[apple/security.git] / libsecurity_ssl / lib / SSLRecordInternal.c

//
//  SSLRecordInternal.c
//  Security
//
//  Created by Fabrice Gautier on 10/25/11.
//  Copyright (c) 2011 Apple, Inc. All rights reserved.
//

/* THIS FILE CONTAINS KERNEL CODE */

#include "sslBuildFlags.h"
#include "SSLRecordInternal.h"
#include "sslDebug.h"
#include "cipherSpecs.h"
#include "symCipher.h"
#include "sslUtils.h"
#include "tls_record.h"

#include <AssertMacros.h>
#include <string.h>

#include <inttypes.h>

#define DEFAULT_BUFFER_SIZE 4096


/*
 * Redirect SSLBuffer-based I/O call to user-supplied I/O.
 */
static
int sslIoRead(SSLBuffer                        buf,
              size_t                           *actualLength,
              struct SSLRecordInternalContext  *ctx)
{
	size_t  dataLength = buf.length;
	int     ortn;

	*actualLength = 0;
	ortn = (ctx->read)(ctx->ioRef,
                       buf.data,
                       &dataLength);
	*actualLength = dataLength;
	return ortn;
}

static
int sslIoWrite(SSLBuffer                       buf,
               size_t                          *actualLength,
               struct SSLRecordInternalContext *ctx)
{
	size_t  dataLength = buf.length;
	int     ortn;

	*actualLength = 0;
	ortn = (ctx->write)(ctx->ioRef,
                        buf.data,
                        &dataLength);
	*actualLength = dataLength;
	return ortn;
}


static int
SSLDisposeCipherSuite(CipherContext *cipher, struct SSLRecordInternalContext *ctx)
{   int      err;

	/* symmetric encryption context */
	if(cipher->symCipher) {
		if ((err = cipher->symCipher->finish(cipher->cipherCtx)) != 0) {
			return err;
		}
	}

	/* per-record hash/hmac context */
	ctx->sslTslCalls->freeMac(cipher);

    return 0;
}


/* common for sslv3 and tlsv1, except for the computeMac callout */
int SSLVerifyMac(uint8_t type,
                 SSLBuffer *data,
                 uint8_t *compareMAC,
                 struct SSLRecordInternalContext *ctx)
{
	int        err;
    uint8_t           macData[SSL_MAX_DIGEST_LEN];
    SSLBuffer       secret, mac;

    secret.data = ctx->readCipher.macSecret;
    secret.length = ctx->readCipher.macRef->hash->digestSize;
    mac.data = macData;
    mac.length = ctx->readCipher.macRef->hash->digestSize;

	check(ctx->sslTslCalls != NULL);
    if ((err = ctx->sslTslCalls->computeMac(type,
                                            *data,
                                            mac,
                                            &ctx->readCipher,
                                            ctx->readCipher.sequenceNum,
                                            ctx)) != 0)
        return err;

    if ((memcmp(mac.data, compareMAC, mac.length)) != 0) {
		sslErrorLog("SSLVerifyMac: Mac verify failure\n");
        return errSSLRecordProtocol;
    }
    return 0;
}

#include "cipherSpecs.h"
#include "symCipher.h"

static const HashHmacReference *sslCipherSuiteGetHashHmacReference(uint16_t selectedCipher)
{
    HMAC_Algs alg = sslCipherSuiteGetMacAlgorithm(selectedCipher);

    switch (alg) {
        case HA_Null:
            return &HashHmacNull;
        case HA_MD5:
            return &HashHmacMD5;
        case HA_SHA1:
            return &HashHmacSHA1;
        case HA_SHA256:
            return &HashHmacSHA256;
        case HA_SHA384:
            return &HashHmacSHA384;
        default:
            sslErrorLog("Invalid hashAlgorithm %d", alg);
            check(0);
            return &HashHmacNull;
    }
}

static const SSLSymmetricCipher *sslCipherSuiteGetSymmetricCipher(uint16_t selectedCipher)
{

    SSL_CipherAlgorithm alg = sslCipherSuiteGetSymmetricCipherAlgorithm(selectedCipher);
    switch(alg) {
        case SSL_CipherAlgorithmNull:
            return &SSLCipherNull;
#if ENABLE_RC2
        case SSL_CipherAlgorithmRC2_128:
            return &SSLCipherRC2_128;
#endif
#if ENABLE_RC4
        case SSL_CipherAlgorithmRC4_128:
            return &SSLCipherRC4_128;
#endif
#if ENABLE_DES
        case SSL_CipherAlgorithmDES_CBC:
            return &SSLCipherDES_CBC;
#endif
        case SSL_CipherAlgorithm3DES_CBC:
            return &SSLCipher3DES_CBC;
        case SSL_CipherAlgorithmAES_128_CBC:
            return &SSLCipherAES_128_CBC;
        case SSL_CipherAlgorithmAES_256_CBC:
            return &SSLCipherAES_256_CBC;
#if ENABLE_AES_GCM
        case SSL_CipherAlgorithmAES_128_GCM:
            return &SSLCipherAES_128_GCM;
        case SSL_CipherAlgorithmAES_256_GCM:
            return &SSLCipherAES_256_GCM;
#endif
        default:
            check(0);
            return &SSLCipherNull;
    }
}

static void InitCipherSpec(struct SSLRecordInternalContext *ctx, uint16_t selectedCipher)
{
    SSLRecordCipherSpec *dst = &ctx->selectedCipherSpec;

    ctx->selectedCipher = selectedCipher;
    dst->cipher = sslCipherSuiteGetSymmetricCipher(selectedCipher);
    dst->macAlgorithm = sslCipherSuiteGetHashHmacReference(selectedCipher);
};

