payload.length;
|
|
}
|
|
// build record fragment
|
|
var rval = forge.util.createBuffer();
|
|
rval.putByte(type); // heartbeat message type
|
|
rval.putInt16(payloadLength); // payload length
|
|
rval.putBytes(payload); // payload
|
|
// padding
|
|
var plaintextLength = rval.length();
|
|
var paddingLength = Math.max(16, plaintextLength - payloadLength - 3);
|
|
rval.putBytes(forge.random.getBytes(paddingLength));
|
|
return rval;
|
|
};
|
|
|
|
/**
|
|
* Fragments, compresses, encrypts, and queues a record for delivery.
|
|
*
|
|
* @param c the connection.
|
|
* @param record the record to queue.
|
|
*/
|
|
tls.queue = function(c, record) {
|
|
// error during record creation
|
|
if(!record) {
|
|
return;
|
|
}
|
|
|
|
if(record.fragment.length() === 0) {
|
|
if(record.type === tls.ContentType.handshake ||
|
|
record.type === tls.ContentType.alert ||
|
|
record.type === tls.ContentType.change_cipher_spec) {
|
|
// Empty handshake, alert of change cipher spec messages are not allowed per the TLS specification and should not be sent.
|
|
return;
|
|
}
|
|
}
|
|
|
|
// if the record is a handshake record, update handshake hashes
|
|
if(record.type === tls.ContentType.handshake) {
|
|
var bytes = record.fragment.bytes();
|
|
c.session.md5.update(bytes);
|
|
c.session.sha1.update(bytes);
|
|
bytes = null;
|
|
}
|
|
|
|
// handle record fragmentation
|
|
var records;
|
|
if(record.fragment.length() <= tls.MaxFragment) {
|
|
records = [record];
|
|
} else {
|
|
// fragment data as long as it is too long
|
|
records = [];
|
|
var data = record.fragment.bytes();
|
|
while(data.length > tls.MaxFragment) {
|
|
records.push(tls.createRecord(c, {
|
|
type: record.type,
|
|
data: forge.util.createBuffer(data.slice(0, tls.MaxFragment))
|
|
}));
|
|
data = data.slice(tls.MaxFragment);
|
|
}
|
|
// add last record
|
|
if(data.length > 0) {
|
|
records.push(tls.createRecord(c, {
|
|
type: record.type,
|
|
data: forge.util.createBuffer(data)
|
|
}));
|
|
}
|
|
}
|
|
|
|
// compress and encrypt all fragmented records
|
|
for(var i = 0; i < records.length && !c.fail; ++i) {
|
|
// update the record using current write state
|
|
var rec = records[i];
|
|
var s = c.state.current.write;
|
|
if(s.update(c, rec)) {
|
|
// store record
|
|
c.records.push(rec);
|
|
}
|
|
}
|
|
};
|
|
|
|
/**
|
|
* Flushes all queued records to the output buffer and calls the
|
|
* tlsDataReady() handler on the given connection.
|
|
*
|
|
* @param c the connection.
|
|
*
|
|
* @return true on success, false on failure.
|
|
*/
|
|
tls.flush = function(c) {
|
|
for(var i = 0; i < c.records.length; ++i) {
|
|
var record = c.records[i];
|
|
|
|
// add record header and fragment
|
|
c.tlsData.putByte(record.type);
|
|
c.tlsData.putByte(record.version.major);
|
|
c.tlsData.putByte(record.version.minor);
|
|
c.tlsData.putInt16(record.fragment.length());
|
|
c.tlsData.putBuffer(c.records[i].fragment);
|
|
}
|
|
c.records = [];
|
|
return c.tlsDataReady(c);
|
|
};
|
|
|
|
/**
|
|
* Maps a pki.certificateError to a tls.Alert.Description.
|
|
*
|
|
* @param error the error to map.
|
|
*
|
|
* @return the alert description.
