when converting mpint to bytes, always pad it to the size of
the modulus (RSA,DHE,ECDHE). mptobytes() now takes a byte len
parameter which the caller usually calculates from the group
modulus using mpsignif(). this bug sometimes caused "bad record mac"
after the handshake.
use a shared buffer, given that msgSend()/msgRecv() don't overlap
we can use the first half for sending, and the top half for
receiving, shifting down as neccesary. the space beween sendp and
recvp is free.
explicitely check for overflow in msgSend().
reverting asn1mpint() as all users really just expect
unsigned integers here. also openssl seems to interpret
rsa modulus as unsigned no matter what... so keeping
it as it was before.
handle nil cipher bytes in factotum_rsa_decrypt() due
to pkcs1padbuf() failing.
apply some lessions from intels berzerk paper:
instead of parsing the decrypted digest info blob, we
generate the *expected* blob's for all digest algorithms
that match the digest size and compare the results.
provide pkcs1 pad and unpad functions that consistently
enforce minimum padding size and handles block types 1
and 2.
silly clients (web*) reconnect when the handshake failed with a lower
protocol version, which allows downgrade attacks (POODLE). but instead
of stopping this madness, they invented a new magic TLSID to indicate
to the server that this connection attempt is a retry, and rely on the
server to notice and stop them from sabotaging themselfs.
implement ECDHE key exchange with secp256r1 on the server side, providing
perfect forward secrecy (tho slowly).
it is easier to just keep the ECDH/DH state in the TlsSec structure,
which fits better with the grouping of the functions. we do the cleanup
in tlsConnectionFree() now, so a lot of error handling logic could go
away.
reinvestigated some error paths and removed the ones that cannot error.
move functions to fit the logical grouping.
combine the code for signing handshake hashes (for client certs) and
DH parameters. provide digestDHparams() function to be shared between
server and client code.
don't pass or generate sessionID's. this was never used nor
actually implemented and leaks the process pid.
get rid of version and random field duplications, move TlsSec
structure into TlsConnection.
make msgRecv() clear the message first, get rid of unneccesary
msgClear() calls.
instead of letting factotum_rsa_open() parse the certificate,
we pass in the rsa public key which is then matched against the
factotum keyring. this avoids parsing the x509 certificate
twice.
the sec->rsapub was not freed, so free it in tlsSecClose()
for version <= TLS1.1, there is no sigalg field in the ServerKeyExchange
message and the signature digest algorithm is fixed to md5+sha1 and we
only support RSA signatures (TLS1.1 doesnt know about ECDSA).
we used to negotiate tls1.1 for client cert authentication because the
signature generation was not implemented for tls1.2. this is now fixed
and tls1.2 can be negotiated with client certs.
actually verify the diffie hellman parameter signature, this
comes in two flavours. TLS1.2 uses X509 signature with a
single hash specified by the signature algorithm field in
the signature itself and pre TLS1.2 where md5+sha1 hashes
of the signed blob are pkcs1 padded and encrypted with the
rsa private key.
stop advertizing non-rsa cipher suits (DSS and ECDSA), as
we have not implmenented them.
fix some memory leaks in X509 code while we'r at it.
TLS1.2 requires the client to send the list of supported
signature and hash algorithm pairs. some servers will simply
reject the client hello otherwise. note that we do not implement
any dh/ecdh param signature verification.
order the cipher list to strogest first. aes128 is actually more
secure than aes256.
