]> git.saurik.com Git - apple/security.git/blob - SecureTransport/ssl2Protocol.cpp
projects / apple / security.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Security-163.tar.gz
[apple/security.git] / SecureTransport / ssl2Protocol.cpp
1 /*
2 * Copyright (c) 2000-2001 Apple Computer, Inc. All Rights Reserved.
3 *
4 * The contents of this file constitute Original Code as defined in and are
5 * subject to the Apple Public Source License Version 1.2 (the 'License').
6 * You may not use this file except in compliance with the License. Please obtain
7 * a copy of the License at http://www.apple.com/publicsource and read it before
8 * using this file.
9 *
10 * This Original Code and all software distributed under the License are
11 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS
12 * OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, INCLUDING WITHOUT
13 * LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
14 * PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. Please see the License for the
15 * specific language governing rights and limitations under the License.
16 */
17
18
19 /*
20 File: ssl2Protocol.cpp
21
22 Contains: Protocol engine for SSL 2
23
24 Written by: Doug Mitchell
25
26 Copyright: (c) 1999 by Apple Computer, Inc., all rights reserved.
27
28 */
29
30 #include "ssl.h"
31 #include "ssl2.h"
32 #include "sslRecord.h"
33 #include "sslMemory.h"
34 #include "sslContext.h"
35 #include "sslHandshake.h"
36 #include "sslSession.h"
37 #include "sslAlertMessage.h"
38 #include "sslDebug.h"
39 #include "appleCdsa.h"
40 #include "sslUtils.h"
41 #include "sslDigests.h"
42 #include <string.h>
43 #include <assert.h>
44
45 #ifndef NDEBUG
46
47 static char *sslHdskMsgToStr(SSL2MessageType msg)
48 {
49 static char badStr[100];
50
51 switch(msg) {
52 case SSL2_MsgError:
53 return "SSL2_MsgError";
54 case SSL2_MsgClientHello:
55 return "SSL2_MsgClientHello";
56 case SSL2_MsgClientMasterKey:
57 return "SSL2_MsgClientMasterKey";
58 case SSL2_MsgClientFinished:
59 return "SSL2_MsgClientFinished";
60 case SSL2_MsgServerHello:
61 return "SSL2_MsgServerHello";
62 case SSL2_MsgServerVerify:
63 return "SSL2_MsgServerVerify";
64 case SSL2_MsgServerFinished:
65 return "SSL2_MsgServerFinished";
66 case SSL2_MsgRequestCert:
67 return "SSL2_MsgRequestCert";
68 case SSL2_MsgClientCert:
69 return "SSL2_MsgClientCert";
70 case SSL2_MsgKickstart:
71 return "SSL2_MsgKickstart";
72 default:
73 sprintf(badStr, "Unknown msg (%d(d)", msg);
74 return badStr;
75 }
76 }
77
78 static void logSsl2Msg(SSL2MessageType msg, char sent)
79 {
80 char *ms = sslHdskMsgToStr(msg);
81 sslHdskMsgDebug("...msg %s: %s", (sent ? "sent" : "recd"), ms);
82 }
83
84 #else
85
86 #define logSsl2Msg(m, s)
87
88 #endif /* NDEBUG */
89
90 OSStatus
91 SSL2ProcessMessage(SSLRecord &rec, SSLContext *ctx)
92 { OSStatus err = 0;
93 SSL2MessageType msg;
94 SSLBuffer contents;
95
96 if (rec.contents.length < 2)
97 return errSSLProtocol;
98
