--- /dev/null
+/*
+ * Copyright (c) 2000-2001 Apple Computer, Inc. All Rights Reserved.
+ *
+ * The contents of this file constitute Original Code as defined in and are
+ * subject to the Apple Public Source License Version 1.2 (the 'License').
+ * You may not use this file except in compliance with the License. Please obtain
+ * a copy of the License at http://www.apple.com/publicsource and read it before
+ * using this file.
+ *
+ * This Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS
+ * OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, INCLUDING WITHOUT
+ * LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
+ * PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. Please see the License for the
+ * specific language governing rights and limitations under the License.
+ */
+
+
+/*
+ File: ssl2Record.cpp
+
+ Contains: Record encrypting/decrypting/MACing for SSL 2
+
+ Written by: Doug Mitchell
+
+ Copyright: (c) 1999 by Apple Computer, Inc., all rights reserved.
+
+*/
+
+#include "ssl2.h"
+#include "sslRecord.h"
+#include "sslMemory.h"
+#include "sslContext.h"
+#include "sslAlertMessage.h"
+#include "sslDebug.h"
+#include "sslUtils.h"
+#include "sslDigests.h"
+
+#include <string.h>
+
+static OSStatus SSL2DecryptRecord(
+ SSLBuffer &payload,
+ SSLContext *ctx);
+static OSStatus SSL2VerifyMAC(
+ SSLBuffer &content,
+ UInt8 *compareMAC,
+ SSLContext *ctx);
+static OSStatus SSL2CalculateMAC(
+ SSLBuffer &secret,
+ SSLBuffer &content,
+ UInt32 seqNo,
+ const HashReference &hash,
+ SSLBuffer &mac,
+ SSLContext *ctx);
+
+
+OSStatus
+SSL2ReadRecord(SSLRecord &rec, SSLContext *ctx)
+{ OSStatus err;
+ UInt32 len, contentLen;
+ int padding, headerSize;
+ UInt8 *charPtr;
+ SSLBuffer readData, cipherFragment;
+
+ switch (ctx->negProtocolVersion)
+ { case SSL_Version_Undetermined:
+ case SSL_Version_3_0_With_2_0_Hello:
+ case SSL_Version_2_0:
+ break;
+ case SSL_Version_3_0: /* We've negotiated a 3.0 session;
+ * we can send an alert */
+ case TLS_Version_1_0:
+ SSLFatalSessionAlert(SSL_AlertUnexpectedMsg, ctx);
+ return errSSLProtocol;
+ case SSL_Version_3_0_Only: /* We haven't yet negotiated, but
+ * we don't want to support 2.0; just
+ * die without an alert */
+ return errSSLProtocol;
+ default:
+ sslErrorLog("bad protocolVersion in ctx->protocolVersion");
+ return errSSLInternal;
+ }
+
+ if (!ctx->partialReadBuffer.data || ctx->partialReadBuffer.length < 3)
+ { if (ctx->partialReadBuffer.data)
+ if ((err = SSLFreeBuffer(ctx->partialReadBuffer, ctx)) != 0)
+ { SSLFatalSessionAlert(SSL_AlertCloseNotify, ctx);
+ return err;
+ }
+ if ((err = SSLAllocBuffer(ctx->partialReadBuffer, DEFAULT_BUFFER_SIZE, ctx)) != 0)
+ { SSLFatalSessionAlert(SSL_AlertCloseNotify, ctx);
+ return err;
+ }
+ }
+
+ if (ctx->amountRead < 3)
+ { readData.length = 3 - ctx->amountRead;
+ readData.data = ctx->partialReadBuffer.data + ctx->amountRead;
+ len = readData.length;
+ err = sslIoRead(readData, &len, ctx);
+ if(err != 0)
+ { if (err == errSSLWouldBlock)
+ ctx->amountRead += len;
+ if (err == ioErr && ctx->amountRead == 0) /* If the session closes on a record boundary, it's graceful */
+ err = errSSLClosedGraceful;
+ return err;
+ }
+ ctx->amountRead += len;
+ }
+
+ rec.contentType = SSL_RecordTypeV2_0;
+ rec.protocolVersion = SSL_Version_2_0;
+ charPtr = ctx->partialReadBuffer.data;
+
+ if (((*charPtr) & 0x80) != 0) /* High bit on -> specifies 2-byte header */
+ { headerSize = 2;
+ contentLen = ((charPtr[0] & 0x7F) << 8) | charPtr[1];
+ padding = 0;
+ }
+ else if (((*charPtr) & 0x40) != 0) /* Bit 6 on -> specifies security escape */
+ { return errSSLProtocol; /* No security escapes are defined */
+ }
+ else /* 3-byte header */
+ { headerSize = 3;
+ contentLen = ((charPtr[0] & 0x3F) << 8) | charPtr[1];
+ padding = charPtr[2];
+ }
+
+ /*
+ * FIXME - what's the max record size?