|
|
*/
|
|
var _certErrorToAlertDesc = function(error) {
|
|
switch(error) {
|
|
case true:
|
|
return true;
|
|
case forge.pki.certificateError.bad_certificate:
|
|
return tls.Alert.Description.bad_certificate;
|
|
case forge.pki.certificateError.unsupported_certificate:
|
|
return tls.Alert.Description.unsupported_certificate;
|
|
case forge.pki.certificateError.certificate_revoked:
|
|
return tls.Alert.Description.certificate_revoked;
|
|
case forge.pki.certificateError.certificate_expired:
|
|
return tls.Alert.Description.certificate_expired;
|
|
case forge.pki.certificateError.certificate_unknown:
|
|
return tls.Alert.Description.certificate_unknown;
|
|
case forge.pki.certificateError.unknown_ca:
|
|
return tls.Alert.Description.unknown_ca;
|
|
default:
|
|
return tls.Alert.Description.bad_certificate;
|
|
}
|
|
};
|
|
|
|
/**
|
|
* Maps a tls.Alert.Description to a pki.certificateError.
|
|
*
|
|
* @param desc the alert description.
|
|
*
|
|
* @return the certificate error.
|
|
*/
|
|
var _alertDescToCertError = function(desc) {
|
|
switch(desc) {
|
|
case true:
|
|
return true;
|
|
case tls.Alert.Description.bad_certificate:
|
|
return forge.pki.certificateError.bad_certificate;
|
|
case tls.Alert.Description.unsupported_certificate:
|
|
return forge.pki.certificateError.unsupported_certificate;
|
|
case tls.Alert.Description.certificate_revoked:
|
|
return forge.pki.certificateError.certificate_revoked;
|
|
case tls.Alert.Description.certificate_expired:
|
|
return forge.pki.certificateError.certificate_expired;
|
|
case tls.Alert.Description.certificate_unknown:
|
|
return forge.pki.certificateError.certificate_unknown;
|
|
case tls.Alert.Description.unknown_ca:
|
|
return forge.pki.certificateError.unknown_ca;
|
|
default:
|
|
return forge.pki.certificateError.bad_certificate;
|
|
}
|
|
};
|
|
|
|
/**
|
|
* Verifies a certificate chain against the given connection's
|
|
* Certificate Authority store.
|
|
*
|
|
* @param c the TLS connection.
|
|
* @param chain the certificate chain to verify, with the root or highest
|
|
* authority at the end.
|
|
*
|
|
* @return true if successful, false if not.
|
|
*/
|
|
tls.verifyCertificateChain = function(c, chain) {
|
|
try {
|
|
// Make a copy of c.verifyOptions so that we can modify options.verify
|
|
// without modifying c.verifyOptions.
|
|
var options = {};
|
|
for (var key in c.verifyOptions) {
|
|
options[key] = c.verifyOptions[key];
|
|
}
|
|
|
|
options.verify = function(vfd, depth, chain) {
|
|
// convert pki.certificateError to tls alert description
|
|
var desc = _certErrorToAlertDesc(vfd);
|
|
|
|
// call application callback
|
|
var ret = c.verify(c, vfd, depth, chain);
|
|
if(ret !== true) {
|
|
if(typeof ret === 'object' && !forge.util.isArray(ret)) {
|
|
// throw custom error
|
|
var error = new Error('The application rejected the certificate.');
|
|
error.send = true;
|
|
error.alert = {
|
|
level: tls.Alert.Level.fatal,
|
|
description: tls.Alert.Description.bad_certificate
|
|
};
|
|
if(ret.message) {
|
|
error.message = ret.message;
|
|
}
|
|
if(ret.alert) {
|
|
error.alert.description = ret.alert;
|
|
}
|
|
throw error;
|
|
}
|
|
|
|
// convert tls alert description to pki.certificateError
|
|
if(ret !== vfd) {
|
|
ret = _alertDescToCertError(ret);
|
|
}
|
|
}
|
|
|
|
return ret;
|
|
};
|
|
|
|
// verify chain
|
|
forge.pki.verifyCertificateChain(c.caStore, chain, options);
|
|
} catch(ex) {
|
|
// build tls error if not already customized
|
|
var err = ex;
|
|
if(typeof err !== 'object' || forge.util.isArray(err)) {
|
|
err = {
|
|
send: true,
|
|
alert: {
|
|
level: tls.Alert.Level.fatal,
|
|
description: _certErrorToAlertDesc(ex)
|
|
}
|
|
};
|
|
}
|
|
if(!('send' in err)) {
|
|
err.send = true;
|
|
}
|
|
if(!('alert' in err)) {
|
|
err.alert = {
|
|
level: tls.Alert.Level.fatal,
|
|
description: _certErrorToAlertDesc(err.error)
|
|
};
|
|
}
|
|
|
|
// send error
|
|
c.error(c, err);
|
|
}
|
|
|
|
return !c.fail;
|
|
};
|
|
|
|
/**
|
|
* Creates a new TLS session cache.
