]> git.saurik.com Git - apple/security.git/blob - libsecurity_ssl/lib/sslHandshakeHello.c
Security-55179.1.tar.gz
[apple/security.git] / libsecurity_ssl / lib / sslHandshakeHello.c
1 /*
2 * Copyright (c) 1999-2001,2005-2008,2010-2012 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24 /*
25 * sslHandshakeHello.c - Support for client hello and server hello messages.
26 */
27
28 #include "sslContext.h"
29 #include "sslHandshake.h"
30 #include "sslMemory.h"
31 #include "sslSession.h"
32 #include "sslUtils.h"
33 #include "sslDebug.h"
34 #include "sslCrypto.h"
35
36 #include "sslDigests.h"
37 #include "cipherSpecs.h"
38
39 #include <string.h>
40
41 /* IE treats null session id as valid; two consecutive sessions with NULL ID
42 * are considered a match. Workaround: when resumable sessions are disabled,
43 * send a random session ID. */
44 #define SSL_IE_NULL_RESUME_BUG 1
45 #if SSL_IE_NULL_RESUME_BUG
46 #define SSL_NULL_ID_LEN 32 /* length of bogus session ID */
47 #endif
48
49 OSStatus
50 SSLEncodeServerHello(SSLRecord *serverHello, SSLContext *ctx)
51 { OSStatus err;
52 UInt8 *charPtr;
53 int sessionIDLen;
54 size_t msglen;
55 int head;
56
57 sessionIDLen = 0;
58 if (ctx->sessionID.data != 0)
59 sessionIDLen = (UInt8)ctx->sessionID.length;
60 #if SSL_IE_NULL_RESUME_BUG
61 if(sessionIDLen == 0) {
62 sessionIDLen = SSL_NULL_ID_LEN;
63 }
64 #endif /* SSL_IE_NULL_RESUME_BUG */
65
66 msglen = 38 + sessionIDLen;
67
68 /* this was set to a known quantity in SSLProcessClientHello */
69 assert(ctx->negProtocolVersion != SSL_Version_Undetermined);
70 /* should not be here in this case */
71 assert(ctx->negProtocolVersion != SSL_Version_2_0);
72 sslLogNegotiateDebug("===SSL3 server: sending version %d_%d",
73 ctx->negProtocolVersion >> 8, ctx->negProtocolVersion & 0xff);
74 sslLogNegotiateDebug("...sessionIDLen = %d", sessionIDLen);
75 serverHello->protocolVersion = ctx->negProtocolVersion;
76 serverHello->contentType = SSL_RecordTypeHandshake;
77 head = SSLHandshakeHeaderSize(serverHello);
78 if ((err = SSLAllocBuffer(&serverHello->contents, msglen + head, ctx)) != 0)
79 return err;
80
81 charPtr = SSLEncodeHandshakeHeader(ctx, serverHello, SSL_HdskServerHello, msglen);
82
83 charPtr = SSLEncodeInt(charPtr, serverHello->protocolVersion, 2);
84
85 #if SSL_PAC_SERVER_ENABLE
86 /* serverRandom might have already been set, in SSLAdvanceHandshake() */
87 if(!ctx->serverRandomValid) {
88 if ((err = SSLEncodeRandom(ctx->serverRandom, ctx)) != 0) {
89 return err;
90 }
91 }
92 #else
93 /* This is the normal production code path */
94 if ((err = SSLEncodeRandom(ctx->serverRandom, ctx)) != 0)
95 return err;
96 #endif /* SSL_PAC_SERVER_ENABLE */
97
98 memcpy(charPtr, ctx->serverRandom, SSL_CLIENT_SRVR_RAND_SIZE);
99
100 charPtr += SSL_CLIENT_SRVR_RAND_SIZE;
101 *(charPtr++) = (UInt8)sessionIDLen;
102 #if SSL_IE_NULL_RESUME_BUG
103 if(ctx->sessionID.data != NULL) {
104 /* normal path for enabled resumable session */
105 memcpy(charPtr, ctx->sessionID.data, sessionIDLen);
106 }
107 else {
108 /* IE workaround */
109 SSLBuffer rb;
110 rb.data = charPtr;
111 rb.length = SSL_NULL_ID_LEN;
112 sslRand(ctx, &rb);
113 }
114 #else
115 if (sessionIDLen > 0)
116 memcpy(charPtr, ctx->sessionID.data, sessionIDLen);
117 #endif /* SSL_IE_NULL_RESUME_BUG */
118 charPtr += sessionIDLen;
119 charPtr = SSLEncodeInt(charPtr, ctx->selectedCipher, 2);
120 *(charPtr++) = 0; /* Null compression */
121
122 sslLogNegotiateDebug("ssl3: server specifying cipherSuite 0x%lx",
123 (UInt32)ctx->selectedCipher);
124
125 assert(charPtr == serverHello->contents.data + serverHello->contents.length);
126
127 return noErr;
128 }
129
130 OSStatus
131 SSLEncodeServerHelloVerifyRequest(SSLRecord *helloVerifyRequest, SSLContext *ctx)
132 { OSStatus err;
133 UInt8 *charPtr;
134 size_t msglen;
135 int head;
136
137 assert(ctx->protocolSide == kSSLServerSide);
138 assert(ctx->negProtocolVersion == DTLS_Version_1_0);
139 assert(ctx->dtlsCookie.length);
140
141 msglen = 3 + ctx->dtlsCookie.length;
142
143 helloVerifyRequest->protocolVersion = DTLS_Version_1_0;
144 helloVerifyRequest->contentType = SSL_RecordTypeHandshake;