+ * and why doesn't SSLReadRecord parse the 2 or 3 byte header?
+ * Note: I see contentLen of 0 coming back from www.cduniverse.com when
+ * it's only been given SSL_RSA_EXPORT_WITH_DES40_CBC_SHA.
+ */
+ if((contentLen == 0) || (contentLen > 0xffff)) {
+ return errSSLProtocol;
+ }
+
+ charPtr += headerSize;
+
+ if (ctx->partialReadBuffer.length < headerSize + contentLen)
+ { if ((err = SSLReallocBuffer(ctx->partialReadBuffer, 5 + contentLen, ctx)) != 0)
+ return err;
+ }
+
+ if (ctx->amountRead < headerSize + contentLen)
+ { readData.length = headerSize + contentLen - ctx->amountRead;
+ readData.data = ctx->partialReadBuffer.data + ctx->amountRead;
+ len = readData.length;
+ err = sslIoRead(readData, &len, ctx);
+ if(err != 0)
+ { if (err == errSSLWouldBlock)
+ ctx->amountRead += len;
+ return err;
+ }
+ ctx->amountRead += len;
+ }
+
+ cipherFragment.data = ctx->partialReadBuffer.data + headerSize;
+ cipherFragment.length = contentLen;
+ if ((err = SSL2DecryptRecord(cipherFragment, ctx)) != 0)
+ return err;
+
+ cipherFragment.length -= padding; /* Remove padding; MAC was removed
+ * by SSL2DecryptRecord */
+
+ IncrementUInt64(&ctx->readCipher.sequenceNum);
+
+ /* Allocate a buffer to return the plaintext in and return it */
+ if ((err = SSLAllocBuffer(rec.contents, cipherFragment.length, ctx)) != 0)
+ return err;
+ memcpy(rec.contents.data, cipherFragment.data, cipherFragment.length);
+
+ ctx->amountRead = 0; /* We've used all the data in the cache */
+
+ return noErr;
+}
+
+OSStatus
+SSL2WriteRecord(SSLRecord &rec, SSLContext *ctx)
+{ OSStatus err;
+ int padding = 0, i, headerSize;
+ WaitingRecord *out, *queue;
+ SSLBuffer buf, content, payload, secret, mac;
+ UInt8 *charPtr;
+ UInt16 payloadSize, blockSize;
+
+ assert(rec.contents.length < 16384);
+
+ out = 0;
+ /* Allocate a WaitingRecord to store our ready-to-send record in */
+ if ((err = SSLAllocBuffer(buf, sizeof(WaitingRecord), ctx)) != 0)
+ return err;
+ out = (WaitingRecord*)buf.data;
+ out->next = 0;
+ out->sent = 0;
+
+ payloadSize = (UInt16)
+ (rec.contents.length + ctx->writeCipher.macRef->hash->digestSize);
+ blockSize = ctx->writeCipher.symCipher->blockSize;
+ if (blockSize > 0)
+ {
+ padding = blockSize - (payloadSize % blockSize);
+ if (padding == blockSize)
+ padding = 0;
+ payloadSize += padding;
+ headerSize = 3;
+ }
+ else
+ { padding = 0;
+ headerSize = 2;
+ }
+ out->data.data = 0;
+ if ((err = SSLAllocBuffer(out->data, headerSize + payloadSize, ctx)) != 0)
+ goto fail;
+ charPtr = out->data.data;
+
+ if (headerSize == 2)
+ charPtr = SSLEncodeInt(charPtr, payloadSize | 0x8000, 2);