|
|
*
|
|
* @param cache optional map of session ID to cached session.
|
|
* @param capacity the maximum size for the cache (default: 100).
|
|
*
|
|
* @return the new TLS session cache.
|
|
*/
|
|
tls.createSessionCache = function(cache, capacity) {
|
|
var rval = null;
|
|
|
|
// assume input is already a session cache object
|
|
if(cache && cache.getSession && cache.setSession && cache.order) {
|
|
rval = cache;
|
|
} else {
|
|
// create cache
|
|
rval = {};
|
|
rval.cache = cache || {};
|
|
rval.capacity = Math.max(capacity || 100, 1);
|
|
rval.order = [];
|
|
|
|
// store order for sessions, delete session overflow
|
|
for(var key in cache) {
|
|
if(rval.order.length <= capacity) {
|
|
rval.order.push(key);
|
|
} else {
|
|
delete cache[key];
|
|
}
|
|
}
|
|
|
|
// get a session from a session ID (or get any session)
|
|
rval.getSession = function(sessionId) {
|
|
var session = null;
|
|
var key = null;
|
|
|
|
// if session ID provided, use it
|
|
if(sessionId) {
|
|
key = forge.util.bytesToHex(sessionId);
|
|
} else if(rval.order.length > 0) {
|
|
// get first session from cache
|
|
key = rval.order[0];
|
|
}
|
|
|
|
if(key !== null && key in rval.cache) {
|
|
// get cached session and remove from cache
|
|
session = rval.cache[key];
|
|
delete rval.cache[key];
|
|
for(var i in rval.order) {
|
|
if(rval.order[i] === key) {
|
|
rval.order.splice(i, 1);
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
|
|
return session;
|
|
};
|
|
|
|
// set a session in the cache
|
|
rval.setSession = function(sessionId, session) {
|
|
// remove session from cache if at capacity
|
|
if(rval.order.length === rval.capacity) {
|
|
var key = rval.order.shift();
|
|
delete rval.cache[key];
|
|
}
|
|
// add session to cache
|
|
var key = forge.util.bytesToHex(sessionId);
|
|
rval.order.push(key);
|
|
rval.cache[key] = session;
|
|
};
|
|
}
|
|
|
|
return rval;
|
|
};
|
|
|
|
/**
|
|
* Creates a new TLS connection.
|
|
*
|
|
* See public createConnection() docs for more details.
|
|
*
|
|
* @param options the options for this connection.
|
|
*
|
|
* @return the new TLS connection.
|
|
*/
|
|
tls.createConnection = function(options) {
|
|
var caStore = null;
|
|
if(options.caStore) {
|
|
// if CA store is an array, convert it to a CA store object
|
|
if(forge.util.isArray(options.caStore)) {
|
|
caStore = forge.pki.createCaStore(options.caStore);
|
|
} else {
|
|
caStore = options.caStore;
|
|
}
|
|
} else {
|
|
// create empty CA store
|
|
caStore = forge.pki.createCaStore();
|
|
}
|
|
|
|
// setup default cipher suites
|
|
var cipherSuites = options.cipherSuites || null;
|
|
if(cipherSuites === null) {
|
|
cipherSuites = [];
|
|
for(var key in tls.CipherSuites) {
|
|
cipherSuites.push(tls.CipherSuites[key]);
|
|
}
|
|
}
|
|
|
|
// set default entity
|
|
var entity = (options.server || false) ?
|
|
tls.ConnectionEnd.server : tls.ConnectionEnd.client;
|
|
|
|
// create session cache if requested
|
|
var sessionCache = options.sessionCache ?