145 head = SSLHandshakeHeaderSize(helloVerifyRequest);
146 if ((err = SSLAllocBuffer(&helloVerifyRequest->contents, msglen + head, ctx)) != 0)
147 return err;
148
149 charPtr = SSLEncodeHandshakeHeader(ctx, helloVerifyRequest, SSL_HdskHelloVerifyRequest, msglen);
150
151 charPtr = SSLEncodeInt(charPtr, helloVerifyRequest->protocolVersion, 2);
152
153 *charPtr++ = ctx->dtlsCookie.length;
154 memcpy(charPtr, ctx->dtlsCookie.data, ctx->dtlsCookie.length);
155 charPtr += ctx->dtlsCookie.length;
156
157 assert(charPtr == (helloVerifyRequest->contents.data + helloVerifyRequest->contents.length));
158
159 return noErr;
160 }
161
162
163 OSStatus
164 SSLProcessServerHelloVerifyRequest(SSLBuffer message, SSLContext *ctx)
165 { OSStatus err;
166 SSLProtocolVersion protocolVersion;
167 unsigned int cookieLen;
168 UInt8 *p;
169
170 assert(ctx->protocolSide == kSSLClientSide);
171
172 /* TODO: those length values should not be hardcoded */
173 /* 3 bytes at least with empty cookie */
174 if (message.length < 3 ) {
175 sslErrorLog("SSLProcessServerHelloVerifyRequest: msg len error\n");
176 return errSSLProtocol;
177 }
178 p = message.data;
179
180 protocolVersion = (SSLProtocolVersion)SSLDecodeInt(p, 2);
181 p += 2;
182
183 /* TODO: Not clear what else to do with protocol version here */
184 if(protocolVersion != DTLS_Version_1_0) {
185 sslErrorLog("SSLProcessServerHelloVerifyRequest: protocol version error\n");
186 return errSSLProtocol;
187 }
188
189 cookieLen = *p++;
190 sslLogNegotiateDebug("cookieLen = %d, msglen=%d\n", cookieLen, message.length);
191 /* TODO: hardcoded '15' again */
192 if (message.length < (3 + cookieLen)) {
193 sslErrorLog("SSLProcessServerHelloVerifyRequest: msg len error 2\n");
194 return errSSLProtocol;
195 }
196
197 err = SSLAllocBuffer(&ctx->dtlsCookie, cookieLen, ctx);
198 if (err == 0)
199 memcpy(ctx->dtlsCookie.data, p, cookieLen);
200
201 return err;
202 }
203
204 static void
205 SSLProcessServerHelloExtension_SecureRenegotiation(SSLContext *ctx, UInt16 extLen, UInt8 *p)
206 {
207 if(extLen!= (1 + ctx->ownVerifyData.length + ctx->peerVerifyData.length))
208 return;
209
210 if(*p!=ctx->ownVerifyData.length + ctx->ownVerifyData.length)
211 return;
212 p++;
213
214 if(memcmp(p, ctx->ownVerifyData.data, ctx->ownVerifyData.length))
215 return;
216 p+=ctx->ownVerifyData.length;
217
218 if(memcmp(p, ctx->peerVerifyData.data, ctx->peerVerifyData.length))
219 return;
220
221 ctx->secure_renegotiation_received = true;
222 }
223
224
225 static OSStatus
226 SSLProcessServerHelloExtensions(SSLContext *ctx, UInt16 extensionsLen, UInt8 *p)
227 {
228 Boolean got_secure_renegotiation = false;
229 UInt16 remaining;
230
231 if(extensionsLen<2) {
232 sslErrorLog("SSLProcessHelloExtensions: need a least 2 bytes\n");
233 return errSSLProtocol;
234 }
235
236 remaining = SSLDecodeInt(p, 2); p+=2;
237 extensionsLen -=2;
238
239 /* remaining = number of bytes remaining to process according to buffer data */
240 /* extensionsLen = number of bytes in the buffer */
241
242 if(remaining>extensionsLen) {
243 sslErrorLog("SSLProcessHelloExtensions: ext len error 1\n");
244 return errSSLProtocol;
245 }
246
247 if(remaining<extensionsLen) {
248 sslErrorLog("Warning: SSLProcessServerHelloExtensions: Too many bytes\n");
249 }
250
251 while(remaining) {
252 UInt16 extType;
253 UInt16 extLen;
254
255 if (remaining<4) {
256 sslErrorLog("SSLProcessHelloExtensions: ext len error\n");
257 return errSSLProtocol;
258 }
259
260 extType = SSLDecodeInt(p, 2); p+=2;
261 extLen = SSLDecodeInt(p, 2); p+=2;
262
263 if (remaining<(4+extLen)) {
264 sslErrorLog("SSLProcessHelloExtension: ext len error 2\n");
265 return errSSLProtocol;
266 }
267 remaining -= (4+extLen);
268
269 switch (extType) {
270 case SSL_HE_SecureRenegotation:
271 if(got_secure_renegotiation)
272 return errSSLProtocol; /* Fail if we already processed one */
273 got_secure_renegotiation = true;
274 SSLProcessServerHelloExtension_SecureRenegotiation(ctx, extLen, p);
275 break;
276 default:
277 /*
278 Do nothing for other extensions. Per RFC 5246, we should (MUST) error
279 if we received extensions we didnt specify in the Client Hello.