+ else
+ { charPtr = SSLEncodeInt(charPtr, payloadSize, 2);
+ *charPtr++ = padding;
+ }
+
+ payload.data = charPtr;
+ payload.length = payloadSize;
+
+ mac.data = charPtr;
+ mac.length = ctx->writeCipher.macRef->hash->digestSize;
+ charPtr += mac.length;
+
+ content.data = charPtr;
+ content.length = rec.contents.length + padding;
+ memcpy(charPtr, rec.contents.data, rec.contents.length);
+ charPtr += rec.contents.length;
+ i = padding;
+ while (i--)
+ *charPtr++ = padding;
+
+ assert(charPtr == out->data.data + out->data.length);
+
+ secret.data = ctx->writeCipher.macSecret;
+ secret.length = ctx->writeCipher.symCipher->keySize;
+ if (mac.length > 0)
+ if ((err = SSL2CalculateMAC(secret, content,
+ ctx->writeCipher.sequenceNum.low,
+ *ctx->writeCipher.macRef->hash, mac, ctx)) != 0)
+ goto fail;
+
+ if ((err = ctx->writeCipher.symCipher->encrypt(payload,
+ payload,
+ &ctx->writeCipher,
+ ctx)) != 0)
+ goto fail;
+
+ /* Enqueue the record to be written from the idle loop */
+ if (ctx->recordWriteQueue == 0)
+ ctx->recordWriteQueue = out;
+ else
+ { queue = ctx->recordWriteQueue;
+ while (queue->next != 0)
+ queue = queue->next;
+ queue->next = out;
+ }
+
+ /* Increment the sequence number */
+ IncrementUInt64(&ctx->writeCipher.sequenceNum);
+
+ return noErr;
+
+fail:
+ /*
+ * Only for if we fail between when the WaitingRecord is allocated and
+ * when it is queued
+ */
+ SSLFreeBuffer(out->data, 0);
+ buf.data = (UInt8*)out;
+ buf.length = sizeof(WaitingRecord);
+ SSLFreeBuffer(buf, ctx);
+ return err;
+}
+
+static OSStatus
+SSL2DecryptRecord(SSLBuffer &payload, SSLContext *ctx)
+{ OSStatus err;
+ SSLBuffer content;
+
+ if (ctx->readCipher.symCipher->blockSize > 0)
+ if (payload.length % ctx->readCipher.symCipher->blockSize != 0)
+ return errSSLProtocol;
+
+ /* Decrypt in place */
+ if ((err = ctx->readCipher.symCipher->decrypt(payload,
+ payload,
+ &ctx->readCipher,
+ ctx)) != 0)
+ return err;
+
+ if (ctx->readCipher.macRef->hash->digestSize > 0)
+ /* Optimize away MAC for null case */
+ { content.data = payload.data + ctx->readCipher.macRef->hash->digestSize; /* Data is after MAC */
+ content.length = payload.length - ctx->readCipher.macRef->hash->digestSize;
+ if ((err = SSL2VerifyMAC(content, payload.data, ctx)) != 0)
+ return err;
+ /* Adjust payload to remove MAC; caller is still responsible
+ * for removing padding [if any] */
+ payload = content;
+ }
+
+ return noErr;
+}
+
+#define IGNORE_MAC_FAILURE 0
+
+static OSStatus
+SSL2VerifyMAC(SSLBuffer &content, UInt8 *compareMAC, SSLContext *ctx)
+{ OSStatus err;
+ UInt8 calculatedMAC[SSL_MAX_DIGEST_LEN];