|
|
tls.createSessionCache(options.sessionCache) : null;
|
|
|
|
// create TLS connection
|
|
var c = {
|
|
version: {major: tls.Version.major, minor: tls.Version.minor},
|
|
entity: entity,
|
|
sessionId: options.sessionId,
|
|
caStore: caStore,
|
|
sessionCache: sessionCache,
|
|
cipherSuites: cipherSuites,
|
|
connected: options.connected,
|
|
virtualHost: options.virtualHost || null,
|
|
verifyClient: options.verifyClient || false,
|
|
verify: options.verify || function(cn, vfd, dpth, cts) {return vfd;},
|
|
verifyOptions: options.verifyOptions || {},
|
|
getCertificate: options.getCertificate || null,
|
|
getPrivateKey: options.getPrivateKey || null,
|
|
getSignature: options.getSignature || null,
|
|
input: forge.util.createBuffer(),
|
|
tlsData: forge.util.createBuffer(),
|
|
data: forge.util.createBuffer(),
|
|
tlsDataReady: options.tlsDataReady,
|
|
dataReady: options.dataReady,
|
|
heartbeatReceived: options.heartbeatReceived,
|
|
closed: options.closed,
|
|
error: function(c, ex) {
|
|
// set origin if not set
|
|
ex.origin = ex.origin ||
|
|
((c.entity === tls.ConnectionEnd.client) ? 'client' : 'server');
|
|
|
|
// send TLS alert
|
|
if(ex.send) {
|
|
tls.queue(c, tls.createAlert(c, ex.alert));
|
|
tls.flush(c);
|
|
}
|
|
|
|
// error is fatal by default
|
|
var fatal = (ex.fatal !== false);
|
|
if(fatal) {
|
|
// set fail flag
|
|
c.fail = true;
|
|
}
|
|
|
|
// call error handler first
|
|
options.error(c, ex);
|
|
|
|
if(fatal) {
|
|
// fatal error, close connection, do not clear fail
|
|
c.close(false);
|
|
}
|
|
},
|
|
deflate: options.deflate || null,
|
|
inflate: options.inflate || null
|
|
};
|
|
|
|
/**
|
|
* Resets a closed TLS connection for reuse. Called in c.close().
|
|
*
|
|
* @param clearFail true to clear the fail flag (default: true).
|
|
*/
|
|
c.reset = function(clearFail) {
|
|
c.version = {major: tls.Version.major, minor: tls.Version.minor};
|
|
c.record = null;
|
|
c.session = null;
|
|
c.peerCertificate = null;
|
|
c.state = {
|
|
pending: null,
|
|
current: null
|
|
};
|
|
c.expect = (c.entity === tls.ConnectionEnd.client) ? SHE : CHE;
|
|
c.fragmented = null;
|
|
c.records = [];
|
|
c.open = false;
|
|
c.handshakes = 0;
|
|
c.handshaking = false;
|
|
c.isConnected = false;
|
|
c.fail = !(clearFail || typeof(clearFail) === 'undefined');
|
|
c.input.clear();
|
|
c.tlsData.clear();
|
|
c.data.clear();
|
|
c.state.current = tls.createConnectionState(c);
|
|
};
|
|
|
|
// do initial reset of connection
|
|
c.reset();
|
|
|
|
/**
|
|
* Updates the current TLS engine state based on the given record.
|
|
*
|
|
* @param c the TLS connection.
|
|
* @param record the TLS record to act on.
|
|
*/
|
|
var _update = function(c, record) {
|
|
// get record handler (align type in table by subtracting lowest)
|
|
var aligned = record.type - tls.ContentType.change_cipher_spec;
|
|
var handlers = ctTable[c.entity][c.expect];
|
|
if(aligned in handlers) {
|
|
handlers[aligned](c, record);
|
|
} else {
|
|
// unexpected record
|
|
tls.handleUnexpected(c, record);
|
|
}
|
|
};
|
|
|
|
/**
|
|
* Reads the record header and initializes the next record on the given
|
|
* connection.
|
|
*
|
|
* @param c the TLS connection with the next record.
|
|
*
|
|
* @return 0 if the input data could be processed, otherwise the
|
|
* number of bytes required for data to be processed.