99 msg = (SSL2MessageType)rec.contents.data[0];
100 contents.data = rec.contents.data + 1;
101 contents.length = rec.contents.length - 1;
102
103 logSsl2Msg(msg, 0);
104
105 switch (msg)
106 { case SSL2_MsgError:
107 err = errSSLClosedAbort;
108 break;
109 case SSL2_MsgClientHello:
110 if (ctx->state != SSL_HdskStateServerUninit)
111 return errSSLProtocol;
112 err = SSL2ProcessClientHello(contents, ctx);
113 if (err == errSSLNegotiation)
114 SSL2SendError(SSL2_ErrNoCipher, ctx);
115 break;
116 case SSL2_MsgClientMasterKey:
117 if (ctx->state != SSL2_HdskStateClientMasterKey)
118 return errSSLProtocol;
119 err = SSL2ProcessClientMasterKey(contents, ctx);
120 break;
121 case SSL2_MsgClientFinished:
122 if (ctx->state != SSL2_HdskStateClientFinished)
123 return errSSLProtocol;
124 err = SSL2ProcessClientFinished(contents, ctx);
125 break;
126 case SSL2_MsgServerHello:
127 if (ctx->state != SSL2_HdskStateServerHello &&
128 ctx->state != SSL_HdskStateServerHelloUnknownVersion)
129 return errSSLProtocol;
130 err = SSL2ProcessServerHello(contents, ctx);
131 if (err == errSSLNegotiation)
132 SSL2SendError(SSL2_ErrNoCipher, ctx);
133 break;
134 case SSL2_MsgServerVerify:
135 if (ctx->state != SSL2_HdskStateServerVerify)
136 return errSSLProtocol;
137 err = SSL2ProcessServerVerify(contents, ctx);
138 break;
139 case SSL2_MsgServerFinished:
140 if (ctx->state != SSL2_HdskStateServerFinished) {
141 /* FIXME - this ifndef should not be necessary */
142 #ifndef NDEBUG
143 sslHdskStateDebug("SSL2_MsgServerFinished; state %s",
144 hdskStateToStr(ctx->state));
145 #endif
146 return errSSLProtocol;
147 }
148 err = SSL2ProcessServerFinished(contents, ctx);
149 break;
150 case SSL2_MsgRequestCert:
151 /* Don't process the request; we don't support client certification */
152 break;
153 case SSL2_MsgClientCert:
154 return errSSLProtocol;
155 break;
156 default:
157 return errSSLProtocol;
158 break;
159 }
160
161 if (err == 0)
162 {
163 if ((msg == SSL2_MsgClientHello) &&
164 (ctx->negProtocolVersion >= SSL_Version_3_0))
165 { /* Promote this message to SSL 3 protocol */
166 if ((err = SSL3ReceiveSSL2ClientHello(rec, ctx)) != 0)
167 return err;
168 }
169 else
170 err = SSL2AdvanceHandshake(msg, ctx);
171 }
172 return err;
173 }
174
175 OSStatus
176 SSL2AdvanceHandshake(SSL2MessageType msg, SSLContext *ctx)
177 { OSStatus err;
178
179 err = noErr;
180
181 switch (msg)
182 { case SSL2_MsgKickstart:
183 assert(ctx->negProtocolVersion == SSL_Version_Undetermined);
184 assert(ctx->versionSsl2Enable);
185 if (ctx->versionSsl3Enable || ctx->versionTls1Enable) {
186 /* prepare for possible v3 upgrade */
187 if ((err = SSLInitMessageHashes(ctx)) != 0)
188 return err;
189 }
190 if ((err = SSL2PrepareAndQueueMessage(SSL2EncodeClientHello, ctx)) != 0)
191 return err;
192 if (ctx->versionSsl3Enable || ctx->versionTls1Enable) {
193 SSLChangeHdskState(ctx, SSL_HdskStateServerHelloUnknownVersion);
194 }
195 else {
196 /* v2 only */
197 SSLChangeHdskState(ctx, SSL2_HdskStateServerHello);