/* Entry points to Record Layer */

static int SSLRecordReadInternal(SSLRecordContextRef ref, SSLRecord *rec)
{   int        err;
    size_t          len, contentLen;
    uint8_t           *charPtr;
    SSLBuffer       readData, cipherFragment;
    size_t          head=5;
    int             skipit=0;
    struct SSLRecordInternalContext *ctx = ref;

    if(ctx->isDTLS)
        head+=8;

    if (!ctx->partialReadBuffer.data || ctx->partialReadBuffer.length < head)
    {   if (ctx->partialReadBuffer.data)
        if ((err = SSLFreeBuffer(&ctx->partialReadBuffer)) != 0)
        {
            return err;
        }
        if ((err = SSLAllocBuffer(&ctx->partialReadBuffer,
                                  DEFAULT_BUFFER_SIZE)) != 0)
        {
            return err;
        }
    }

    if (ctx->negProtocolVersion == SSL_Version_Undetermined) {
        if (ctx->amountRead < 1)
        {   readData.length = 1 - ctx->amountRead;
            readData.data = ctx->partialReadBuffer.data + ctx->amountRead;
            len = readData.length;
            err = sslIoRead(readData, &len, ctx);
            if(err != 0)
            {   if (err == errSSLRecordWouldBlock) {
                ctx->amountRead += len;
                return err;
            }
            else {
                /* abort */
                err = errSSLRecordClosedAbort;
#if 0 // TODO: revisit this in the transport layer
                if((ctx->protocolSide == kSSLClientSide) &&
                   (ctx->amountRead == 0) &&
                   (len == 0)) {
                    /*
                     * Detect "server refused to even try to negotiate"
                     * error, when the server drops the connection before
                     * sending a single byte.
                     */
                    switch(ctx->state) {
                        case SSL_HdskStateServerHello:
                            sslHdskStateDebug("Server dropped initial connection\n");
                            err = errSSLConnectionRefused;
                            break;
                        default:
                            break;
                    }
                }
#endif
                return err;
            }
            }
            ctx->amountRead += len;
        }
    }

    if (ctx->amountRead < head)
    {   readData.length = head - ctx->amountRead;
        readData.data = ctx->partialReadBuffer.data + ctx->amountRead;
        len = readData.length;
        err = sslIoRead(readData, &len, ctx);
        if(err != 0)
        {
			switch(err) {
				case errSSLRecordWouldBlock:
					ctx->amountRead += len;
					break;
#if	SSL_ALLOW_UNNOTICED_DISCONNECT
				case errSSLClosedGraceful:
					/* legal if we're on record boundary and we've gotten past
					 * the handshake */
					if((ctx->amountRead == 0) && 				/* nothing pending */
					   (len == 0) &&							/* nothing new */
					   (ctx->state == SSL_HdskStateClientReady)) {	/* handshake done */
					    /*
						 * This means that the server has disconnected without
						 * sending a closure alert notice. This is technically
						 * illegal per the SSL3 spec, but about half of the
						 * servers out there do it, so we report it as a separate
						 * error which most clients - including (currently)
						 * URLAccess - ignore by treating it the same as
						 * a errSSLClosedGraceful error. Paranoid
						 * clients can detect it and handle it however they
						 * want to.
						 */
						SSLChangeHdskState(ctx, SSL_HdskStateNoNotifyClose);
						err = errSSLClosedNoNotify;
						break;
					}
					else {
						/* illegal disconnect */
						err = errSSLClosedAbort;
						/* and drop thru to default: fatal alert */
					}
#endif	/* SSL_ALLOW_UNNOTICED_DISCONNECT */
				default:
					break;
            }
            return err;
        }
        ctx->amountRead += len;
    }

    check(ctx->amountRead >= head);

    charPtr = ctx->partialReadBuffer.data;
    rec->contentType = *charPtr++;
    if (rec->contentType < SSL_RecordTypeV3_Smallest ||
        rec->contentType > SSL_RecordTypeV3_Largest)
        return errSSLRecordProtocol;

    rec->protocolVersion = (SSLProtocolVersion)SSLDecodeInt(charPtr, 2);
    charPtr += 2;

    if(rec->protocolVersion == DTLS_Version_1_0)
    {
        sslUint64 seqNum;
        SSLDecodeUInt64(charPtr, 8, &seqNum);
        charPtr += 8;
        sslLogRecordIo("Read DTLS Record %016llx (seq is: %016llx)",
                       seqNum, ctx->readCipher.sequenceNum);

        /* if the epoch of the record is different of current read cipher, just drop it */
        if((seqNum>>48)!=(ctx->readCipher.sequenceNum>>48)) {
            skipit=1;
        } else {
            ctx->readCipher.sequenceNum=seqNum;
        }
    }

    contentLen = SSLDecodeInt(charPtr, 2);
    charPtr += 2;
    if (contentLen > (16384 + 2048))    /* Maximum legal length of an
										 * SSLCipherText payload */
    {
        return errSSLRecordRecordOverflow;
    }

    if (ctx->partialReadBuffer.length < head + contentLen)
    {   if ((err = SSLReallocBuffer(&ctx->partialReadBuffer, head + contentLen)) != 0)
    {
        return err;
    }
    }

    if (ctx->amountRead < head + contentLen)
    {   readData.length = head + contentLen - ctx->amountRead;
        readData.data = ctx->partialReadBuffer.data + ctx->amountRead;
        len = readData.length;
        err = sslIoRead(readData, &len, ctx);
        if(err != 0)
        {   if (err == errSSLRecordWouldBlock)
            ctx->amountRead += len;
            return err;
        }
        ctx->amountRead += len;
    }

    check(ctx->amountRead >= head + contentLen);

    cipherFragment.data = ctx->partialReadBuffer.data + head;
    cipherFragment.length = contentLen;

    ctx->amountRead = 0;        /* We've used all the data in the cache */

    /* We dont decrypt if we were told to skip this record */
    if(skipit) {
        return errSSLRecordUnexpectedRecord;
    }
	/*
	 * Decrypt the payload & check the MAC, modifying the length of the
	 * buffer to indicate the amount of plaintext data after adjusting
	 * for the block size and removing the MAC */
	check(ctx->sslTslCalls != NULL);
    if ((err = ctx->sslTslCalls->decryptRecord(rec->contentType,
                                               &cipherFragment, ctx)) != 0)
        return err;

	/*
	 * We appear to have sucessfully received a record; increment the
	 * sequence number
	 */
    IncrementUInt64(&ctx->readCipher.sequenceNum);