280 Client should also abort handshake if multiple extensions of the same
281 type are found
282 */
283 break;
284 }
285 p+=extLen;
286 }
287
288 return noErr;
289 }
290
291 OSStatus
292 SSLProcessServerHello(SSLBuffer message, SSLContext *ctx)
293 { OSStatus err;
294 SSLProtocolVersion protocolVersion, negVersion;
295 size_t sessionIDLen;
296 size_t extensionsLen;
297 UInt8 *p;
298
299 assert(ctx->protocolSide == kSSLClientSide);
300
301 if (message.length < 38) {
302 sslErrorLog("SSLProcessServerHello: msg len error\n");
303 return errSSLProtocol;
304 }
305 p = message.data;
306
307 protocolVersion = (SSLProtocolVersion)SSLDecodeInt(p, 2);
308 p += 2;
309 /* FIXME this should probably send appropriate alerts */
310 err = sslVerifyProtVersion(ctx, protocolVersion, &negVersion);
311 if(err) {
312 return err;
313 }
314 ctx->negProtocolVersion = negVersion;
315 switch(negVersion) {
316 case SSL_Version_3_0:
317 ctx->sslTslCalls = &Ssl3Callouts;
318 break;
319 case TLS_Version_1_0:
320 case TLS_Version_1_1:
321 case DTLS_Version_1_0:
322 ctx->sslTslCalls = &Tls1Callouts;
323 break;
324 case TLS_Version_1_2:
325 ctx->sslTslCalls = &Tls12Callouts;
326 break;
327 default:
328 return errSSLNegotiation;
329 }
330 sslLogNegotiateDebug("===SSL3 client: negVersion is %d_%d",
331 (negVersion >> 8) & 0xff, negVersion & 0xff);
332
333 memcpy(ctx->serverRandom, p, 32);
334 p += 32;
335
336 sessionIDLen = *p++;
337 if (message.length < (38 + sessionIDLen)) {
338 sslErrorLog("SSLProcessServerHello: msg len error 2\n");
339 return errSSLProtocol;
340 }
341 if (sessionIDLen > 0 && ctx->peerID.data != 0)
342 { /* Don't die on error; just treat it as an uncached session */
343 if (ctx->sessionID.data)
344 SSLFreeBuffer(&ctx->sessionID, ctx);
345 err = SSLAllocBuffer(&ctx->sessionID, sessionIDLen, ctx);
346 if (err == 0)
347 memcpy(ctx->sessionID.data, p, sessionIDLen);
348 }
349 p += sessionIDLen;
350
351 ctx->selectedCipher = (UInt16)SSLDecodeInt(p,2);
352 sslLogNegotiateDebug("===ssl3: server requests cipherKind %x",
353 (unsigned)ctx->selectedCipher);
354 p += 2;
355 if ((err = FindCipherSpec(ctx)) != 0) {
356 return err;
357 }
358
359 if (*p++ != 0) /* Compression */
360 return unimpErr;
361
362 /* Process ServerHello extensions */
363 extensionsLen = message.length - (38 + sessionIDLen);
364
365 if(extensionsLen) {
366 err = SSLProcessServerHelloExtensions(ctx, extensionsLen, p);
367 if(err)
368 return err;
369 }
370
371 /* RFC 5746: Make sure the renegotiation is secure */
372 if(ctx->secure_renegotiation && !ctx->secure_renegotiation_received)
373 return errSSLNegotiation;
374
375 if(ctx->secure_renegotiation_received)
376 ctx->secure_renegotiation = true;
377
378 /*
379 * Note: the server MAY send a SSL_HE_EC_PointFormats extension if
380 * we've negotiated an ECDSA ciphersuite...but
381 * a) the provided format list MUST contain SSL_PointFormatUncompressed per
382 * RFC 4492 5.2; and
383 * b) The uncompressed format is the only one we support.
384 *
385 * Thus we drop a possible incoming SSL_HE_EC_PointFormats extension here.
386 * IF we ever support other point formats, we have to parse the extension
387 * to see what the server supports.