|
|
*/
|
|
var _readRecordHeader = function(c) {
|
|
var rval = 0;
|
|
|
|
// get input buffer and its length
|
|
var b = c.input;
|
|
var len = b.length();
|
|
|
|
// need at least 5 bytes to initialize a record
|
|
if(len < 5) {
|
|
rval = 5 - len;
|
|
} else {
|
|
// enough bytes for header
|
|
// initialize record
|
|
c.record = {
|
|
type: b.getByte(),
|
|
version: {
|
|
major: b.getByte(),
|
|
minor: b.getByte()
|
|
},
|
|
length: b.getInt16(),
|
|
fragment: forge.util.createBuffer(),
|
|
ready: false
|
|
};
|
|
|
|
// check record version
|
|
var compatibleVersion = (c.record.version.major === c.version.major);
|
|
if(compatibleVersion && c.session && c.session.version) {
|
|
// session version already set, require same minor version
|
|
compatibleVersion = (c.record.version.minor === c.version.minor);
|
|
}
|
|
if(!compatibleVersion) {
|
|
c.error(c, {
|
|
message: 'Incompatible TLS version.',
|
|
send: true,
|
|
alert: {
|
|
level: tls.Alert.Level.fatal,
|
|
description: tls.Alert.Description.protocol_version
|
|
}
|
|
});
|
|
}
|
|
}
|
|
|
|
return rval;
|
|
};
|
|
|
|
/**
|
|
* Reads the next record's contents and appends its message to any
|
|
* previously fragmented message.
|
|
*
|
|
* @param c the TLS connection with the next record.
|
|
*
|
|
* @return 0 if the input data could be processed, otherwise the
|
|
* number of bytes required for data to be processed.
|
|
*/
|
|
var _readRecord = function(c) {
|
|
var rval = 0;
|
|
|
|
// ensure there is enough input data to get the entire record
|
|
var b = c.input;
|
|
var len = b.length();
|
|
if(len < c.record.length) {
|
|
// not enough data yet, return how much is required
|
|
rval = c.record.length - len;
|
|
} else {
|
|
// there is enough data to parse the pending record
|
|
// fill record fragment and compact input buffer
|
|
c.record.fragment.putBytes(b.getBytes(c.record.length));
|
|
b.compact();
|
|
|
|
// update record using current read state
|
|
var s = c.state.current.read;
|
|
if(s.update(c, c.record)) {
|
|
// see if there is a previously fragmented message that the
|
|
// new record's message fragment should be appended to
|
|
if(c.fragmented !== null) {
|
|
// if the record type matches a previously fragmented
|
|
// record, append the record fragment to it
|
|
if(c.fragmented.type === c.record.type) {
|
|
// concatenate record fragments
|
|
c.fragmented.fragment.putBuffer(c.record.fragment);
|
|
c.record = c.fragmented;
|
|
} else {
|
|
// error, invalid fragmented record
|
|
c.error(c, {
|
|
message: 'Invalid fragmented record.',
|
|
send: true,
|
|
alert: {
|
|
level: tls.Alert.Level.fatal,
|
|
description:
|
|
tls.Alert.Description.unexpected_message
|
|
}
|
|
});
|
|
}
|
|
}
|
|
|
|
// record is now ready
|
|
c.record.ready = true;
|
|
}
|
|
}
|
|
|
|
return rval;
|
|
};
|
|
|
|
/**
|
|
* Performs a handshake using the TLS Handshake Protocol, as a client.
|
|
*
|
|
* This method should only be called if the connection is in client mode.
|
|
*
|
|
* @param sessionId the session ID to use, null to start a new one.