+ SSLBuffer secret, mac;
+
+ secret.data = ctx->readCipher.macSecret;
+ secret.length = ctx->readCipher.symCipher->keySize;
+ mac.data = calculatedMAC;
+ mac.length = ctx->readCipher.macRef->hash->digestSize;
+ if ((err = SSL2CalculateMAC(secret, content, ctx->readCipher.sequenceNum.low,
+ *ctx->readCipher.macRef->hash, mac, ctx)) != 0)
+ return err;
+ if (memcmp(mac.data, compareMAC, mac.length) != 0) {
+ #if IGNORE_MAC_FAILURE
+ sslErrorLog("SSL2VerifyMAC: Mac verify failure\n");
+ return noErr;
+ #else
+ sslErrorLog("SSL2VerifyMAC: Mac verify failure\n");
+ return errSSLProtocol;
+ #endif
+ }
+ return noErr;
+}
+
+#define LOG_MAC_DATA 0
+#if LOG_MAC_DATA
+static void logMacData(
+ char *field,
+ SSLBuffer *data)
+{
+ int i;
+
+ printf("%s: ", field);
+ for(i=0; i<data->length; i++) {
+ printf("%02X", data->data[i]);
+ if((i % 4) == 3) {
+ printf(" ");
+ }
+ }
+ printf("\n");
+}
+#else /* LOG_MAC_DATA */
+#define logMacData(f, d)
+#endif /* LOG_MAC_DATA */
+
+/* For SSL 2, the MAC is hash ( secret || content || sequence# )
+ * where secret is the decryption key for the message, content is
+ * the record data plus any padding used to round out the record
+ * size to an even multiple of the block size and sequence# is
+ * a monotonically increasing 32-bit unsigned integer.
+ */
+static OSStatus
+SSL2CalculateMAC(
+ SSLBuffer &secret,
+ SSLBuffer &content,
+ UInt32 seqNo,
+ const HashReference &hash,
+ SSLBuffer &mac,
+ SSLContext *ctx)
+{ OSStatus err;
+ UInt8 sequenceNum[4];
+ SSLBuffer seqData, hashContext;
+
+ SSLEncodeInt(sequenceNum, seqNo, 4);
+ seqData.data = sequenceNum;
+ seqData.length = 4;
+
+ hashContext.data = 0;
+ if ((err = ReadyHash(hash, hashContext, ctx)) != 0)
+ return err;
+ if ((err = hash.update(hashContext, secret)) != 0)
+ goto fail;
+ if ((err = hash.update(hashContext, content)) != 0)
+ goto fail;
+ if ((err = hash.update(hashContext, seqData)) != 0)
+ goto fail;
+ if ((err = hash.final(hashContext, mac)) != 0)
+ goto fail;
+
+ logMacData("secret ", &secret);
+ logMacData("seqData", &seqData);
+ logMacData("mac ", &mac);
+
+ err = noErr;
+fail:
+ SSLFreeBuffer(hashContext, ctx);
+ return err;
+}
+
+OSStatus
+SSL2SendError(SSL2ErrorCode error, SSLContext *ctx)
+{ OSStatus err;
+ SSLRecord rec;
+ UInt8 errorData[3];
+
+ rec.contentType = SSL_RecordTypeV2_0;
+ rec.protocolVersion = SSL_Version_2_0;
+ rec.contents.data = errorData;
+ rec.contents.length = 3;
+ errorData[0] = SSL2_MsgError;
+ SSLEncodeInt(errorData + 1, error, 2);
+
+ err = SSL2WriteRecord(rec, ctx);
+ return err;
+}
projects / apple / security.git / blobdiff