	/* Allocate a buffer to return the plaintext in and return it */
    if ((err = SSLAllocBuffer(&rec->contents, cipherFragment.length)) != 0)
    {
        return err;
    }
    memcpy(rec->contents.data, cipherFragment.data, cipherFragment.length);


    return 0;
}

static int SSLRecordWriteInternal(SSLRecordContextRef ref, SSLRecord rec)
{
    int err;
    struct SSLRecordInternalContext *ctx = ref;

    err=ctx->sslTslCalls->writeRecord(rec, ctx);

    check_noerr(err);

    return err;
}

/* Record Layer Entry Points */

static int
SSLRollbackInternalRecordLayerWriteCipher(SSLRecordContextRef ref)
{
    int err;
    struct SSLRecordInternalContext *ctx = ref;

    if ((err = SSLDisposeCipherSuite(&ctx->writePending, ctx)) != 0)
        return err;

    ctx->writePending = ctx->writeCipher;
    ctx->writeCipher = ctx->prevCipher;

    /* Zero out old data */
    memset(&ctx->prevCipher, 0, sizeof(CipherContext));

    return 0;
}

static int
SSLAdvanceInternalRecordLayerWriteCipher(SSLRecordContextRef ref)
{
    int err;
    struct SSLRecordInternalContext *ctx = ref;

    if ((err = SSLDisposeCipherSuite(&ctx->prevCipher, ctx)) != 0)
        return err;

    ctx->prevCipher = ctx->writeCipher;
    ctx->writeCipher = ctx->writePending;

    /* Zero out old data */
    memset(&ctx->writePending, 0, sizeof(CipherContext));

    return 0;
}

static int
SSLAdvanceInternalRecordLayerReadCipher(SSLRecordContextRef ref)
{
    struct SSLRecordInternalContext *ctx = ref;
    int err;

    if ((err = SSLDisposeCipherSuite(&ctx->readCipher, ctx)) != 0)
        return err;

    ctx->readCipher = ctx->readPending;
    memset(&ctx->readPending, 0, sizeof(CipherContext)); 	/* Zero out old data */

    return 0;
}

static int
SSLInitInternalRecordLayerPendingCiphers(SSLRecordContextRef ref, uint16_t selectedCipher, bool isServer, SSLBuffer key)
{   int        err;
    uint8_t         *keyDataProgress, *keyPtr, *ivPtr;
    CipherContext   *serverPending, *clientPending;

    struct SSLRecordInternalContext *ctx = ref;

    InitCipherSpec(ctx, selectedCipher);

    ctx->readPending.macRef = ctx->selectedCipherSpec.macAlgorithm;
    ctx->writePending.macRef = ctx->selectedCipherSpec.macAlgorithm;
    ctx->readPending.symCipher = ctx->selectedCipherSpec.cipher;
    ctx->writePending.symCipher = ctx->selectedCipherSpec.cipher;
    /* This need to be reinitialized because the whole thing is zeroed sometimes */
    ctx->readPending.encrypting = 0;
    ctx->writePending.encrypting = 1;

    if(ctx->negProtocolVersion == DTLS_Version_1_0)
    {
        ctx->readPending.sequenceNum = (ctx->readPending.sequenceNum & (0xffffULL<<48)) + (1ULL<<48);
        ctx->writePending.sequenceNum = (ctx->writePending.sequenceNum & (0xffffULL<<48)) + (1ULL<<48);
    } else {
        ctx->writePending.sequenceNum = 0;
        ctx->readPending.sequenceNum = 0;
    }

    if (isServer)
    {   serverPending = &ctx->writePending;
        clientPending = &ctx->readPending;
    }
    else
    {   serverPending = &ctx->readPending;
        clientPending = &ctx->writePending;
    }

    /* Check the size of the 'key' buffer - <rdar://problem/11204357> */
    if(key.length != ctx->selectedCipherSpec.macAlgorithm->hash->digestSize*2
                   + ctx->selectedCipherSpec.cipher->params->keySize*2
                   + ctx->selectedCipherSpec.cipher->params->ivSize*2)
    {
        return errSSLRecordInternal;
    }

    keyDataProgress = key.data;
    memcpy(clientPending->macSecret, keyDataProgress,
           ctx->selectedCipherSpec.macAlgorithm->hash->digestSize);
    keyDataProgress += ctx->selectedCipherSpec.macAlgorithm->hash->digestSize;
    memcpy(serverPending->macSecret, keyDataProgress,
           ctx->selectedCipherSpec.macAlgorithm->hash->digestSize);
    keyDataProgress += ctx->selectedCipherSpec.macAlgorithm->hash->digestSize;

    if (ctx->selectedCipherSpec.cipher->params->cipherType == aeadCipherType)
        goto skipInit;

    /* init the reusable-per-record MAC contexts */
    err = ctx->sslTslCalls->initMac(clientPending);
    if(err) {
        goto fail;
    }
    err = ctx->sslTslCalls->initMac(serverPending);
    if(err) {
        goto fail;
    }

    keyPtr = keyDataProgress;
    keyDataProgress += ctx->selectedCipherSpec.cipher->params->keySize;
    /* Skip server write key to get to IV */
    ivPtr = keyDataProgress + ctx->selectedCipherSpec.cipher->params->keySize;
    if ((err = ctx->selectedCipherSpec.cipher->c.cipher.initialize(clientPending->symCipher->params, clientPending->encrypting, keyPtr, ivPtr,
                                                                   &clientPending->cipherCtx)) != 0)
        goto fail;
    keyPtr = keyDataProgress;
    keyDataProgress += ctx->selectedCipherSpec.cipher->params->keySize;
    /* Skip client write IV to get to server write IV */
    ivPtr = keyDataProgress + ctx->selectedCipherSpec.cipher->params->ivSize;
    if ((err = ctx->selectedCipherSpec.cipher->c.cipher.initialize(serverPending->symCipher->params, serverPending->encrypting, keyPtr, ivPtr,
                                                                   &serverPending->cipherCtx)) != 0)
        goto fail;

skipInit:
    /* Ciphers are ready for use */
    ctx->writePending.ready = 1;
    ctx->readPending.ready = 1;