388 */
389 return noErr;
390 }
391
392 OSStatus
393 SSLEncodeClientHello(SSLRecord *clientHello, SSLContext *ctx)
394 {
395 size_t length;
396 unsigned i;
397 OSStatus err;
398 unsigned char *p;
399 SSLBuffer sessionIdentifier = { 0, NULL };
400 size_t sessionIDLen;
401 size_t sessionTicketLen = 0;
402 size_t serverNameLen = 0;
403 size_t pointFormatLen = 0;
404 size_t suppCurveLen = 0;
405 size_t signatureAlgorithmsLen = 0;
406 size_t totalExtenLen = 0;
407 UInt16 numCipherSuites;
408 int head;
409
410 assert(ctx->protocolSide == kSSLClientSide);
411
412 clientHello->contents.length = 0;
413 clientHello->contents.data = NULL;
414
415 sessionIDLen = 0;
416 if (ctx->resumableSession.data != 0)
417 { if ((err = SSLRetrieveSessionID(ctx->resumableSession,
418 &sessionIdentifier, ctx)) != 0)
419 { return err;
420 }
421 sessionIDLen = sessionIdentifier.length;
422 }
423
424 /*
425 * Since we're not in SSLv2 compatibility mode, only count non-SSLv2 ciphers.
426 */
427 #if ENABLE_SSLV2
428 numCipherSuites = ctx->numValidNonSSLv2Specs;
429 #else
430 numCipherSuites = ctx->numValidCipherSuites;
431 #endif
432
433 /* RFC 5746 : add the fake ciphersuite unless we are including the extension */
434 if(!ctx->secure_renegotiation)
435 numCipherSuites+=1;
436
437 length = 39 + 2*numCipherSuites + sessionIDLen;
438
439 err = sslGetMaxProtVersion(ctx, &clientHello->protocolVersion);
440 if(err) {
441 /* we don't have a protocol enabled */
442 goto err_exit;
443 }
444
445 /* RFC 5746: If are starting a new handshake, so we didnt received this yet */
446 ctx->secure_renegotiation_received = false;
447
448 /* If we already negotiated the protocol version previously,
449 we should just use that */
450 if(ctx->negProtocolVersion != SSL_Version_Undetermined) {
451 clientHello->protocolVersion = ctx->negProtocolVersion;
452 }
453
454 #if ENABLE_DTLS
455 if(clientHello->protocolVersion == DTLS_Version_1_0) {
456 /* extra space for cookie */
457 /* TODO: cookie len - 0 for now */
458 length += 1 + ctx->dtlsCookie.length;
459 sslLogNegotiateDebug("==DTLS Hello: len=%lu\n", length);
460 }
461 /* Because of the way the version number for DTLS is encoded,
462 the following code mean that you can use extensions with DTLS... */
463 #endif /* ENABLE_DTLS */
464
465 /* RFC 5746: We add the extension only for renegotiation ClientHello */
466 if(ctx->secure_renegotiation) {
467 totalExtenLen += 2 + /* extension type */
468 2 + /* extension length */
469 1 + /* lenght of renegotiated_conection (client verify data) */
470 ctx->ownVerifyData.length;
471 }
472
473 /* prepare for optional ClientHello extensions */
474 if((clientHello->protocolVersion >= TLS_Version_1_0) &&
475 (ctx->peerDomainName != NULL) &&
476 (ctx->peerDomainNameLen != 0)) {
477 serverNameLen = 2 + /* extension type */
478 2 + /* 2-byte vector length, extension_data */
479 2 + /* length of server_name_list */
480 1 + /* length of name_type */
481 2 + /* length of HostName */
482 ctx->peerDomainNameLen;
483 totalExtenLen += serverNameLen;
484 }
485 if(ctx->sessionTicket.length) {
486 sessionTicketLen = 2 + /* extension type */
487 2 + /* 2-byte vector length, extension_data */
488 ctx->sessionTicket.length;
489 totalExtenLen += sessionTicketLen;
490 }
491 if((clientHello->protocolVersion >= TLS_Version_1_0) &&
492 (ctx->ecdsaEnable)) {
493 /* Two more extensions: point format, supported curves */
494 pointFormatLen = 2 + /* extension type */
495 2 + /* 2-byte vector length, extension_data */
496 1 + /* length of the ec_point_format_list */
497 1; /* the single format we support */
498 suppCurveLen = 2 + /* extension type */
499 2 + /* 2-byte vector length, extension_data */
500 2 + /* length of the elliptic_curve_list */
501 (2 * ctx->ecdhNumCurves); /* each curve is 2 bytes */
502 totalExtenLen += (pointFormatLen + suppCurveLen);
503 }
504 if(ctx->isDTLS
505 ? clientHello->protocolVersion < DTLS_Version_1_0
506 : clientHello->protocolVersion >= TLS_Version_1_2) {
507 signatureAlgorithmsLen = 2 + /* extension type */
508 2 + /* 2-byte vector length, extension_data */
509 2 + /* length of signatureAlgorithms list */
510 2 * (ctx->ecdsaEnable ? 5 : 3); //FIXME: 5:3 should not be hardcoded here.
511 totalExtenLen += signatureAlgorithmsLen;
512 }
513 if(totalExtenLen != 0) {
514 /*
515 * Total length extensions have to fit in a 16 bit field...