198 }
199 break;
200 case SSL2_MsgClientHello:
201 if ((err = SSL2CompareSessionIDs(ctx)) != 0)
202 return err;
203 if (ctx->sessionMatch == 0)
204 if ((err = SSL2GenerateSessionID(ctx)) != 0)
205 return err;
206 if ((err = SSL2PrepareAndQueueMessage(SSL2EncodeServerHello, ctx)) != 0)
207 return err;
208 if (ctx->sessionMatch == 0)
209 { SSLChangeHdskState(ctx, SSL2_HdskStateClientMasterKey);
210 break;
211 }
212 sslLogResumSessDebug("===RESUMING SSL2 server-side session");
213 if ((err = SSL2InstallSessionKey(ctx)) != 0)
214 return err;
215 /* Fall through for matching session; lame, but true */
216 case SSL2_MsgClientMasterKey:
217 if ((err = SSL2InitCiphers(ctx)) != 0)
218 return err;
219 if ((err = SSL2PrepareAndQueueMessage(SSL2EncodeServerVerify, ctx)) != 0)
220 return err;
221 if ((err = SSL2PrepareAndQueueMessage(SSL2EncodeServerFinished, ctx)) != 0)
222 return err;
223 SSLChangeHdskState(ctx, SSL2_HdskStateClientFinished);
224 break;
225 case SSL2_MsgServerHello:
226 if (ctx->sessionMatch == 0)
227 { if ((err = SSL2PrepareAndQueueMessage(SSL2EncodeClientMasterKey, ctx)) != 0)
228 return err;
229 }
230 else
231 {
232 sslLogResumSessDebug("===RESUMING SSL2 client-side session");
233 if ((err = SSL2InstallSessionKey(ctx)) != 0)
234 return err;
235 }
236 if ((err = SSL2InitCiphers(ctx)) != 0)
237 return err;
238 if ((err = SSL2PrepareAndQueueMessage(SSL2EncodeClientFinished, ctx)) != 0)
239 return err;
240 SSLChangeHdskState(ctx, SSL2_HdskStateServerVerify);
241 break;
242 case SSL2_MsgClientFinished:
243 /* Handshake is complete; turn ciphers on */
244 ctx->writeCipher.ready = 1;
245 ctx->readCipher.ready = 1;
246 /* original code never got out of SSL2_MsgClientFinished state */
247 assert(ctx->protocolSide == SSL_ServerSide);
248 SSLChangeHdskState(ctx, SSL_HdskStateServerReady);
249 if (ctx->peerID.data != 0)
250 SSLAddSessionData(ctx);
251 break;
252 case SSL2_MsgServerVerify:
253 SSLChangeHdskState(ctx, SSL2_HdskStateServerFinished);
254 break;
255 case SSL2_MsgRequestCert:
256 if ((err = SSL2SendError(SSL2_ErrNoCert, ctx)) != 0)
257 return err;
258 break;
259 case SSL2_MsgServerFinished:
260 /* Handshake is complete; turn ciphers on */
261 ctx->writeCipher.ready = 1;
262 ctx->readCipher.ready = 1;
263 /* original code never got out of SSL2_MsgServerFinished state */
264 assert(ctx->protocolSide == SSL_ClientSide);
265 SSLChangeHdskState(ctx, SSL_HdskStateClientReady);
266 if (ctx->peerID.data != 0)
267 SSLAddSessionData(ctx);
268 break;
269 case SSL2_MsgError:
270 case SSL2_MsgClientCert:
271 return errSSLProtocol;
272 break;
273 }
274
275 return noErr;
276 }
277
278 OSStatus
279 SSL2PrepareAndQueueMessage(EncodeSSL2MessageFunc encodeFunc, SSLContext *ctx)
280 { OSStatus err;
281 SSLRecord rec;
282
283 rec.contentType = SSL_RecordTypeV2_0;
284 rec.protocolVersion = SSL_Version_2_0;
285 if ((err = encodeFunc(rec.contents, ctx)) != 0)
286 return err;
287