    /* Ciphers get swapped by sending or receiving a change cipher spec message */
    err = 0;

fail:
    return err;
}

static int
SSLSetInternalRecordLayerProtocolVersion(SSLRecordContextRef ref, SSLProtocolVersion negVersion)
{
    struct SSLRecordInternalContext *ctx = ref;

    switch(negVersion) {
        case SSL_Version_3_0:
            ctx->sslTslCalls = &Ssl3RecordCallouts;
            break;
        case TLS_Version_1_0:
        case TLS_Version_1_1:
        case DTLS_Version_1_0:
        case TLS_Version_1_2:
            ctx->sslTslCalls = &Tls1RecordCallouts;
            break;
        case SSL_Version_2_0:
        case SSL_Version_Undetermined:
        default:
            return errSSLRecordNegotiation;
    }
    ctx->negProtocolVersion = negVersion;

    return 0;
}

static int
SSLRecordFreeInternal(SSLRecordContextRef ref, SSLRecord rec)
{
    return SSLFreeBuffer(&rec.contents);
}

static int
SSLRecordServiceWriteQueueInternal(SSLRecordContextRef ref)
{
    int             err = 0, werr = 0;
    size_t          written = 0;
    SSLBuffer       buf;
    WaitingRecord   *rec;
    struct SSLRecordInternalContext *ctx= ref;

    while (!werr && ((rec = ctx->recordWriteQueue) != 0))
    {   buf.data = rec->data + rec->sent;
        buf.length = rec->length - rec->sent;
        werr = sslIoWrite(buf, &written, ctx);
        rec->sent += written;
        if (rec->sent >= rec->length)
        {
            check(rec->sent == rec->length);
            check(err == 0);
            ctx->recordWriteQueue = rec->next;
			sslFree(rec);
        }
        if (err) {
            check_noerr(err);
            return err;
        }
    }

    return werr;
}

/***** Internal Record Layer APIs *****/

SSLRecordContextRef
SSLCreateInternalRecordLayer(bool dtls)
{
    struct SSLRecordInternalContext *ctx;

    ctx = sslMalloc(sizeof(struct SSLRecordInternalContext));
    if(ctx==NULL)
        return NULL;

    memset(ctx, 0, sizeof(struct SSLRecordInternalContext));

    ctx->negProtocolVersion = SSL_Version_Undetermined;

    ctx->sslTslCalls = &Ssl3RecordCallouts;
    ctx->recordWriteQueue = NULL;

    InitCipherSpec(ctx, TLS_NULL_WITH_NULL_NULL);

    ctx->writeCipher.macRef    = ctx->selectedCipherSpec.macAlgorithm;
    ctx->readCipher.macRef     = ctx->selectedCipherSpec.macAlgorithm;
    ctx->readCipher.symCipher  = ctx->selectedCipherSpec.cipher;
    ctx->writeCipher.symCipher = ctx->selectedCipherSpec.cipher;
    ctx->readCipher.encrypting = 0;
    ctx->writeCipher.encrypting = 1;

    ctx->isDTLS = dtls;

    return ctx;

}

int
SSLSetInternalRecordLayerIOFuncs(
                                 SSLRecordContextRef ref,
                                 SSLIOReadFunc    readFunc,
                                 SSLIOWriteFunc   writeFunc)
{
    struct SSLRecordInternalContext *ctx = ref;

    ctx->read = readFunc;
    ctx->write = writeFunc;

    return 0;
}

int
SSLSetInternalRecordLayerConnection(
                                    SSLRecordContextRef ref,
                                    SSLIOConnectionRef ioRef)
{
    struct SSLRecordInternalContext *ctx = ref;

    ctx->ioRef = ioRef;

    return 0;
}

void
SSLDestroyInternalRecordLayer(SSLRecordContextRef ref)
{
    struct SSLRecordInternalContext *ctx = ref;
	WaitingRecord   *waitRecord, *next;

    /* RecordContext cleanup : */
    SSLFreeBuffer(&ctx->partialReadBuffer);
    waitRecord = ctx->recordWriteQueue;
    while (waitRecord)
    {   next = waitRecord->next;
        sslFree(waitRecord);
        waitRecord = next;
    }


    /* Cleanup cipher structs */
    SSLDisposeCipherSuite(&ctx->readCipher, ctx);
    SSLDisposeCipherSuite(&ctx->writeCipher, ctx);
    SSLDisposeCipherSuite(&ctx->readPending, ctx);
    SSLDisposeCipherSuite(&ctx->writePending, ctx);
    SSLDisposeCipherSuite(&ctx->prevCipher, ctx);

    sslFree(ctx);

