]> git.saurik.com Git - apple/security.git/blob - SecureTransport/hdskhelo.c
projects / apple / security.git / blob
? search:


9d3841cbd0228a8e1be09023c78dd7817755d991
[apple/security.git] / SecureTransport / hdskhelo.c
1 /*
2 * Copyright (c) 2000-2001 Apple Computer, Inc. All Rights Reserved.
3 *
4 * The contents of this file constitute Original Code as defined in and are
5 * subject to the Apple Public Source License Version 1.2 (the 'License').
6 * You may not use this file except in compliance with the License. Please obtain
7 * a copy of the License at http://www.apple.com/publicsource and read it before
8 * using this file.
9 *
10 * This Original Code and all software distributed under the License are
11 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS
12 * OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, INCLUDING WITHOUT
13 * LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
14 * PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. Please see the License for the
15 * specific language governing rights and limitations under the License.
16 */
17
18
19 /*
20 File: hdskhelo.c
21
22 Contains: Support for client hello and server hello messages.
23
24 Written by: Doug Mitchell, based on Netscape SSLRef 3.0
25
26 Copyright: (c) 1999 by Apple Computer, Inc., all rights reserved.
27
28 */
29 /* *********************************************************************
30 File: hdskhelo.c
31
32 SSLRef 3.0 Final -- 11/19/96
33
34 Copyright (c)1996 by Netscape Communications Corp.
35
36 By retrieving this software you are bound by the licensing terms
37 disclosed in the file "LICENSE.txt". Please read it, and if you don't
38 accept the terms, delete this software.
39
40 SSLRef 3.0 was developed by Netscape Communications Corp. of Mountain
41 View, California <http://home.netscape.com/> and Consensus Development
42 Corporation of Berkeley, California <http://www.consensus.com/>.
43
44 *********************************************************************
45
46 File: hdskhelo.c Support for client hello and server hello messages
47
48 Also, encoding of Random structures and initializing the message
49 hashes used for calculating finished and certificate verify messages.
50
51 ****************************************************************** */
52
53 #ifndef _SSLCTX_H_
54 #include "sslctx.h"
55 #endif
56
57 #ifndef _SSLHDSHK_H_
58 #include "sslhdshk.h"
59 #endif
60
61 #ifndef _SSLALLOC_H_
62 #include "sslalloc.h"
63 #endif
64
65 #ifndef _SSLSESS_H_
66 #include "sslsess.h"
67 #endif
68
69 #ifndef _SSLUTIL_H_
70 #include "sslutil.h"
71 #endif
72
73 #ifndef _SSL_DEBUG_H_
74 #include "sslDebug.h"
75 #endif
76
77 #ifndef _APPLE_GLUE_H_
78 #include "appleGlue.h"
79 #endif
80
81 #ifndef _APPLE_CDSA_H_
82 #include "appleCdsa.h"
83 #endif
84
85 #ifndef _DIGESTS_H_
86 #include "digests.h"
87 #endif
88
89 #ifndef _CIPHER_SPECS_H_
90 #include "cipherSpecs.h"
91 #endif
92
93 #include <string.h>
94
95 static SSLErr SSLEncodeRandom(unsigned char *p, SSLContext *ctx);
96
97 /* IE treats null session id as valid; two consecutive sessions with NULL ID
98 * are considered a match. Workaround: when resumable sessions are disabled,
99 * send a random session ID. */
100 #define SSL_IE_NULL_RESUME_BUG 1
101 #if SSL_IE_NULL_RESUME_BUG
102 #define SSL_NULL_ID_LEN 32 /* length of bogus session ID */
103 #endif
104
105 SSLErr
106 SSLEncodeServerHello(SSLRecord *serverHello, SSLContext *ctx)
