[apple/security.git] / libsecurity_ssl / lib / tls1RecordCallouts.c

/*
 * Copyright (c) 2002,2005-2007,2010-2011 Apple Inc. All Rights Reserved.
 *
 * @APPLE_LICENSE_HEADER_START@
 *
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 *
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 *
 * @APPLE_LICENSE_HEADER_END@
 */

/*
 * tls1RecordCallouts.c - TLSv1-specific routines for SslTlsCallouts.
 */

/* THIS FILE CONTAINS KERNEL CODE */

#include "tls_record.h"
#include "sslMemory.h"
#include "sslDebug.h"
#include "sslUtils.h"

#include <AssertMacros.h>
#include <string.h>

/* not needed; encrypt/encode is the same for both protocols as long as
 * we don't use the "variable length padding" feature. */
#if 0
static int tls1WriteRecord(
	SSLRecord rec,
	SSLContext *ctx)
{
	check(0);
	return errSecUnimplemented;
}
#endif

static int tls1DecryptRecord(
	uint8_t type,
	SSLBuffer *payload,
	struct SSLRecordInternalContext *ctx)
{
	int    err;
    SSLBuffer   content;

    if ((ctx->readCipher.symCipher->params->blockSize > 0) &&
        ((payload->length % ctx->readCipher.symCipher->params->blockSize) != 0)) {
        return errSSLRecordRecordOverflow;
    }

    /* Decrypt in place */
    if ((err = ctx->readCipher.symCipher->c.cipher.decrypt(payload->data,
		payload->data, payload->length,
		ctx->readCipher.cipherCtx)) != 0)
    {
        return errSSLRecordDecryptionFail;
    }

    /* Locate content within decrypted payload */

    /* TLS 1.1 and DTLS 1.0 block ciphers */
    if((ctx->negProtocolVersion>=TLS_Version_1_1) && (ctx->readCipher.symCipher->params->blockSize>0))
    {
        content.data = payload->data + ctx->readCipher.symCipher->params->blockSize;
        content.length = payload->length - (ctx->readCipher.macRef->hash->digestSize + ctx->readCipher.symCipher->params->blockSize);
    } else {
        content.data = payload->data;
        content.length = payload->length - ctx->readCipher.macRef->hash->digestSize;
    }

    /* Test for underflow - if the record size is smaller than required */
    if(content.length > payload->length) {
            return errSSLRecordClosedAbort;
    }

    err = 0;

    if (ctx->readCipher.symCipher->params->blockSize > 0) {
		/* for TLSv1, padding can be anywhere from 0 to 255 bytes */
		uint8_t padSize = payload->data[payload->length - 1];

        /* Padding check sequence:
            1. Check that the padding size (last byte in padding) is within bound
            2. Adjust content.length accordingly
            3. Check every padding byte (except last, already checked)
           Do not return, just set the error value on failure,
           to avoid creating a padding oracle with timing.
        */
        if(padSize+1<=content.length) {
            uint8_t *padChars;
            content.length -= (1 + padSize);
            padChars = payload->data + payload->length - (padSize+1);
            while(padChars < (payload->data + payload->length - 1)) {
                if(*padChars++ != padSize) {
                    err = errSSLRecordBadRecordMac;
                }
            }
        } else {
            err = errSSLRecordBadRecordMac;
        }
    }

	/* Verify MAC on payload */
    if (ctx->readCipher.macRef->hash->digestSize > 0)
    /* Optimize away MAC for null case */
        if (SSLVerifyMac(type, &content,
                          content.data + content.length, ctx) != 0)
        {
            err = errSSLRecordBadRecordMac;
        }