}

struct SSLRecordFuncs SSLRecordLayerInternal =
{
    .read  = SSLRecordReadInternal,
    .write = SSLRecordWriteInternal,
    .initPendingCiphers = SSLInitInternalRecordLayerPendingCiphers,
    .advanceWriteCipher = SSLAdvanceInternalRecordLayerWriteCipher,
    .advanceReadCipher = SSLAdvanceInternalRecordLayerReadCipher,
    .rollbackWriteCipher = SSLRollbackInternalRecordLayerWriteCipher,
    .setProtocolVersion = SSLSetInternalRecordLayerProtocolVersion,
    .free = SSLRecordFreeInternal,
    .serviceWriteQueue = SSLRecordServiceWriteQueueInternal,
};
Commit	Line	Data
427c49bc A	1	//
	2	// SSLRecordInternal.c
	3	// Security
	4	//
	5	// Created by Fabrice Gautier on 10/25/11.
	6	// Copyright (c) 2011 Apple, Inc. All rights reserved.
	7	//
	8
	9	/* THIS FILE CONTAINS KERNEL CODE */
	10
	11	#include "sslBuildFlags.h"
	12	#include "SSLRecordInternal.h"
	13	#include "sslDebug.h"
	14	#include "cipherSpecs.h"
	15	#include "symCipher.h"
	16	#include "sslUtils.h"
	17	#include "tls_record.h"
	18
	19	#include <AssertMacros.h>
	20	#include <string.h>
	21
	22	#include <inttypes.h>
	23
	24	#define DEFAULT_BUFFER_SIZE 4096
	25
	26
	27	/*
	28	* Redirect SSLBuffer-based I/O call to user-supplied I/O.
	29	*/
	30	static
	31	int sslIoRead(SSLBuffer buf,
	32	size_t *actualLength,
	33	struct SSLRecordInternalContext *ctx)
	34	{
	35	size_t dataLength = buf.length;
	36	int ortn;
	37
	38	*actualLength = 0;
	39	ortn = (ctx->read)(ctx->ioRef,
	40	buf.data,
	41	&dataLength);
	42	*actualLength = dataLength;
	43	return ortn;
	44	}
	45
	46	static
	47	int sslIoWrite(SSLBuffer buf,
	48	size_t *actualLength,
	49	struct SSLRecordInternalContext *ctx)
	50	{
	51	size_t dataLength = buf.length;
	52	int ortn;
	53
	54	*actualLength = 0;
	55	ortn = (ctx->write)(ctx->ioRef,
	56	buf.data,
	57	&dataLength);
	58	*actualLength = dataLength;
	59	return ortn;
	60	}
	61
	62
	63	static int
	64	SSLDisposeCipherSuite(CipherContext cipher, struct SSLRecordInternalContext ctx)
65	{ int err;
66
67	/* symmetric encryption context */
68	if(cipher->symCipher) {
69	if ((err = cipher->symCipher->finish(cipher->cipherCtx)) != 0) {
70	return err;
71	}
72	}
73
74	/* per-record hash/hmac context */
75	ctx->sslTslCalls->freeMac(cipher);
76
77	return 0;
78	}
79
80
81
82	/* common for sslv3 and tlsv1, except for the computeMac callout */
83	int SSLVerifyMac(uint8_t type,
84	SSLBuffer *data,
85	uint8_t *compareMAC,
86	struct SSLRecordInternalContext *ctx)
87	{
88	int err;
89	uint8_t macData[SSL_MAX_DIGEST_LEN];
90	SSLBuffer secret, mac;
91
92	secret.data = ctx->readCipher.macSecret;
93	secret.length = ctx->readCipher.macRef->hash->digestSize;
94	mac.data = macData;
95	mac.length = ctx->readCipher.macRef->hash->digestSize;
96
97	check(ctx->sslTslCalls != NULL);
98	if ((err = ctx->sslTslCalls->computeMac(type,
99	*data,
100	mac,
101	&ctx->readCipher,
102	ctx->readCipher.sequenceNum,
103	ctx)) != 0)
104	return err;
105
106	if ((memcmp(mac.data, compareMAC, mac.length)) != 0) {
107	sslErrorLog("SSLVerifyMac: Mac verify failure\n");
108	return errSSLRecordProtocol;
109	}
110	return 0;
111	}
112
113	#include "cipherSpecs.h"
114	#include "symCipher.h"
115
116	static const HashHmacReference *sslCipherSuiteGetHashHmacReference(uint16_t selectedCipher)
117	{
118	HMAC_Algs alg = sslCipherSuiteGetMacAlgorithm(selectedCipher);
119
120	switch (alg) {
121	case HA_Null:
122	return &HashHmacNull;
123	case HA_MD5:
124	return &HashHmacMD5;
125	case HA_SHA1:
126	return &HashHmacSHA1;
127	case HA_SHA256:
128	return &HashHmacSHA256;
129	case HA_SHA384:
130	return &HashHmacSHA384;
131	default:
132	sslErrorLog("Invalid hashAlgorithm %d", alg);
133	check(0);
134	return &HashHmacNull;
135	}
136	}
137
138	static const SSLSymmetricCipher *sslCipherSuiteGetSymmetricCipher(uint16_t selectedCipher)
139	{
140
141	SSL_CipherAlgorithm alg = sslCipherSuiteGetSymmetricCipherAlgorithm(selectedCipher);
142	switch(alg) {
143	case SSL_CipherAlgorithmNull:
144	return &SSLCipherNull;
145	#if ENABLE_RC2
146	case SSL_CipherAlgorithmRC2_128:
147	return &SSLCipherRC2_128;
148	#endif
149	#if ENABLE_RC4
150	case SSL_CipherAlgorithmRC4_128:
151	return &SSLCipherRC4_128;
152	#endif
153	#if ENABLE_DES
154	case SSL_CipherAlgorithmDES_CBC:
155	return &SSLCipherDES_CBC;
156	#endif
157	case SSL_CipherAlgorithm3DES_CBC:
158	return &SSLCipher3DES_CBC;
159	case SSL_CipherAlgorithmAES_128_CBC:
160	return &SSLCipherAES_128_CBC;
161	case SSL_CipherAlgorithmAES_256_CBC:
162	return &SSLCipherAES_256_CBC;
163	#if ENABLE_AES_GCM
164	case SSL_CipherAlgorithmAES_128_GCM:
165	return &SSLCipherAES_128_GCM;
166	case SSL_CipherAlgorithmAES_256_GCM:
167	return &SSLCipherAES_256_GCM;
168	#endif
169	default:
170	check(0);
171	return &SSLCipherNull;
172	}
173	}
174
175	static void InitCipherSpec(struct SSLRecordInternalContext *ctx, uint16_t selectedCipher)
176	{
177	SSLRecordCipherSpec *dst = &ctx->selectedCipherSpec;
178
179	ctx->selectedCipher = selectedCipher;
180	dst->cipher = sslCipherSuiteGetSymmetricCipher(selectedCipher);
181	dst->macAlgorithm = sslCipherSuiteGetHashHmacReference(selectedCipher);
182	};
183