516 */
517 if(totalExtenLen > 0xffff) {
518 sslErrorLog("Total extensions length EXCEEDED\n");
519 totalExtenLen = 0;
520 sessionTicketLen = 0;
521 serverNameLen = 0;
522 pointFormatLen = 0;
523 suppCurveLen = 0;
524 signatureAlgorithmsLen = 0;
525 }
526 else {
527 /* add length of total length plus lengths of extensions */
528 length += (totalExtenLen + 2);
529 }
530 }
531
532 clientHello->contentType = SSL_RecordTypeHandshake;
533 head = SSLHandshakeHeaderSize(clientHello);
534 if ((err = SSLAllocBuffer(&clientHello->contents, length + head, ctx)) != 0)
535 goto err_exit;
536
537 p = SSLEncodeHandshakeHeader(ctx, clientHello, SSL_HdskClientHello, length);
538
539 p = SSLEncodeInt(p, clientHello->protocolVersion, 2);
540
541 sslLogNegotiateDebug("===SSL3 client: proclaiming max protocol "
542 "%d_%d capable ONLY",
543 clientHello->protocolVersion >> 8, clientHello->protocolVersion & 0xff);
544 if ((err = SSLEncodeRandom(p, ctx)) != 0)
545 { goto err_exit;
546 }
547 memcpy(ctx->clientRandom, p, SSL_CLIENT_SRVR_RAND_SIZE);
548 p += 32;
549 *p++ = sessionIDLen; /* 1 byte vector length */
550 if (sessionIDLen > 0)
551 { memcpy(p, sessionIdentifier.data, sessionIDLen);
552 }
553 p += sessionIDLen;
554 #if ENABLE_DTLS
555 if (clientHello->protocolVersion == DTLS_Version_1_0) {
556 /* TODO: Add the cookie ! Currently: size=0 -> no cookie */
557 *p++ = ctx->dtlsCookie.length;
558 if(ctx->dtlsCookie.length) {
559 memcpy(p, ctx->dtlsCookie.data, ctx->dtlsCookie.length);
560 p+=ctx->dtlsCookie.length;
561 }
562 sslLogNegotiateDebug("==DTLS Hello: cookie len = %d\n",ctx->dtlsCookie.length);
563 }
564 #endif
565
566
567 p = SSLEncodeInt(p, 2*numCipherSuites, 2);
568 /* 2 byte long vector length */
569
570 /* RFC 5746 : add the fake ciphersuite unless we are including the extension */
571 if(!ctx->secure_renegotiation)
572 p = SSLEncodeInt(p, TLS_EMPTY_RENEGOTIATION_INFO_SCSV, 2);
573
574 for (i = 0; i<ctx->numValidCipherSuites; ++i) {
575 #if ENABLE_SSLV2
576 if(CIPHER_SUITE_IS_SSLv2(ctx->validCipherSuites[i])) {
577 continue;
578 }
579 #endif
580 sslLogNegotiateDebug("ssl3EncodeClientHello sending suite %x",
581 (unsigned)ctx->validCipherSuites[i]);
582 p = SSLEncodeInt(p, ctx->validCipherSuites[i], 2);
583 }
584 *p++ = 1; /* 1 byte long vector */
585 *p++ = 0; /* null compression */
586
587 /*
588 * Append ClientHello extensions.
589 */
590 if(totalExtenLen != 0) {
591 /* first, total length of all extensions */
592 p = SSLEncodeSize(p, totalExtenLen, 2);
593 }
594 if(ctx->secure_renegotiation){
595 assert(ctx->ownVerifyData.length<=255);
596 p = SSLEncodeInt(p, SSL_HE_SecureRenegotation, 2);
597 p = SSLEncodeSize(p, ctx->ownVerifyData.length+1, 2);
598 p = SSLEncodeSize(p, ctx->ownVerifyData.length, 1);
599 memcpy(p, ctx->ownVerifyData.data, ctx->ownVerifyData.length);
600 p += ctx->ownVerifyData.length;
601 }
602 if(sessionTicketLen) {
603 sslEapDebug("Adding %lu bytes of sessionTicket to ClientHello",
604 ctx->sessionTicket.length);
605 p = SSLEncodeInt(p, SSL_HE_SessionTicket, 2);
606 p = SSLEncodeSize(p, ctx->sessionTicket.length, 2);
607 memcpy(p, ctx->sessionTicket.data, ctx->sessionTicket.length);
608 p += ctx->sessionTicket.length;
609 }
610 if(serverNameLen) {
611 sslEapDebug("Specifying ServerNameIndication");
612 p = SSLEncodeInt(p, SSL_HE_ServerName, 2);
613 p = SSLEncodeSize(p, ctx->peerDomainNameLen + 5, 2);
614 p = SSLEncodeSize(p, ctx->peerDomainNameLen + 3, 2);
615 p = SSLEncodeInt(p, SSL_NT_HostName, 1);
616 p = SSLEncodeSize(p, ctx->peerDomainNameLen, 2);
617 memcpy(p, ctx->peerDomainName, ctx->peerDomainNameLen);
618 p += ctx->peerDomainNameLen;
619 }
620 if(suppCurveLen) {
621 UInt32 len = 2 * ctx->ecdhNumCurves;
622 unsigned dex;
623 p = SSLEncodeInt(p, SSL_HE_EllipticCurves, 2);
624 p = SSLEncodeSize(p, len+2, 2); /* length of extension data */
625 p = SSLEncodeSize(p, len, 2); /* length of elliptic_curve_list */
626 for(dex=0; dex<ctx->ecdhNumCurves; dex++) {
627 sslEcdsaDebug("+++ adding supported curves %u to ClientHello",
628 (unsigned)ctx->ecdhCurves[dex]);
629 p = SSLEncodeInt(p, ctx->ecdhCurves[dex], 2);
630 }
631 }
632 if(pointFormatLen) {
633 sslEcdsaDebug("+++ adding point format to ClientHello");
634 p = SSLEncodeInt(p, SSL_HE_EC_PointFormats, 2);
635 p = SSLEncodeSize(p, 2, 2); /* length of extension data */
636 p = SSLEncodeSize(p, 1, 1); /* length of ec_point_format_list */
637 p = SSLEncodeInt(p, SSL_PointFormatUncompressed, 1);
638 }
639 if (signatureAlgorithmsLen) {
640 sslEcdsaDebug("+++ adding signature algorithms to ClientHello");
641 /* TODO: Don't hardcode this */
642 /* We dont support SHA512 or SHA224 because we didnot implement the digest abstraction for those
643 and we dont keep a running hash for those.