288 logSsl2Msg((SSL2MessageType)rec.contents.data[0], 1);
289
290 assert(ctx->sslTslCalls != NULL);
291 if ((err = ctx->sslTslCalls->writeRecord(rec, ctx)) != 0)
292 { SSLFreeBuffer(rec.contents, ctx);
293 return err;
294 }
295
296 assert((ctx->negProtocolVersion == SSL_Version_Undetermined) ||
297 (ctx->negProtocolVersion == SSL_Version_2_0));
298 if((ctx->negProtocolVersion == SSL_Version_Undetermined) &&
299 (ctx->versionSsl3Enable || ctx->versionTls1Enable)) {
300 /* prepare for possible V3/TLS1 upgrade */
301 if ((err = SSLHashSHA1.update(ctx->shaState, rec.contents)) != 0 ||
302 (err = SSLHashMD5.update(ctx->md5State, rec.contents)) != 0)
303 return err;
304 }
305 err = SSLFreeBuffer(rec.contents, ctx);
306 return err;
307 }
308
309 OSStatus
310 SSL2CompareSessionIDs(SSLContext *ctx)
311 { OSStatus err;
312 SSLBuffer sessionIdentifier;
313
314 ctx->sessionMatch = 0;
315
316 if (ctx->resumableSession.data == 0)
317 return noErr;
318
319 if ((err = SSLRetrieveSessionID(ctx->resumableSession,
320 &sessionIdentifier, ctx)) != 0)
321 return err;
322
323 if (sessionIdentifier.length == ctx->sessionID.length &&
324 memcmp(sessionIdentifier.data, ctx->sessionID.data, sessionIdentifier.length) == 0)
325 ctx->sessionMatch = 1;
326
327 if ((err = SSLFreeBuffer(sessionIdentifier, ctx)) != 0)
328 return err;
329
330 return noErr;
331 }
332
333 OSStatus
334 SSL2InstallSessionKey(SSLContext *ctx)
335 { OSStatus err;
336
337 assert(ctx->sessionMatch != 0);
338 assert(ctx->resumableSession.data != 0);
339 if ((err = SSLInstallSessionFromData(ctx->resumableSession, ctx)) != 0)
340 return err;
341 return noErr;
342 }
343
344 OSStatus
345 SSL2GenerateSessionID(SSLContext *ctx)
346 { OSStatus err;
347
348 if ((err = SSLFreeBuffer(ctx->sessionID, ctx)) != 0)
349 return err;
350 if ((err = SSLAllocBuffer(ctx->sessionID, SSL_SESSION_ID_LEN, ctx)) != 0)
351 return err;
352 if ((err = sslRand(ctx, &ctx->sessionID)) != 0)
353 return err;
354 return noErr;
355 }
356
357 OSStatus
358 SSL2InitCiphers(SSLContext *ctx)
359 { OSStatus err;
360 int keyMaterialLen;
361 SSLBuffer keyData;
362 uint8 variantChar, *charPtr, *readKey, *writeKey, *iv;
363 SSLBuffer hashDigest, hashContext, masterKey, challenge, connectionID, variantData;
364
365 keyMaterialLen = 2 * ctx->selectedCipherSpec->cipher->keySize;
366 if ((err = SSLAllocBuffer(keyData, keyMaterialLen, ctx)) != 0)
367 return err;
368
369 /* Can't have % in assertion string... */
370 #if SSL_DEBUG
371 {
372 UInt32 keyModDigestSize = keyMaterialLen % SSLHashMD5.digestSize;
373 assert(keyModDigestSize == 0);
374 }
375 #endif
376
377 masterKey.data = ctx->masterSecret;
378 masterKey.length = ctx->selectedCipherSpec->cipher->keySize;
379 challenge.data = ctx->clientRandom + SSL_CLIENT_SRVR_RAND_SIZE -
380 ctx->ssl2ChallengeLength;
381 challenge.length = ctx->ssl2ChallengeLength;
382 connectionID.data = ctx->serverRandom;
383 connectionID.length = ctx->ssl2ConnectionIDLength;
384 variantData.data = &variantChar;