184	/* Entry points to Record Layer */
185
186	static int SSLRecordReadInternal(SSLRecordContextRef ref, SSLRecord *rec)
187	{ int err;
188	size_t len, contentLen;
189	uint8_t *charPtr;
190	SSLBuffer readData, cipherFragment;
191	size_t head=5;
192	int skipit=0;
193	struct SSLRecordInternalContext *ctx = ref;
194
195	if(ctx->isDTLS)
196	head+=8;
197
198	if (!ctx->partialReadBuffer.data \|\| ctx->partialReadBuffer.length < head)
199	{ if (ctx->partialReadBuffer.data)
200	if ((err = SSLFreeBuffer(&ctx->partialReadBuffer)) != 0)
201	{
202	return err;
203	}
204	if ((err = SSLAllocBuffer(&ctx->partialReadBuffer,
205	DEFAULT_BUFFER_SIZE)) != 0)
206	{
207	return err;
208	}
209	}
210
211	if (ctx->negProtocolVersion == SSL_Version_Undetermined) {
212	if (ctx->amountRead < 1)
213	{ readData.length = 1 - ctx->amountRead;
214	readData.data = ctx->partialReadBuffer.data + ctx->amountRead;
215	len = readData.length;
216	err = sslIoRead(readData, &len, ctx);
217	if(err != 0)
218	{ if (err == errSSLRecordWouldBlock) {
219	ctx->amountRead += len;
220	return err;
221	}
222	else {
223	/* abort */
224	err = errSSLRecordClosedAbort;
225	#if 0 // TODO: revisit this in the transport layer
226	if((ctx->protocolSide == kSSLClientSide) &&
227	(ctx->amountRead == 0) &&
228	(len == 0)) {
229	/*
230	* Detect "server refused to even try to negotiate"
231	* error, when the server drops the connection before
232	* sending a single byte.
233	*/
234	switch(ctx->state) {
235	case SSL_HdskStateServerHello:
236	sslHdskStateDebug("Server dropped initial connection\n");
237	err = errSSLConnectionRefused;
238	break;
239	default:
240	break;
241	}
242	}
243	#endif
244	return err;
245	}
246	}
247	ctx->amountRead += len;
248	}
249	}
250
251	if (ctx->amountRead < head)
252	{ readData.length = head - ctx->amountRead;
253	readData.data = ctx->partialReadBuffer.data + ctx->amountRead;
254	len = readData.length;
255	err = sslIoRead(readData, &len, ctx);
256	if(err != 0)
257	{
258	switch(err) {
259	case errSSLRecordWouldBlock:
260	ctx->amountRead += len;
261	break;
262	#if SSL_ALLOW_UNNOTICED_DISCONNECT
263	case errSSLClosedGraceful:
264	/* legal if we're on record boundary and we've gotten past
265	* the handshake */
266	if((ctx->amountRead == 0) && /* nothing pending */
267	(len == 0) && /* nothing new */
268	(ctx->state == SSL_HdskStateClientReady)) { /* handshake done */
269	/*
270	* This means that the server has disconnected without
271	* sending a closure alert notice. This is technically
272	* illegal per the SSL3 spec, but about half of the
273	* servers out there do it, so we report it as a separate
274	* error which most clients - including (currently)
275	* URLAccess - ignore by treating it the same as
276	* a errSSLClosedGraceful error. Paranoid
277	* clients can detect it and handle it however they
278	* want to.
279	*/
280	SSLChangeHdskState(ctx, SSL_HdskStateNoNotifyClose);
281	err = errSSLClosedNoNotify;
282	break;
283	}
284	else {
285	/* illegal disconnect */
286	err = errSSLClosedAbort;
287	/* and drop thru to default: fatal alert */
288	}
289	#endif /* SSL_ALLOW_UNNOTICED_DISCONNECT */
290	default:
291	break;
292	}
293	return err;
294	}
295	ctx->amountRead += len;
296	}
297
298	check(ctx->amountRead >= head);
299
300	charPtr = ctx->partialReadBuffer.data;
301	rec->contentType = *charPtr++;
302	if (rec->contentType < SSL_RecordTypeV3_Smallest \|\|
303	rec->contentType > SSL_RecordTypeV3_Largest)
304	return errSSLRecordProtocol;
305
306	rec->protocolVersion = (SSLProtocolVersion)SSLDecodeInt(charPtr, 2);
307	charPtr += 2;
308
309	if(rec->protocolVersion == DTLS_Version_1_0)
310	{
311	sslUint64 seqNum;
312	SSLDecodeUInt64(charPtr, 8, &seqNum);
313	charPtr += 8;
314	sslLogRecordIo("Read DTLS Record %016llx (seq is: %016llx)",
315	seqNum, ctx->readCipher.sequenceNum);
316
317	/* if the epoch of the record is different of current read cipher, just drop it */
318	if((seqNum>>48)!=(ctx->readCipher.sequenceNum>>48)) {
319	skipit=1;
320	} else {
321	ctx->readCipher.sequenceNum=seqNum;
322	}
323	}
324
325	contentLen = SSLDecodeInt(charPtr, 2);
326	charPtr += 2;
327	if (contentLen > (16384 + 2048)) /* Maximum legal length of an
328	* SSLCipherText payload */
329	{
330	return errSSLRecordRecordOverflow;
331	}
332
333	if (ctx->partialReadBuffer.length < head + contentLen)
334	{ if ((err = SSLReallocBuffer(&ctx->partialReadBuffer, head + contentLen)) != 0)
335	{
336	return err;
337	}
338	}
339
340	if (ctx->amountRead < head + contentLen)
341	{ readData.length = head + contentLen - ctx->amountRead;
342	readData.data = ctx->partialReadBuffer.data + ctx->amountRead;
343	len = readData.length;
344	err = sslIoRead(readData, &len, ctx);
345	if(err != 0)
346	{ if (err == errSSLRecordWouldBlock)
347	ctx->amountRead += len;
348	return err;
349	}
350	ctx->amountRead += len;
351	}
352
353	check(ctx->amountRead >= head + contentLen);
354
355	cipherFragment.data = ctx->partialReadBuffer.data + head;
356	cipherFragment.length = contentLen;
357
358	ctx->amountRead = 0; /* We've used all the data in the cache */
359