107 { SSLErr err;
108 UInt8 *progress;
109 int sessionIDLen;
110
111 sessionIDLen = 0;
112 if (ctx->sessionID.data != 0)
113 sessionIDLen = (UInt8)ctx->sessionID.length;
114 #if SSL_IE_NULL_RESUME_BUG
115 if(sessionIDLen == 0) {
116 sessionIDLen = SSL_NULL_ID_LEN;
117 }
118 #endif /* SSL_IE_NULL_RESUME_BUG */
119
120 #if LOG_NEGOTIATE
121 dprintf2("===SSL3 server: sending version %d_%d\n",
122 ctx->negProtocolVersion >> 8, ctx->negProtocolVersion & 0xff);
123 dprintf1("...sessionIDLen = %d\n", sessionIDLen);
124 #endif
125 serverHello->protocolVersion = ctx->negProtocolVersion;
126 serverHello->contentType = SSL_handshake;
127 if ((err = SSLAllocBuffer(&serverHello->contents, 42 + sessionIDLen, &ctx->sysCtx)) != 0)
128 return err;
129
130 progress = serverHello->contents.data;
131 *progress++ = SSL_server_hello;
132 progress = SSLEncodeInt(progress, 38 + sessionIDLen, 3);
133 progress = SSLEncodeInt(progress, serverHello->protocolVersion, 2);
134 if ((err = SSLEncodeRandom(progress, ctx)) != 0)
135 return err;
136 memcpy(ctx->serverRandom, progress, SSL_CLIENT_SRVR_RAND_SIZE);
137 progress += SSL_CLIENT_SRVR_RAND_SIZE;
138 *(progress++) = (UInt8)sessionIDLen;
139 #if SSL_IE_NULL_RESUME_BUG
140 if(ctx->sessionID.data != NULL) {
141 /* normal path for enabled resumable session */
142 memcpy(progress, ctx->sessionID.data, sessionIDLen);
143 }
144 else {
145 /* IE workaround */
146 SSLBuffer rb;
147 rb.data = progress;
148 rb.length = SSL_NULL_ID_LEN;
149 sslRand(ctx, &rb);
150 }
151 #else
152 if (sessionIDLen > 0)
153 memcpy(progress, ctx->sessionID.data, sessionIDLen);
154 #endif /* SSL_IE_NULL_RESUME_BUG */
155 progress += sessionIDLen;
156 progress = SSLEncodeInt(progress, ctx->selectedCipher, 2);
157 *(progress++) = 0; /* Null compression */
158
159 #if LOG_NEGOTIATE
160 dprintf1("ssl3: server specifying cipherSuite 0x%lx\n", (UInt32)ctx->selectedCipher);
161 #endif
162
163 CASSERT(progress == serverHello->contents.data + serverHello->contents.length);
164
165 return SSLNoErr;
166 }
167
168 SSLErr
169 SSLProcessServerHello(SSLBuffer message, SSLContext *ctx)
170 { SSLErr err;
171 SSLProtocolVersion protocolVersion;
172 unsigned int sessionIDLen;
173 UInt8 *p;
174
175 CASSERT(ctx->protocolSide == SSL_ClientSide);
176
177 if (message.length < 38 || message.length > 70) {
178 errorLog0("SSLProcessServerHello: msg len error\n");
179 return SSLProtocolErr;
180 }
181 p = message.data;
182
183 protocolVersion = (SSLProtocolVersion)SSLDecodeInt(p, 2);
184 p += 2;
185 if (protocolVersion > ctx->maxProtocolVersion) {
186 return SSLNegotiationErr;
187 }
188 ctx->negProtocolVersion = protocolVersion;
189 switch(protocolVersion) {
190 case SSL_Version_3_0:
191 ctx->sslTslCalls = &Ssl3Callouts;
192 break;
193 case TLS_Version_1_0:
194 ctx->sslTslCalls = &Tls1Callouts;
195 break;
196 default:
197 return SSLNegotiationErr;
198 }
199 #if LOG_NEGOTIATE
200 dprintf2("===SSL3 client: negVersion is %d_%d\n",
201 (protocolVersion >> 8) & 0xff, protocolVersion & 0xff);
202 #endif
203
204 memcpy(ctx->serverRandom, p, 32);
205 p += 32;
206
207 sessionIDLen = *p++;
208 if (message.length != 38 + sessionIDLen) {
209 errorLog0("SSLProcessServerHello: msg len error 2\n");
210 return SSLProtocolErr;
211 }
212 if (sessionIDLen > 0 && ctx->peerID.data != 0)
213 { /* Don't die on error; just treat it as an uncached session */
214 err = SSLAllocBuffer(&ctx->sessionID, sessionIDLen, &ctx->sysCtx);