|
|
*/
|
|
c.handshake = function(sessionId) {
|
|
// error to call this in non-client mode
|
|
if(c.entity !== tls.ConnectionEnd.client) {
|
|
// not fatal error
|
|
c.error(c, {
|
|
message: 'Cannot initiate handshake as a server.',
|
|
fatal: false
|
|
});
|
|
} else if(c.handshaking) {
|
|
// handshake is already in progress, fail but not fatal error
|
|
c.error(c, {
|
|
message: 'Handshake already in progress.',
|
|
fatal: false
|
|
});
|
|
} else {
|
|
// clear fail flag on reuse
|
|
if(c.fail && !c.open && c.handshakes === 0) {
|
|
c.fail = false;
|
|
}
|
|
|
|
// now handshaking
|
|
c.handshaking = true;
|
|
|
|
// default to blank (new session)
|
|
sessionId = sessionId || '';
|
|
|
|
// if a session ID was specified, try to find it in the cache
|
|
var session = null;
|
|
if(sessionId.length > 0) {
|
|
if(c.sessionCache) {
|
|
session = c.sessionCache.getSession(sessionId);
|
|
}
|
|
|
|
// matching session not found in cache, clear session ID
|
|
if(session === null) {
|
|
sessionId = '';
|
|
}
|
|
}
|
|
|
|
// no session given, grab a session from the cache, if available
|
|
if(sessionId.length === 0 && c.sessionCache) {
|
|
session = c.sessionCache.getSession();
|
|
if(session !== null) {
|
|
sessionId = session.id;
|
|
}
|
|
}
|
|
|
|
// set up session
|
|
c.session = {
|
|
id: sessionId,
|
|
version: null,
|
|
cipherSuite: null,
|
|
compressionMethod: null,
|
|
serverCertificate: null,
|
|
certificateRequest: null,
|
|
clientCertificate: null,
|
|
sp: {},
|
|
md5: forge.md.md5.create(),
|
|
sha1: forge.md.sha1.create()
|
|
};
|
|
|
|
// use existing session information
|
|
if(session) {
|
|
// only update version on connection, session version not yet set
|
|
c.version = session.version;
|
|
c.session.sp = session.sp;
|
|
}
|
|
|
|
// generate new client random
|
|
c.session.sp.client_random = tls.createRandom().getBytes();
|
|
|
|
// connection now open
|
|
c.open = true;
|
|
|
|
// send hello
|
|
tls.queue(c, tls.createRecord(c, {
|
|
type: tls.ContentType.handshake,
|
|
data: tls.createClientHello(c)
|
|
}));
|
|
tls.flush(c);
|
|
}
|
|
};
|
|
|
|
/**
|
|
* Called when TLS protocol data has been received from somewhere and should
|
|
* be processed by the TLS engine.
|
|
*
|
|
* @param data the TLS protocol data, as a string, to process.
|
|
*
|
|
* @return 0 if the data could be processed, otherwise the number of bytes
|
|
* required for data to be processed.
|
|
*/
|
|
c.process = function(data) {
|
|
var rval = 0;
|
|
|
|
// buffer input data
|
|
if(data) {
|
|
c.input.putBytes(data);
|
|
}
|
|
|
|
// process next record if no failure, process will be called after
|
|
// each record is handled (since handling can be asynchronous)
|
|
if(!c.fail) {
|
|
// reset record if ready and now empty
|
|
if(c.record !== null &&
|
|
c.record.ready && c.record.fragment.isEmpty()) {
|
|
c.record = null;
|
|
}
|
|
|
|
// if there is no pending record, try to read record header
|
|
if(c.record === null) {
|
|
rval = _readRecordHeader(c);
|
|
}
|
|
|
|
// read the next record (if record not yet ready)
|
|
if(!c.fail && c.record !== null && !c.record.ready) {
|
|
rval = _readRecord(c);
|
|
}
|
|
|
|
// record ready to be handled, update engine state
|
|
if(!c.fail && c.record !== null && c.record.ready) {
|
|
_update(c, c.record);
|
|
}
|
|
}
|
|
|
|
return rval;
|
|
};
|
|
|
|
/**
|
|
* Requests that application data be packaged into a TLS record. The
|
|
* tlsDataReady handler will be called when the TLS record(s) have been
|
|
* prepared.
|
|
*
|
|
* @param data the application data, as a raw 'binary' encoded string, to
|
|
* be sent; to send utf-16/utf-8 string data, use the return value
|
|
* of util.encodeUtf8(str).
|
|
*
|
|
* @return true on success, false on failure.
|
|
*/
|
|
c.prepare = function(data) {
|
|
tls.queue(c, tls.createRecord(c, {
|
|
type: tls.ContentType.application_data,
|
|
data: forge.util.createBuffer(data)
|
|
}));
|
|
return tls.flush(c);
|
|
};
|
|
|
|
/**
|
|
* Requests that a heartbeat request be packaged into a TLS record for
|
|
* transmission. The tlsDataReady handler will be called when TLS record(s)
|
|
* have been prepared.
|
|
*
|
|
* When a heartbeat response has been received, the heartbeatReceived
|
|
* handler will be called with the matching payload. This handler can
|
|
* be used to clear a retransmission timer, etc.
|
|
*
|
|
* @param payload the heartbeat data to send as the payload in the message.