360	/* We dont decrypt if we were told to skip this record */
361	if(skipit) {
362	return errSSLRecordUnexpectedRecord;
363	}
364	/*
365	* Decrypt the payload & check the MAC, modifying the length of the
366	* buffer to indicate the amount of plaintext data after adjusting
367	* for the block size and removing the MAC */
368	check(ctx->sslTslCalls != NULL);
369	if ((err = ctx->sslTslCalls->decryptRecord(rec->contentType,
370	&cipherFragment, ctx)) != 0)
371	return err;
372
373	/*
374	* We appear to have sucessfully received a record; increment the
375	* sequence number
376	*/
377	IncrementUInt64(&ctx->readCipher.sequenceNum);
378
379	/* Allocate a buffer to return the plaintext in and return it */
380	if ((err = SSLAllocBuffer(&rec->contents, cipherFragment.length)) != 0)
381	{
382	return err;
383	}
384	memcpy(rec->contents.data, cipherFragment.data, cipherFragment.length);
385
386
387	return 0;
388	}
389
390	static int SSLRecordWriteInternal(SSLRecordContextRef ref, SSLRecord rec)
391	{
392	int err;
393	struct SSLRecordInternalContext *ctx = ref;
394
395	err=ctx->sslTslCalls->writeRecord(rec, ctx);
396
397	check_noerr(err);
398
399	return err;
400	}
401
402	/* Record Layer Entry Points */
403
404	static int
405	SSLRollbackInternalRecordLayerWriteCipher(SSLRecordContextRef ref)
406	{
407	int err;
408	struct SSLRecordInternalContext *ctx = ref;
409
410	if ((err = SSLDisposeCipherSuite(&ctx->writePending, ctx)) != 0)
411	return err;
412
413	ctx->writePending = ctx->writeCipher;
414	ctx->writeCipher = ctx->prevCipher;
415
416	/* Zero out old data */
417	memset(&ctx->prevCipher, 0, sizeof(CipherContext));
418
419	return 0;
420	}
421
422	static int
423	SSLAdvanceInternalRecordLayerWriteCipher(SSLRecordContextRef ref)
424	{
425	int err;
426	struct SSLRecordInternalContext *ctx = ref;
427
428	if ((err = SSLDisposeCipherSuite(&ctx->prevCipher, ctx)) != 0)
429	return err;
430
431	ctx->prevCipher = ctx->writeCipher;
432	ctx->writeCipher = ctx->writePending;
433
434	/* Zero out old data */
435	memset(&ctx->writePending, 0, sizeof(CipherContext));
436
437	return 0;
438	}
439
440	static int
441	SSLAdvanceInternalRecordLayerReadCipher(SSLRecordContextRef ref)
442	{
443	struct SSLRecordInternalContext *ctx = ref;
444	int err;
445
446	if ((err = SSLDisposeCipherSuite(&ctx->readCipher, ctx)) != 0)
447	return err;
448
449	ctx->readCipher = ctx->readPending;
450	memset(&ctx->readPending, 0, sizeof(CipherContext)); /* Zero out old data */
451
452	return 0;
453	}
454
455	static int
456	SSLInitInternalRecordLayerPendingCiphers(SSLRecordContextRef ref, uint16_t selectedCipher, bool isServer, SSLBuffer key)
457	{ int err;
458	uint8_t keyDataProgress, keyPtr, *ivPtr;
459	CipherContext serverPending, clientPending;
460
461	struct SSLRecordInternalContext *ctx = ref;
462
463	InitCipherSpec(ctx, selectedCipher);
464
465	ctx->readPending.macRef = ctx->selectedCipherSpec.macAlgorithm;
466	ctx->writePending.macRef = ctx->selectedCipherSpec.macAlgorithm;
467	ctx->readPending.symCipher = ctx->selectedCipherSpec.cipher;
468	ctx->writePending.symCipher = ctx->selectedCipherSpec.cipher;
469	/* This need to be reinitialized because the whole thing is zeroed sometimes */
470	ctx->readPending.encrypting = 0;
471	ctx->writePending.encrypting = 1;
472
473	if(ctx->negProtocolVersion == DTLS_Version_1_0)
474	{
475	ctx->readPending.sequenceNum = (ctx->readPending.sequenceNum & (0xffffULL<<48)) + (1ULL<<48);
476	ctx->writePending.sequenceNum = (ctx->writePending.sequenceNum & (0xffffULL<<48)) + (1ULL<<48);
477	} else {
478	ctx->writePending.sequenceNum = 0;
479	ctx->readPending.sequenceNum = 0;
480	}
481
482	if (isServer)
483	{ serverPending = &ctx->writePending;
484	clientPending = &ctx->readPending;
485	}
486	else
487	{ serverPending = &ctx->readPending;
488	clientPending = &ctx->writePending;
489	}
490
491	/* Check the size of the 'key' buffer - <rdar://problem/11204357> */
492	if(key.length != ctx->selectedCipherSpec.macAlgorithm->hash->digestSize*2
493	+ ctx->selectedCipherSpec.cipher->params->keySize*2
494	+ ctx->selectedCipherSpec.cipher->params->ivSize*2)
495	{
496	return errSSLRecordInternal;
497	}
498
499	keyDataProgress = key.data;
500	memcpy(clientPending->macSecret, keyDataProgress,
501	ctx->selectedCipherSpec.macAlgorithm->hash->digestSize);
502	keyDataProgress += ctx->selectedCipherSpec.macAlgorithm->hash->digestSize;
503	memcpy(serverPending->macSecret, keyDataProgress,
504	ctx->selectedCipherSpec.macAlgorithm->hash->digestSize);
505	keyDataProgress += ctx->selectedCipherSpec.macAlgorithm->hash->digestSize;
506
507	if (ctx->selectedCipherSpec.cipher->params->cipherType == aeadCipherType)
508	goto skipInit;
509
510	/* init the reusable-per-record MAC contexts */
511	err = ctx->sslTslCalls->initMac(clientPending);
512	if(err) {
513	goto fail;
514	}
515	err = ctx->sslTslCalls->initMac(serverPending);
516	if(err) {
517	goto fail;
518	}
519
520	keyPtr = keyDataProgress;
521	keyDataProgress += ctx->selectedCipherSpec.cipher->params->keySize;
522	/* Skip server write key to get to IV */
523	ivPtr = keyDataProgress + ctx->selectedCipherSpec.cipher->params->keySize;