385 variantData.length = 1;
386 if ((err = SSLAllocBuffer(hashContext, SSLHashMD5.contextSize, ctx)) != 0)
387 { SSLFreeBuffer(keyData, ctx);
388 return err;
389 }
390
391 variantChar = 0x30; /* '0' */
392 charPtr = keyData.data;
393 while (keyMaterialLen)
394 { hashDigest.data = charPtr;
395 hashDigest.length = SSLHashMD5.digestSize;
396 if ((err = SSLHashMD5.init(hashContext, ctx)) != 0 ||
397 (err = SSLHashMD5.update(hashContext, masterKey)) != 0 ||
398 (err = SSLHashMD5.update(hashContext, variantData)) != 0 ||
399 (err = SSLHashMD5.update(hashContext, challenge)) != 0 ||
400 (err = SSLHashMD5.update(hashContext, connectionID)) != 0 ||
401 (err = SSLHashMD5.final(hashContext, hashDigest)) != 0)
402 { SSLFreeBuffer(keyData, ctx);
403 SSLFreeBuffer(hashContext, ctx);
404 return err;
405 }
406 charPtr += hashDigest.length;
407 ++variantChar;
408 keyMaterialLen -= hashDigest.length;
409 }
410
411 assert(charPtr == keyData.data + keyData.length);
412
413 if ((err = SSLFreeBuffer(hashContext, ctx)) != 0)
414 { SSLFreeBuffer(keyData, ctx);
415 return err;
416 }
417
418 ctx->readPending.macRef = ctx->selectedCipherSpec->macAlgorithm;
419 ctx->writePending.macRef = ctx->selectedCipherSpec->macAlgorithm;
420 ctx->readPending.symCipher = ctx->selectedCipherSpec->cipher;
421 ctx->writePending.symCipher = ctx->selectedCipherSpec->cipher;
422 ctx->readPending.sequenceNum = ctx->readCipher.sequenceNum;
423 ctx->writePending.sequenceNum = ctx->writeCipher.sequenceNum;
424
425 if (ctx->protocolSide == SSL_ServerSide)
426 { writeKey = keyData.data;
427 readKey = keyData.data + ctx->selectedCipherSpec->cipher->keySize;
428 }
429 else
430 { readKey = keyData.data;
431 writeKey = keyData.data + ctx->selectedCipherSpec->cipher->keySize;
432 }
433
434 iv = ctx->masterSecret + ctx->selectedCipherSpec->cipher->keySize;
435
436 if ((err = ctx->readPending.symCipher->initialize(readKey, iv,
437 &ctx->readPending, ctx)) != 0 ||
438 (err = ctx->writePending.symCipher->initialize(writeKey, iv,
439 &ctx->writePending, ctx)) != 0)
440 { SSLFreeBuffer(keyData, ctx);
441 return err;
442 }
443
444 /*
445 * HEY! macSecret is only 20 bytes. This blows up when key size
446 * is greater than 20, e.g., 3DES.
447 * I'll increase the size of macSecret to 24, 'cause it appears
448 * from the SSL v23 spec that the macSecret really the same size as
449 * CLIENT-WRITE-KEY and SERVER-READ-KEY (see 1.2 of the spec).
450 */
451 memcpy(ctx->readPending.macSecret, readKey, ctx->selectedCipherSpec->cipher->keySize);
452 memcpy(ctx->writePending.macSecret, writeKey, ctx->selectedCipherSpec->cipher->keySize);
453
454 if ((err = SSLFreeBuffer(keyData, ctx)) != 0)
455 return err;
456
457 ctx->readCipher = ctx->readPending;
458 ctx->writeCipher = ctx->writePending;
459 memset(&ctx->readPending, 0, sizeof(CipherContext)); /* Zero out old data */
460 memset(&ctx->writePending, 0, sizeof(CipherContext)); /* Zero out old data */
461
462 return noErr;
463 }
mirror of Security