215 if (err == 0)
216 memcpy(ctx->sessionID.data, p, sessionIDLen);
217 }
218 p += sessionIDLen;
219
220 ctx->selectedCipher = (UInt16)SSLDecodeInt(p,2);
221 #if LOG_NEGOTIATE
222 dprintf1("===ssl3: server requests cipherKind %d\n",
223 (unsigned)ctx->selectedCipher);
224 #endif
225 p += 2;
226 if ((err = FindCipherSpec(ctx)) != 0) {
227 return err;
228 }
229
230 if (*p++ != 0) /* Compression */
231 return SSLUnsupportedErr;
232
233 CASSERT(p == message.data + message.length);
234 return SSLNoErr;
235 }
236
237 SSLErr
238 SSLEncodeClientHello(SSLRecord *clientHello, SSLContext *ctx)
239 { int length, i;
240 SSLErr err;
241 unsigned char *p;
242 SSLBuffer sessionIdentifier;
243 UInt16 sessionIDLen;
244
245 CASSERT(ctx->protocolSide == SSL_ClientSide);
246
247 sessionIDLen = 0;
248 if (ctx->resumableSession.data != 0)
249 { if (ERR(err = SSLRetrieveSessionID(ctx->resumableSession, &sessionIdentifier, ctx)) != 0)
250 { return err;
251 }
252 sessionIDLen = sessionIdentifier.length;
253 }
254
255 length = 39 + 2*(ctx->numValidCipherSpecs) + sessionIDLen;
256
257 clientHello->protocolVersion = ctx->maxProtocolVersion;
258 clientHello->contentType = SSL_handshake;
259 if ((err = SSLAllocBuffer(&clientHello->contents, length + 4, &ctx->sysCtx)) != 0)
260 return err;
261
262 p = clientHello->contents.data;
263 *p++ = SSL_client_hello;
264 p = SSLEncodeInt(p, length, 3);
265 p = SSLEncodeInt(p, ctx->maxProtocolVersion, 2);
266 #if LOG_NEGOTIATE
267 dprintf2("===SSL3 client: proclaiming max protocol %d_%d capable ONLY\n",
268 ctx->maxProtocolVersion >> 8, ctx->maxProtocolVersion & 0xff);
269 #endif
270 if ((err = SSLEncodeRandom(p, ctx)) != 0)
271 { SSLFreeBuffer(&clientHello->contents, &ctx->sysCtx);
272 return err;
273 }
274 memcpy(ctx->clientRandom, p, SSL_CLIENT_SRVR_RAND_SIZE);
275 p += 32;
276 *p++ = sessionIDLen; /* 1 byte vector length */
277 if (sessionIDLen > 0)
278 { memcpy(p, sessionIdentifier.data, sessionIDLen);
279 if ((err = SSLFreeBuffer(&sessionIdentifier, &ctx->sysCtx)) != 0)
280 return err;
281 }
282 p += sessionIDLen;
283 p = SSLEncodeInt(p, 2*(ctx->numValidCipherSpecs), 2); /* 2 byte long vector length */
284 for (i = 0; i<ctx->numValidCipherSpecs; ++i)
285 p = SSLEncodeInt(p, ctx->validCipherSpecs[i].cipherSpec, 2);
286 *p++ = 1; /* 1 byte long vector */
287 *p++ = 0; /* null compression */
288
289 CASSERT(p == clientHello->contents.data + clientHello->contents.length);
290
291 if ((err = SSLInitMessageHashes(ctx)) != 0)
292 return err;
293
294 return SSLNoErr;
295 }
296
297 SSLErr
298 SSLProcessClientHello(SSLBuffer message, SSLContext *ctx)
299 { SSLErr err;
300 SSLProtocolVersion clientVersion;
301 UInt16 cipherListLen, cipherCount, desiredSpec, cipherSpec;
302 UInt8 sessionIDLen, compressionCount;
303 UInt8 *progress;
304 int i;
305
306 if (message.length < 41) {
307 errorLog0("SSLProcessClientHello: msg len error 1\n");
308 return SSLProtocolErr;
309 }
310 progress = message.data;
311 clientVersion = (SSLProtocolVersion)SSLDecodeInt(progress, 2);
312 progress += 2;
313 #if old_way
314 /* tested, works with SSLv3 */
315 if (clientVersion < SSL_Version_3_0) {
316 #if LOG_NEGOTIATE
317 dprintf1("===SSL3 server: clientVersion %s rejected\n", clientVersion);
318 #endif
319 return SSLUnsupportedErr;
320 }
321 ctx->negProtocolVersion = SSL_Version_3_0;
322 #else
323 /* Untested, for TLS */
324 if(clientVersion > ctx->maxProtocolVersion) {
325 clientVersion = ctx->maxProtocolVersion;