524	if ((err = ctx->selectedCipherSpec.cipher->c.cipher.initialize(clientPending->symCipher->params, clientPending->encrypting, keyPtr, ivPtr,
525	&clientPending->cipherCtx)) != 0)
526	goto fail;
527	keyPtr = keyDataProgress;
528	keyDataProgress += ctx->selectedCipherSpec.cipher->params->keySize;
529	/* Skip client write IV to get to server write IV */
530	ivPtr = keyDataProgress + ctx->selectedCipherSpec.cipher->params->ivSize;
531	if ((err = ctx->selectedCipherSpec.cipher->c.cipher.initialize(serverPending->symCipher->params, serverPending->encrypting, keyPtr, ivPtr,
532	&serverPending->cipherCtx)) != 0)
533	goto fail;
534
535	skipInit:
536	/* Ciphers are ready for use */
537	ctx->writePending.ready = 1;
538	ctx->readPending.ready = 1;
539
540	/* Ciphers get swapped by sending or receiving a change cipher spec message */
541	err = 0;
542
543	fail:
544	return err;
545	}
546
547	static int
548	SSLSetInternalRecordLayerProtocolVersion(SSLRecordContextRef ref, SSLProtocolVersion negVersion)
549	{
550	struct SSLRecordInternalContext *ctx = ref;
551
552	switch(negVersion) {
553	case SSL_Version_3_0:
554	ctx->sslTslCalls = &Ssl3RecordCallouts;
555	break;
556	case TLS_Version_1_0:
557	case TLS_Version_1_1:
558	case DTLS_Version_1_0:
559	case TLS_Version_1_2:
560	ctx->sslTslCalls = &Tls1RecordCallouts;
561	break;
562	case SSL_Version_2_0:
563	case SSL_Version_Undetermined:
564	default:
565	return errSSLRecordNegotiation;
566	}
567	ctx->negProtocolVersion = negVersion;
568
569	return 0;
570	}
571
572	static int
573	SSLRecordFreeInternal(SSLRecordContextRef ref, SSLRecord rec)
574	{
575	return SSLFreeBuffer(&rec.contents);
576	}
577
578	static int
579	SSLRecordServiceWriteQueueInternal(SSLRecordContextRef ref)
580	{
581	int err = 0, werr = 0;
582	size_t written = 0;
583	SSLBuffer buf;
584	WaitingRecord *rec;
585	struct SSLRecordInternalContext *ctx= ref;
586
587	while (!werr && ((rec = ctx->recordWriteQueue) != 0))
588	{ buf.data = rec->data + rec->sent;
589	buf.length = rec->length - rec->sent;
590	werr = sslIoWrite(buf, &written, ctx);
591	rec->sent += written;
592	if (rec->sent >= rec->length)
593	{
594	check(rec->sent == rec->length);
595	check(err == 0);
596	ctx->recordWriteQueue = rec->next;
597	sslFree(rec);
598	}
599	if (err) {
600	check_noerr(err);
601	return err;
602	}
603	}
604
605	return werr;
606	}
607
608	/*** Internal Record Layer APIs ***/
609
610	SSLRecordContextRef
611	SSLCreateInternalRecordLayer(bool dtls)
612	{
613	struct SSLRecordInternalContext *ctx;
614
615	ctx = sslMalloc(sizeof(struct SSLRecordInternalContext));
616	if(ctx==NULL)
617	return NULL;
618
619	memset(ctx, 0, sizeof(struct SSLRecordInternalContext));
620
621	ctx->negProtocolVersion = SSL_Version_Undetermined;
622
623	ctx->sslTslCalls = &Ssl3RecordCallouts;
624	ctx->recordWriteQueue = NULL;
625
626	InitCipherSpec(ctx, TLS_NULL_WITH_NULL_NULL);
627
628	ctx->writeCipher.macRef = ctx->selectedCipherSpec.macAlgorithm;
629	ctx->readCipher.macRef = ctx->selectedCipherSpec.macAlgorithm;
630	ctx->readCipher.symCipher = ctx->selectedCipherSpec.cipher;
631	ctx->writeCipher.symCipher = ctx->selectedCipherSpec.cipher;
632	ctx->readCipher.encrypting = 0;
633	ctx->writeCipher.encrypting = 1;
634
635	ctx->isDTLS = dtls;
636
637	return ctx;
638
639	}
640
641	int
642	SSLSetInternalRecordLayerIOFuncs(
643	SSLRecordContextRef ref,
644	SSLIOReadFunc readFunc,
645	SSLIOWriteFunc writeFunc)
646	{
647	struct SSLRecordInternalContext *ctx = ref;
648
649	ctx->read = readFunc;
650	ctx->write = writeFunc;
651
652	return 0;
653	}
654
655	int
656	SSLSetInternalRecordLayerConnection(
657	SSLRecordContextRef ref,
658	SSLIOConnectionRef ioRef)
659	{
660	struct SSLRecordInternalContext *ctx = ref;
661
662	ctx->ioRef = ioRef;
663
664	return 0;
665	}
666
667	void
668	SSLDestroyInternalRecordLayer(SSLRecordContextRef ref)
669	{
670	struct SSLRecordInternalContext *ctx = ref;
671	WaitingRecord waitRecord, next;
672
673	/* RecordContext cleanup : */
674	SSLFreeBuffer(&ctx->partialReadBuffer);
675	waitRecord = ctx->recordWriteQueue;
676	while (waitRecord)
677	{ next = waitRecord->next;
678	sslFree(waitRecord);
679	waitRecord = next;
680	}
681
682
683	/* Cleanup cipher structs */
684	SSLDisposeCipherSuite(&ctx->readCipher, ctx);
685	SSLDisposeCipherSuite(&ctx->writeCipher, ctx);
686	SSLDisposeCipherSuite(&ctx->readPending, ctx);
687	SSLDisposeCipherSuite(&ctx->writePending, ctx);
688	SSLDisposeCipherSuite(&ctx->prevCipher, ctx);
689
690	sslFree(ctx);
691
692	}
693
694	struct SSLRecordFuncs SSLRecordLayerInternal =
695	{
696	.read = SSLRecordReadInternal,
697	.write = SSLRecordWriteInternal,
698	.initPendingCiphers = SSLInitInternalRecordLayerPendingCiphers,
699	.advanceWriteCipher = SSLAdvanceInternalRecordLayerWriteCipher,
700	.advanceReadCipher = SSLAdvanceInternalRecordLayerReadCipher,
701	.rollbackWriteCipher = SSLRollbackInternalRecordLayerWriteCipher,
702	.setProtocolVersion = SSLSetInternalRecordLayerProtocolVersion,
703	.free = SSLRecordFreeInternal,
704	.serviceWriteQueue = SSLRecordServiceWriteQueueInternal,
705	};
706