    *payload = content;     /* Modify payload buffer to indicate content length */

    return err;
}

/* initialize a per-CipherContext HashHmacContext for use in MACing each record */
static int tls1InitMac (
	CipherContext *cipherCtx)		// macRef, macSecret valid on entry
									// macCtx valid on return
{
	const HMACReference *hmac;
	int serr;

    check(cipherCtx);
	check(cipherCtx->macRef != NULL);
	hmac = cipherCtx->macRef->hmac;
	check(hmac != NULL);

	if(cipherCtx->macCtx.hmacCtx != NULL) {
		hmac->free(cipherCtx->macCtx.hmacCtx);
		cipherCtx->macCtx.hmacCtx = NULL;
	}
	serr = hmac->alloc(hmac, cipherCtx->macSecret,
		cipherCtx->macRef->hmac->macSize, &cipherCtx->macCtx.hmacCtx);

	/* mac secret now stored in macCtx.hmacCtx, delete it from cipherCtx */
	memset(cipherCtx->macSecret, 0, sizeof(cipherCtx->macSecret));
	return serr;
}

static int tls1FreeMac (
	CipherContext *cipherCtx)
{
	/* this can be called on a completely zeroed out CipherContext... */
	if(cipherCtx->macRef == NULL) {
		return 0;
	}
	check(cipherCtx->macRef->hmac != NULL);

	if(cipherCtx->macCtx.hmacCtx != NULL) {
		cipherCtx->macRef->hmac->free(cipherCtx->macCtx.hmacCtx);
		cipherCtx->macCtx.hmacCtx = NULL;
	}
	return 0;
}

/*
 * mac = HMAC_hash(MAC_write_secret, seq_num + TLSCompressed.type +
 *					TLSCompressed.version + TLSCompressed.length +
 *					TLSCompressed.fragment));
 */

/* sequence, type, version, length */
#define HDR_LENGTH (8 + 1 + 2 + 2)
static int tls1ComputeMac (
	uint8_t type,
	SSLBuffer data,
	SSLBuffer mac, 					// caller mallocs data
	CipherContext *cipherCtx,		// assumes macCtx, macRef
	sslUint64 seqNo,
	struct SSLRecordInternalContext *ctx)
{
	uint8_t hdr[HDR_LENGTH];
	uint8_t *p;
	HMACContextRef hmacCtx;
	int serr;
	const HMACReference *hmac;
	size_t macLength;

	check(cipherCtx != NULL);
	check(cipherCtx->macRef != NULL);
	hmac = cipherCtx->macRef->hmac;
	check(hmac != NULL);
	hmacCtx = cipherCtx->macCtx.hmacCtx;	// may be NULL, for null cipher

	serr = hmac->init(hmacCtx);
	if(serr) {
		goto fail;
	}
	p = SSLEncodeUInt64(hdr, seqNo);
	*p++ = type;
	*p++ = ctx->negProtocolVersion >> 8;
	*p++ = ctx->negProtocolVersion & 0xff;
	*p++ = data.length >> 8;
	*p   = data.length & 0xff;
	serr = hmac->update(hmacCtx, hdr, HDR_LENGTH);
	if(serr) {
		goto fail;
	}
	serr = hmac->update(hmacCtx, data.data, data.length);
	if(serr) {
		goto fail;
	}
	macLength = mac.length;
	serr = hmac->final(hmacCtx, mac.data, &macLength);
	if(serr) {
		goto fail;
	}
	mac.length = macLength;
fail:
	return serr;
}