326 }
327 switch(clientVersion) {
328 case SSL_Version_3_0:
329 ctx->sslTslCalls = &Ssl3Callouts;
330 break;
331 case TLS_Version_1_0:
332 ctx->sslTslCalls = &Tls1Callouts;
333 break;
334 default:
335 return SSLNegotiationErr;
336 }
337 ctx->negProtocolVersion = clientVersion;
338 #endif /* new_way */
339 #if LOG_NEGOTIATE
340 dprintf2("===SSL3 server: negVersion is %d_%d\n",
341 clientVersion >> 8, clientVersion & 0xff);
342 #endif
343
344 memcpy(ctx->clientRandom, progress, SSL_CLIENT_SRVR_RAND_SIZE);
345 progress += 32;
346 sessionIDLen = *(progress++);
347 if (message.length < 41 + sessionIDLen) {
348 errorLog0("SSLProcessClientHello: msg len error 2\n");
349 return SSLProtocolErr;
350 }
351 if (sessionIDLen > 0 && ctx->peerID.data != 0)
352 { /* Don't die on error; just treat it as an uncacheable session */
353 err = SSLAllocBuffer(&ctx->sessionID, sessionIDLen, &ctx->sysCtx);
354 if (err == 0)
355 memcpy(ctx->sessionID.data, progress, sessionIDLen);
356 }
357 progress += sessionIDLen;
358
359 cipherListLen = (UInt16)SSLDecodeInt(progress, 2); /* Count of cipherSpecs, must be even & >= 2 */
360 progress += 2;
361 if ((cipherListLen & 1) || cipherListLen < 2 || message.length < 39 + sessionIDLen + cipherListLen) {
362 errorLog0("SSLProcessClientHello: msg len error 3\n");
363 return SSLProtocolErr;
364 }
365 cipherCount = cipherListLen/2;
366 cipherSpec = 0xFFFF; /* No match marker */
367 while (cipherSpec == 0xFFFF && cipherCount--)
368 { desiredSpec = (UInt16)SSLDecodeInt(progress, 2);
369 progress += 2;
370 for (i = 0; i <ctx->numValidCipherSpecs; i++)
371 { if (ctx->validCipherSpecs[i].cipherSpec == desiredSpec)
372 { cipherSpec = desiredSpec;
373 break;
374 }
375 }
376 }
377
378 if (cipherSpec == 0xFFFF)
379 return SSLNegotiationErr;
380 progress += 2 * cipherCount; /* Advance past unchecked cipherCounts */
381 ctx->selectedCipher = cipherSpec;
382 if ((err = FindCipherSpec(ctx)) != 0) {
383 return err;
384 }
385 #if LOG_NEGOTIATE
386 dprintf1("ssl3 server: selecting cipherKind 0x%x\n", (unsigned)ctx->selectedCipher);
387 #endif
388
389 compressionCount = *(progress++);
390 /* message.length restriction relaxed to allow too-long messages for future expansion
391 following recommendation of TLS meeting 5/29/96 */
392 if (compressionCount < 1 || message.length < 38 + sessionIDLen + cipherListLen + compressionCount) {
393 errorLog0("SSLProcessClientHello: msg len error 4\n");
394 return SSLProtocolErr;
395 }
396 /* Ignore list; we're doing null */
397
398 if ((err = SSLInitMessageHashes(ctx)) != 0)
399 return err;
400
401 return SSLNoErr;
402 }
403
404 static SSLErr
405 SSLEncodeRandom(unsigned char *p, SSLContext *ctx)
406 { SSLBuffer randomData;
407 SSLErr err;
408 UInt32 time;
409
410 if ((err = sslTime(&time)) != 0)
411 return err;
412 SSLEncodeInt(p, time, 4);
413 randomData.data = p+4;
414 randomData.length = 28;
415 if((err = sslRand(ctx, &randomData)) != 0)
416 return err;
417 return SSLNoErr;
418 }
419
420 SSLErr
421 SSLInitMessageHashes(SSLContext *ctx)
422 { SSLErr err;
423
424 if ((err = CloseHash(&SSLHashSHA1, &ctx->shaState, ctx)) != 0)
425 return err;
426 if ((err = CloseHash(&SSLHashMD5, &ctx->md5State, ctx)) != 0)
427 return err;
428 if ((err = ReadyHash(&SSLHashSHA1, &ctx->shaState, ctx)) != 0)
429 return err;
430 if ((err = ReadyHash(&SSLHashMD5, &ctx->md5State, ctx)) != 0)
431 return err;
432 return SSLNoErr;
433 }
mirror of Security