|
|
* @param [payloadLength] the payload length to use, defaults to the
|
|
* actual payload length.
|
|
*
|
|
* @return true on success, false on failure.
|
|
*/
|
|
c.prepareHeartbeatRequest = function(payload, payloadLength) {
|
|
if(payload instanceof forge.util.ByteBuffer) {
|
|
payload = payload.bytes();
|
|
}
|
|
if(typeof payloadLength === 'undefined') {
|
|
payloadLength = payload.length;
|
|
}
|
|
c.expectedHeartbeatPayload = payload;
|
|
tls.queue(c, tls.createRecord(c, {
|
|
type: tls.ContentType.heartbeat,
|
|
data: tls.createHeartbeat(
|
|
tls.HeartbeatMessageType.heartbeat_request, payload, payloadLength)
|
|
}));
|
|
return tls.flush(c);
|
|
};
|
|
|
|
/**
|
|
* Closes the connection (sends a close_notify alert).
|
|
*
|
|
* @param clearFail true to clear the fail flag (default: true).
|
|
*/
|
|
c.close = function(clearFail) {
|
|
// save session if connection didn't fail
|
|
if(!c.fail && c.sessionCache && c.session) {
|
|
// only need to preserve session ID, version, and security params
|
|
var session = {
|
|
id: c.session.id,
|
|
version: c.session.version,
|
|
sp: c.session.sp
|
|
};
|
|
session.sp.keys = null;
|
|
c.sessionCache.setSession(session.id, session);
|
|
}
|
|
|
|
if(c.open) {
|
|
// connection no longer open, clear input
|
|
c.open = false;
|
|
c.input.clear();
|
|
|
|
// if connected or handshaking, send an alert
|
|
if(c.isConnected || c.handshaking) {
|
|
c.isConnected = c.handshaking = false;
|
|
|
|
// send close_notify alert
|
|
tls.queue(c, tls.createAlert(c, {
|
|
level: tls.Alert.Level.warning,
|
|
description: tls.Alert.Description.close_notify
|
|
}));
|
|
tls.flush(c);
|
|
}
|
|
|
|
// call handler
|
|
c.closed(c);
|
|
}
|
|
|
|
// reset TLS connection, do not clear fail flag
|
|
c.reset(clearFail);
|
|
};
|
|
|
|
return c;
|
|
};
|
|
|
|
/* TLS API */
|
|
module.exports = forge.tls = forge.tls || {};
|
|
|
|
// expose non-functions
|
|
for(var key in tls) {
|
|
if(typeof tls[key] !== 'function') {
|
|
forge.tls[key] = tls[key];
|
|
}
|
|
}
|
|
|
|
// expose prf_tls1 for testing
|
|
forge.tls.prf_tls1 = prf_TLS1;
|
|
|
|
// expose sha1 hmac method
|
|
forge.tls.hmac_sha1 = hmac_sha1;
|
|
|
|
// expose session cache creation
|
|
forge.tls.createSessionCache = tls.createSessionCache;
|
|
|
|
/**
|
|
* Creates a new TLS connection. This does not make any assumptions about the
|
|
* transport layer that TLS is working on top of, ie: it does not assume there
|
|
* is a TCP/IP connection or establish one. A TLS connection is totally
|
|
* abstracted away from the layer is runs on top of, it merely establishes a
|
|
* secure channel between a client" and a "server".
|
|
*
|
|
* A TLS connection contains 4 connection states: pending read and write, and
|
|
* current read and write.
|
|
*
|
|
* At initialization, the current read and write states will be null. Only once
|
|
* the security parameters have been set and the keys have been generated can
|
|
* the pending states be converted into current states. Current states will be
|
|
* updated for each record processed.
|
|
*
|
|
* A custom certificate verify callback may be provided to check information
|
|
* like the common name on the server's certificate. It will be called for
|
|
* every certificate in the chain. It has the following signature:
|
|
*
|
|
* variable func(c, certs, index, preVerify)
|
|
* Where:
|
|
* c The TLS connection
|
|
* verified Set to true if certificate was verified, otherwise the alert
|
|
* tls.Alert.Description for why the certificate failed.
|
|
* depth The current index in the chain, where 0 is the server's cert.
|
|
* certs The certificate chain, *NOTE* if the server was anonymous then
|
|
* the chain will be empty.