const SslRecordCallouts Tls1RecordCallouts = {
	tls1DecryptRecord,
	ssl3WriteRecord,
	tls1InitMac,
	tls1FreeMac,
	tls1ComputeMac,
};
Commit	Line	Data
427c49bc A	1	/*
	2	* Copyright (c) 2002,2005-2007,2010-2011 Apple Inc. All Rights Reserved.
	3	*
	4	* @APPLE_LICENSE_HEADER_START@
	5	*
	6	* This file contains Original Code and/or Modifications of Original Code
	7	* as defined in and that are subject to the Apple Public Source License
	8	* Version 2.0 (the 'License'). You may not use this file except in
	9	* compliance with the License. Please obtain a copy of the License at
	10	* http://www.opensource.apple.com/apsl/ and read it before using this
	11	* file.
	12	*
	13	* The Original Code and all software distributed under the License are
	14	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
	15	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
	16	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
	17	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
	18	* Please see the License for the specific language governing rights and
	19	* limitations under the License.
	20	*
	21	* @APPLE_LICENSE_HEADER_END@
	22	*/
	23
	24	/*
	25	* tls1RecordCallouts.c - TLSv1-specific routines for SslTlsCallouts.
	26	*/
	27
	28	/* THIS FILE CONTAINS KERNEL CODE */
	29
	30	#include "tls_record.h"
	31	#include "sslMemory.h"
	32	#include "sslDebug.h"
	33	#include "sslUtils.h"
	34
	35	#include <AssertMacros.h>
	36	#include <string.h>
	37
	38	/* not needed; encrypt/encode is the same for both protocols as long as
	39	* we don't use the "variable length padding" feature. */
	40	#if 0
	41	static int tls1WriteRecord(
	42	SSLRecord rec,
	43	SSLContext *ctx)
	44	{
	45	check(0);
	46	return errSecUnimplemented;
	47	}
	48	#endif
	49
	50	static int tls1DecryptRecord(
	51	uint8_t type,
	52	SSLBuffer *payload,
	53	struct SSLRecordInternalContext *ctx)
	54	{
	55	int err;
	56	SSLBuffer content;
	57
	58	if ((ctx->readCipher.symCipher->params->blockSize > 0) &&
	59	((payload->length % ctx->readCipher.symCipher->params->blockSize) != 0)) {
	60	return errSSLRecordRecordOverflow;
	61	}
	62
	63	/* Decrypt in place */
	64	if ((err = ctx->readCipher.symCipher->c.cipher.decrypt(payload->data,
65	payload->data, payload->length,
66	ctx->readCipher.cipherCtx)) != 0)
67	{
68	return errSSLRecordDecryptionFail;
69	}
70
71	/* Locate content within decrypted payload */
72
73	/* TLS 1.1 and DTLS 1.0 block ciphers */
74	if((ctx->negProtocolVersion>=TLS_Version_1_1) && (ctx->readCipher.symCipher->params->blockSize>0))
75	{
76	content.data = payload->data + ctx->readCipher.symCipher->params->blockSize;
77	content.length = payload->length - (ctx->readCipher.macRef->hash->digestSize + ctx->readCipher.symCipher->params->blockSize);
78	} else {
79	content.data = payload->data;
80	content.length = payload->length - ctx->readCipher.macRef->hash->digestSize;
81	}
82
83	/* Test for underflow - if the record size is smaller than required */
84	if(content.length > payload->length) {
85	return errSSLRecordClosedAbort;
86	}
87
88	err = 0;
89
90	if (ctx->readCipher.symCipher->params->blockSize > 0) {
91	/* for TLSv1, padding can be anywhere from 0 to 255 bytes */
92	uint8_t padSize = payload->data[payload->length - 1];
93
94	/* Padding check sequence:
95	1. Check that the padding size (last byte in padding) is within bound
96	2. Adjust content.length accordingly
97	3. Check every padding byte (except last, already checked)
98	Do not return, just set the error value on failure,
99	to avoid creating a padding oracle with timing.
100	*/
101	if(padSize+1<=content.length) {