644 We dont support SHA384/ECDSA because corecrypto ec does not support it with 256 bits curves */
645 UInt32 len = 2 * (ctx->ecdsaEnable ? 5 : 3); //FIXME: 5:3 should not be hardcoded here.
646 p = SSLEncodeInt(p, SSL_HE_SignatureAlgorithms, 2);
647 p = SSLEncodeSize(p, len+2, 2); /* length of extension data */
648 p = SSLEncodeSize(p, len, 2); /* length of extension data */
649 // p = SSLEncodeInt(p, SSL_HashAlgorithmSHA512, 1);
650 // p = SSLEncodeInt(p, SSL_SignatureAlgorithmRSA, 1);
651 p = SSLEncodeInt(p, SSL_HashAlgorithmSHA384, 1);
652 p = SSLEncodeInt(p, SSL_SignatureAlgorithmRSA, 1);
653 p = SSLEncodeInt(p, SSL_HashAlgorithmSHA256, 1);
654 p = SSLEncodeInt(p, SSL_SignatureAlgorithmRSA, 1);
655 // p = SSLEncodeInt(p, SSL_HashAlgorithmSHA224, 1);
656 // p = SSLEncodeInt(p, SSL_SignatureAlgorithmRSA, 1);
657 p = SSLEncodeInt(p, SSL_HashAlgorithmSHA1, 1);
658 p = SSLEncodeInt(p, SSL_SignatureAlgorithmRSA, 1);
659 if (ctx->ecdsaEnable) {
660 // p = SSLEncodeInt(p, SSL_HashAlgorithmSHA512, 1);
661 // p = SSLEncodeInt(p, SSL_SignatureAlgorithmECDSA, 1);
662 // p = SSLEncodeInt(p, SSL_HashAlgorithmSHA384, 1);
663 // p = SSLEncodeInt(p, SSL_SignatureAlgorithmECDSA, 1);
664 p = SSLEncodeInt(p, SSL_HashAlgorithmSHA256, 1);
665 p = SSLEncodeInt(p, SSL_SignatureAlgorithmECDSA, 1);
666 // p = SSLEncodeInt(p, SSL_HashAlgorithmSHA224, 1);
667 // p = SSLEncodeInt(p, SSL_SignatureAlgorithmECDSA, 1);
668 p = SSLEncodeInt(p, SSL_HashAlgorithmSHA1, 1);
669 p = SSLEncodeInt(p, SSL_SignatureAlgorithmECDSA, 1);
670 }
671 }
672
673 sslLogNegotiateDebug("Client Hello : data=%p p=%p len=%08x\n", clientHello->contents.data, p, clientHello->contents.length);
674
675 assert(p == clientHello->contents.data + clientHello->contents.length);
676
677 if ((err = SSLInitMessageHashes(ctx)) != 0)
678 goto err_exit;
679
680 err_exit:
681 if (err != 0) {
682 SSLFreeBuffer(&clientHello->contents, ctx);
683 }
684 SSLFreeBuffer(&sessionIdentifier, ctx);
685
686 return err;
687 }
688
689 OSStatus
690 SSLProcessClientHello(SSLBuffer message, SSLContext *ctx)
691 { OSStatus err;
692 SSLProtocolVersion negVersion;
693 UInt16 cipherListLen, cipherCount, desiredSuite, cipherSuite;
694 UInt8 sessionIDLen, compressionCount;
695 UInt8 *charPtr;
696 unsigned i;
697 UInt8 *eom; /* end of message */
698
699 if (message.length < 41) {
700 sslErrorLog("SSLProcessClientHello: msg len error 1\n");
701 return errSSLProtocol;
702 }
703 charPtr = message.data;
704 eom = charPtr + message.length;
705 ctx->clientReqProtocol = (SSLProtocolVersion)SSLDecodeInt(charPtr, 2);
706 charPtr += 2;
707 err = sslVerifyProtVersion(ctx, ctx->clientReqProtocol, &negVersion);
708 if(err) {
709 sslErrorLog("SSLProcessClientHello: protocol version error %04x - %04x\n", ctx->clientReqProtocol, negVersion);
710 return err;
711 }
712 switch(negVersion) {
713 case SSL_Version_3_0:
714 ctx->sslTslCalls = &Ssl3Callouts;
715 break;
716 case TLS_Version_1_0:
717 case TLS_Version_1_1:
718 case DTLS_Version_1_0:
719 ctx->sslTslCalls = &Tls1Callouts;
720 break;
721 case TLS_Version_1_2:
722 ctx->sslTslCalls = &Tls12Callouts;
723 break;
724 default:
725 return errSSLNegotiation;
726 }
727 ctx->negProtocolVersion = negVersion;
728 sslLogNegotiateDebug("===SSL3 server: negVersion is %d_%d",
729 negVersion >> 8, negVersion & 0xff);
730
731 memcpy(ctx->clientRandom, charPtr, SSL_CLIENT_SRVR_RAND_SIZE);
732 charPtr += 32;
733 sessionIDLen = *(charPtr++);
734 if (message.length < (unsigned)(41 + sessionIDLen)) {
735 sslErrorLog("SSLProcessClientHello: msg len error 2\n");
736 return errSSLProtocol;
737 }
738 /* FIXME peerID is never set on server side.... */
739 if (sessionIDLen > 0 && ctx->peerID.data != 0)