|
|
*
|
|
* The function returns true on success and on failure either the appropriate
|
|
* tls.Alert.Description or an object with 'alert' set to the appropriate
|
|
* tls.Alert.Description and 'message' set to a custom error message. If true
|
|
* is not returned then the connection will abort using, in order of
|
|
* availability, first the returned alert description, second the preVerify
|
|
* alert description, and lastly the default 'bad_certificate'.
|
|
*
|
|
* There are three callbacks that can be used to make use of client-side
|
|
* certificates where each takes the TLS connection as the first parameter:
|
|
*
|
|
* getCertificate(conn, hint)
|
|
* The second parameter is a hint as to which certificate should be
|
|
* returned. If the connection entity is a client, then the hint will be
|
|
* the CertificateRequest message from the server that is part of the
|
|
* TLS protocol. If the connection entity is a server, then it will be
|
|
* the servername list provided via an SNI extension the ClientHello, if
|
|
* one was provided (empty array if not). The hint can be examined to
|
|
* determine which certificate to use (advanced). Most implementations
|
|
* will just return a certificate. The return value must be a
|
|
* PEM-formatted certificate or an array of PEM-formatted certificates
|
|
* that constitute a certificate chain, with the first in the array/chain
|
|
* being the client's certificate.
|
|
* getPrivateKey(conn, certificate)
|
|
* The second parameter is an forge.pki X.509 certificate object that
|
|
* is associated with the requested private key. The return value must
|
|
* be a PEM-formatted private key.
|
|
* getSignature(conn, bytes, callback)
|
|
* This callback can be used instead of getPrivateKey if the private key
|
|
* is not directly accessible in javascript or should not be. For
|
|
* instance, a secure external web service could provide the signature
|
|
* in exchange for appropriate credentials. The second parameter is a
|
|
* string of bytes to be signed that are part of the TLS protocol. These
|
|
* bytes are used to verify that the private key for the previously
|
|
* provided client-side certificate is accessible to the client. The
|
|
* callback is a function that takes 2 parameters, the TLS connection
|
|
* and the RSA encrypted (signed) bytes as a string. This callback must
|
|
* be called once the signature is ready.
|
|
*
|
|
* @param options the options for this connection:
|
|
* server: true if the connection is server-side, false for client.
|
|
* sessionId: a session ID to reuse, null for a new connection.
|
|
* caStore: an array of certificates to trust.
|
|
* sessionCache: a session cache to use.
|
|
* cipherSuites: an optional array of cipher suites to use,
|
|
* see tls.CipherSuites.
|
|
* connected: function(conn) called when the first handshake completes.
|
|
* virtualHost: the virtual server name to use in a TLS SNI extension.
|
|
* verifyClient: true to require a client certificate in server mode,
|
|
* 'optional' to request one, false not to (default: false).
|
|
* verify: a handler used to custom verify certificates in the chain.
|
|
* verifyOptions: an object with options for the certificate chain validation.
|
|
* See documentation of pki.verifyCertificateChain for possible options.
|
|
* verifyOptions.verify is ignored. If you wish to specify a verify handler
|
|
* use the verify key.
|
|
* getCertificate: an optional callback used to get a certificate or
|
|
* a chain of certificates (as an array).
|
|
* getPrivateKey: an optional callback used to get a private key.
|
|
* getSignature: an optional callback used to get a signature.
|
|
* tlsDataReady: function(conn) called when TLS protocol data has been
|
|
* prepared and is ready to be used (typically sent over a socket
|
|
* connection to its destination), read from conn.tlsData buffer.
|
|
* dataReady: function(conn) called when application data has
|
|
* been parsed from a TLS record and should be consumed by the
|
|
* application, read from conn.data buffer.
|
|
* closed: function(conn) called when the connection has been closed.
|
|
* error: function(conn, error) called when there was an error.
|
|
* deflate: function(inBytes) if provided, will deflate TLS records using
|
|
* the deflate algorithm if the server supports it.
|
|
* inflate: function(inBytes) if provided, will inflate TLS records using
|
|
* the deflate algorithm if the server supports it.
|
|
*
|
|
* @return the new TLS connection.
|
|
*/
|
|
forge.tls.createConnection = tls.createConnection;
|