102	uint8_t *padChars;
103	content.length -= (1 + padSize);
104	padChars = payload->data + payload->length - (padSize+1);
105	while(padChars < (payload->data + payload->length - 1)) {
106	if(*padChars++ != padSize) {
107	err = errSSLRecordBadRecordMac;
108	}
109	}
110	} else {
111	err = errSSLRecordBadRecordMac;
112	}
113	}
114
115	/* Verify MAC on payload */
116	if (ctx->readCipher.macRef->hash->digestSize > 0)
117	/* Optimize away MAC for null case */
118	if (SSLVerifyMac(type, &content,
119	content.data + content.length, ctx) != 0)
120	{
121	err = errSSLRecordBadRecordMac;
122	}
123
124	payload = content; / Modify payload buffer to indicate content length */
125
126	return err;
127	}
128
129	/* initialize a per-CipherContext HashHmacContext for use in MACing each record */
130	static int tls1InitMac (
131	CipherContext *cipherCtx) // macRef, macSecret valid on entry
132	// macCtx valid on return
133	{
134	const HMACReference *hmac;
135	int serr;
136
137	check(cipherCtx);
138	check(cipherCtx->macRef != NULL);
139	hmac = cipherCtx->macRef->hmac;
140	check(hmac != NULL);
141
142	if(cipherCtx->macCtx.hmacCtx != NULL) {
143	hmac->free(cipherCtx->macCtx.hmacCtx);
144	cipherCtx->macCtx.hmacCtx = NULL;
145	}
146	serr = hmac->alloc(hmac, cipherCtx->macSecret,
147	cipherCtx->macRef->hmac->macSize, &cipherCtx->macCtx.hmacCtx);
148
149	/* mac secret now stored in macCtx.hmacCtx, delete it from cipherCtx */
150	memset(cipherCtx->macSecret, 0, sizeof(cipherCtx->macSecret));
151	return serr;
152	}
153
154	static int tls1FreeMac (
155	CipherContext *cipherCtx)
156	{
157	/* this can be called on a completely zeroed out CipherContext... */
158	if(cipherCtx->macRef == NULL) {
159	return 0;
160	}
161	check(cipherCtx->macRef->hmac != NULL);
162
163	if(cipherCtx->macCtx.hmacCtx != NULL) {
164	cipherCtx->macRef->hmac->free(cipherCtx->macCtx.hmacCtx);
165	cipherCtx->macCtx.hmacCtx = NULL;
166	}
167	return 0;
168	}
169
170	/*
171	* mac = HMAC_hash(MAC_write_secret, seq_num + TLSCompressed.type +
172	* TLSCompressed.version + TLSCompressed.length +
173	* TLSCompressed.fragment));
174	*/
175
176	/* sequence, type, version, length */
177	#define HDR_LENGTH (8 + 1 + 2 + 2)
178	static int tls1ComputeMac (
179	uint8_t type,
180	SSLBuffer data,
181	SSLBuffer mac, // caller mallocs data
182	CipherContext *cipherCtx, // assumes macCtx, macRef
183	sslUint64 seqNo,
184	struct SSLRecordInternalContext *ctx)
185	{
186	uint8_t hdr[HDR_LENGTH];
187	uint8_t *p;
188	HMACContextRef hmacCtx;
189	int serr;
190	const HMACReference *hmac;
191	size_t macLength;
192
193	check(cipherCtx != NULL);
194	check(cipherCtx->macRef != NULL);
195	hmac = cipherCtx->macRef->hmac;
196	check(hmac != NULL);
197	hmacCtx = cipherCtx->macCtx.hmacCtx; // may be NULL, for null cipher
198
199	serr = hmac->init(hmacCtx);
200	if(serr) {
201	goto fail;
202	}
203	p = SSLEncodeUInt64(hdr, seqNo);
204	*p++ = type;
205	*p++ = ctx->negProtocolVersion >> 8;
206	*p++ = ctx->negProtocolVersion & 0xff;
207	*p++ = data.length >> 8;
208	*p = data.length & 0xff;
209	serr = hmac->update(hmacCtx, hdr, HDR_LENGTH);
210	if(serr) {
211	goto fail;
212	}
213	serr = hmac->update(hmacCtx, data.data, data.length);
214	if(serr) {
215	goto fail;
216	}
217	macLength = mac.length;
218	serr = hmac->final(hmacCtx, mac.data, &macLength);
219	if(serr) {
220	goto fail;
221	}
222	mac.length = macLength;
223	fail:
224	return serr;
225	}
226
227	const SslRecordCallouts Tls1RecordCallouts = {
228	tls1DecryptRecord,
229	ssl3WriteRecord,
230	tls1InitMac,
231	tls1FreeMac,
232	tls1ComputeMac,
233	};
234