740 { /* Don't die on error; just treat it as an uncacheable session */
741 err = SSLAllocBuffer(&ctx->sessionID, sessionIDLen, ctx);
742 if (err == 0)
743 memcpy(ctx->sessionID.data, charPtr, sessionIDLen);
744 }
745 charPtr += sessionIDLen;
746
747 #if ENABLE_DTLS
748 /* TODO: actually do something with this cookie */
749 if(negVersion==DTLS_Version_1_0) {
750 UInt8 cookieLen = *charPtr++;
751
752 sslLogNegotiateDebug("cookieLen=%d\n", cookieLen);
753
754 if((ctx->dtlsCookie.length==0) || ((cookieLen==ctx->dtlsCookie.length) && (memcmp(ctx->dtlsCookie.data, charPtr, cookieLen)==0)))
755 {
756 ctx->cookieVerified=true;
757 } else {
758 ctx->cookieVerified=false;
759 }
760
761 charPtr+=cookieLen;
762 }
763
764 /* TODO: if we are about to send a HelloVerifyRequest, we probably dont need to process the cipherspecs */
765 #endif
766
767 cipherListLen = (UInt16)SSLDecodeInt(charPtr, 2);
768 /* Count of cipherSuites, must be even & >= 2 */
769 charPtr += 2;
770 if((charPtr + cipherListLen) > eom) {
771 sslErrorLog("SSLProcessClientHello: msg len error 5\n");
772 return errSSLProtocol;
773 }
774 if ((cipherListLen & 1) ||
775 (cipherListLen < 2) ||
776 (message.length < (unsigned)(39 + sessionIDLen + cipherListLen))) {
777 sslErrorLog("SSLProcessClientHello: msg len error 3\n");
778 return errSSLProtocol;
779 }
780 cipherCount = cipherListLen/2;
781 cipherSuite = 0xFFFF; /* No match marker */
782 while (cipherSuite == 0xFFFF && cipherCount--)
783 { desiredSuite = (UInt16)SSLDecodeInt(charPtr, 2);
784 charPtr += 2;
785 for (i = 0; i <ctx->numValidCipherSuites; i++)
786 { if (ctx->validCipherSuites[i] == desiredSuite)
787 { cipherSuite = desiredSuite;
788 break;
789 }
790 }
791 }
792
793 if (cipherSuite == 0xFFFF)
794 return errSSLNegotiation;
795 charPtr += 2 * cipherCount; /* Advance past unchecked cipherCounts */
796 ctx->selectedCipher = cipherSuite;
797 /* validate cipher later, after we get possible sessionTicket */
798
799 compressionCount = *(charPtr++);
800 if ((compressionCount < 1) ||
801 (message.length <
802 (unsigned)(38 + sessionIDLen + cipherListLen + compressionCount))) {
803 sslErrorLog("SSLProcessClientHello: msg len error 4\n");
804 return errSSLProtocol;
805 }
806 /* Ignore list; we're doing null */
807
808 /*
809 * Handle ClientHello extensions.
810 */
811 /* skip compression list */
812 charPtr += compressionCount;
813 if(charPtr < eom) {
814 ptrdiff_t remLen = eom - charPtr;
815 UInt32 totalExtensLen;
816 UInt32 extenType;
817 UInt32 extenLen;
818 if(remLen < 6) {
819 /*
820 * Not enough for extension type and length, but not an error...
821 * skip it and proceed.
822 */
823 sslEapDebug("SSLProcessClientHello: too small for any extension");
824 goto proceed;
825 }
826 totalExtensLen = SSLDecodeInt(charPtr, 2);
827 charPtr += 2;
828 if((charPtr + totalExtensLen) > eom) {
829 sslEapDebug("SSLProcessClientHello: too small for specified total_extension_length");
830 goto proceed;
831 }
832 while(charPtr < eom) {
833 extenType = SSLDecodeInt(charPtr, 2);
834 charPtr += 2;
835 extenLen = SSLDecodeInt(charPtr, 2);
836 charPtr += 2;
837 if((charPtr + extenLen) > eom) {
838 sslEapDebug("SSLProcessClientHello: too small for specified extension_length");
839 break;
840 }
841 switch(extenType) {
842 #if SSL_PAC_SERVER_ENABLE
843
844 case SSL_HE_SessionTicket:
845 SSLFreeBuffer(&ctx->sessionTicket, NULL);
846 SSLCopyBufferFromData(charPtr, extenLen, &ctx->sessionTicket);
847 sslEapDebug("Saved %lu bytes of sessionTicket from ClientHello",
848 (unsigned long)extenLen);
849 break;
850 #endif
851 case SSL_HE_ServerName:
852 {
853 /*
854 * This is for debug only (it's disabled for Deployment builds).
855 * Someday, I imagine we'll have a getter in the API to get this info.
856 */
857 UInt8 *cp = charPtr;
858 UInt32 v = SSLDecodeInt(cp, 2);
859 cp += 2;
860 sslEapDebug("SSL_HE_ServerName: length of server_name_list %lu",
861 (unsigned long)v);
862 v = SSLDecodeInt(cp, 1);
863 cp++;
864 sslEapDebug("SSL_HE_ServerName: name_type %lu", (unsigned long)v);
865 v = SSLDecodeInt(cp, 2);
866 cp += 2;
867 sslEapDebug("SSL_HE_ServerName: length of HostName %lu",
868 (unsigned long)v);
869 char hostString[v + 1];
870 memmove(hostString, cp, v);
871 hostString[v] = '\0';
872 sslEapDebug("SSL_HE_ServerName: ServerName '%s'", hostString);
873 break;
874 }
875 case SSL_HE_SignatureAlgorithms:
876 {
877 UInt8 *cp = charPtr, *end = charPtr + extenLen;
878 UInt32 sigAlgsSize = SSLDecodeInt(cp, 2);
879 cp += 2;
880
881 if (extenLen != sigAlgsSize + 2 || extenLen & 1 || sigAlgsSize & 1) {
882 sslEapDebug("SSL_HE_SignatureAlgorithms: odd length of signature algorithms list %lu %lu",
883 (unsigned long)extenLen, (unsigned long)sigAlgsSize);
884 break;
885 }
886
887 ctx->numClientSigAlgs = sigAlgsSize / 2;
888 if(ctx->clientSigAlgs != NULL) {
889 sslFree(ctx->clientSigAlgs);
890 }
891 ctx->clientSigAlgs = (SSLSignatureAndHashAlgorithm *)
892 sslMalloc((ctx->numClientSigAlgs) * sizeof(SSLSignatureAndHashAlgorithm));
893 for(i=0; i<ctx->numClientSigAlgs; i++) {
894 /* TODO: Validate hash and signature fields. */
895 ctx->clientSigAlgs[i].hash = *cp++;
896 ctx->clientSigAlgs[i].signature = *cp++;
897 sslLogNegotiateDebug("===Client specifies sigAlg %d %d",
898 ctx->clientSigAlgs[i].hash,
899 ctx->clientSigAlgs[i].signature);
900 }
901 assert(cp==end);
902 break;
903 }
904 default:
905 sslEapDebug("SSLProcessClientHello: unknown extenType (%lu)",
906 (unsigned long)extenType);
907 break;
908 }
909 charPtr += extenLen;
910 }
911 }
912 proceed:
913 if ((err = FindCipherSpec(ctx)) != 0) {
914 return err;
915 }
916 sslLogNegotiateDebug("ssl3 server: selecting cipherKind 0x%x", (unsigned)ctx->selectedCipher);
917 if ((err = SSLInitMessageHashes(ctx)) != 0)
918 return err;
919
920 return noErr;
921 }
922
923 OSStatus
924 SSLEncodeRandom(unsigned char *p, SSLContext *ctx)
925 { SSLBuffer randomData;
926 OSStatus err;
927 uint32_t now;
928
929 if ((err = sslTime(&now)) != 0)
930 return err;
931 SSLEncodeInt(p, now, 4);
932 randomData.data = p+4;
933 randomData.length = 28;
934 if((err = sslRand(ctx, &randomData)) != 0)
935 return err;
936 return noErr;
937 }
938
939 OSStatus
940 SSLInitMessageHashes(SSLContext *ctx)
941 { OSStatus err;
942
943 if ((err = CloseHash(&SSLHashSHA1, &ctx->shaState, ctx)) != 0)
944 return err;
945 if ((err = CloseHash(&SSLHashMD5, &ctx->md5State, ctx)) != 0)
946 return err;
947 if ((err = CloseHash(&SSLHashSHA256, &ctx->sha256State, ctx)) != 0)
948 return err;
949 if ((err = CloseHash(&SSLHashSHA384, &ctx->sha512State, ctx)) != 0)
950 return err;
951 if ((err = ReadyHash(&SSLHashSHA1, &ctx->shaState, ctx)) != 0)
952 return err;
953 if ((err = ReadyHash(&SSLHashMD5, &ctx->md5State, ctx)) != 0)
954 return err;
955 if ((err = ReadyHash(&SSLHashSHA256, &ctx->sha256State, ctx)) != 0)
956 return err;
957 if ((err = ReadyHash(&SSLHashSHA384, &ctx->sha512State, ctx)) != 0)
958 return err;
959 return noErr;
960 }