-/*
- * Copyright (c) 2002,2005-2007,2010-2011 Apple Inc. All Rights Reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * This file contains Original Code and/or Modifications of Original Code
- * as defined in and that are subject to the Apple Public Source License
- * Version 2.0 (the 'License'). You may not use this file except in
- * compliance with the License. Please obtain a copy of the License at
- * http://www.opensource.apple.com/apsl/ and read it before using this
- * file.
- *
- * The Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
- * Please see the License for the specific language governing rights and
- * limitations under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- */
-
-/*
- * ssl3RecordCallouts.c - SSLv3-specific routines for SslTlsCallouts.
- */
-
-/* THIS FILE CONTAINS KERNEL CODE */
-
-#include <AssertMacros.h>
-#include <string.h>
-#include <stdint.h>
-#include <inttypes.h>
-
-#ifdef KERNEL
-#include <sys/types.h>
-#else
-#include <stddef.h>
-#endif
-
-#include "sslDebug.h"
-#include "sslMemory.h"
-#include "sslUtils.h"
-#include "sslRand.h"
-
-#include "tls_record.h"
-
-
-/*
- * ssl3WriteRecord does not send alerts on failure, out of the assumption/fear
- * that this might result in a loop (since sending an alert causes ssl3WriteRecord
- * to be called).
- *
- * As far as I can tell, we can use this same routine for SSLv3 and TLSv1, as long
- * as we're not trying to use the "variable length padding" feature of TLSv1.
- * OpenSSL doesn't use that feature; for now, neither will we. Thus this routine
- * is used for the SslTlsCallouts.writeRecord function for both protocols.
- */
-int ssl3WriteRecord(
- SSLRecord rec,
- struct SSLRecordInternalContext *ctx)
-{
- int err;
- int padding = 0, i;
- WaitingRecord *out = NULL, *queue;
- SSLBuffer payload, mac;
- uint8_t *charPtr;
- uint16_t payloadSize,blockSize = 0;
- int head = 5;
-
- switch(rec.protocolVersion) {
- case DTLS_Version_1_0:
- head += 8;
- case SSL_Version_3_0:
- case TLS_Version_1_0:
- case TLS_Version_1_1:
- case TLS_Version_1_2:
- break;
- default:
- check(0);
- return errSSLRecordInternal;
- }
- check(rec.contents.length <= 16384);
-
- sslLogRecordIo("type = %02x, ver = %04x, len = %ld, seq = %016llx",
- rec.contentType, rec.protocolVersion, rec.contents.length,
- ctx->writeCipher.sequenceNum);
-
- /* Allocate enough room for the transmitted record, which will be:
- * 5 bytes of header (13 for DTLS) +
- * IV [block cipher and TLS1.1 or DTLS 1.0 only]
- * encrypted contents +
- * macLength +
- * padding [block ciphers only] +
- * padding length field (1 byte) [block ciphers only]
- */
- payloadSize = (uint16_t) rec.contents.length;
- CipherType cipherType = ctx->writeCipher.symCipher->params->cipherType;
- const Cipher *cipher = &ctx->writeCipher.symCipher->c.cipher;
- const AEADCipher *aead = &ctx->writeCipher.symCipher->c.aead;
- blockSize = ctx->writeCipher.symCipher->params->blockSize;
- switch (cipherType) {
- case blockCipherType:
- payloadSize += ctx->writeCipher.macRef->hash->digestSize;
- padding = blockSize - (payloadSize % blockSize) - 1;
- payloadSize += padding + 1;
- /* TLS 1.1, TLS1.2 and DTLS 1.0 have an extra block for IV */
- if(ctx->negProtocolVersion >= TLS_Version_1_1) {
- payloadSize += blockSize;
- }
- break;
- case streamCipherType:
- payloadSize += ctx->writeCipher.macRef->hash->digestSize;
- break;
- case aeadCipherType:
- /* AES_GCM doesn't need padding. */
- payloadSize += aead->macSize;
- break;
- default:
- check(0);
- return errSSLRecordInternal;
- }
-
- out = (WaitingRecord *)sslMalloc(offsetof(WaitingRecord, data) +
- head + payloadSize);
- out->next = NULL;
- out->sent = 0;
- out->length = head + payloadSize;
-
- charPtr = out->data;
- *(charPtr++) = rec.contentType;
- charPtr = SSLEncodeInt(charPtr, rec.protocolVersion, 2);
-
- /* DTLS sequence number */
- if(rec.protocolVersion == DTLS_Version_1_0)
- charPtr = SSLEncodeUInt64(charPtr,ctx->writeCipher.sequenceNum);
-
- charPtr = SSLEncodeInt(charPtr, payloadSize, 2);
-
- /* Also for DTLS */
- if((ctx->negProtocolVersion >= TLS_Version_1_1) &&
- (cipherType == blockCipherType))
- {
- SSLBuffer randomIV;
- randomIV.data = charPtr;
- randomIV.length = blockSize;
- if((err = sslRand(&randomIV)) != 0)
- return err;
- charPtr += blockSize;
- }
- if (cipherType == aeadCipherType) {
- /* Encode the explicit iv, for AES_GCM we just use the 8 byte
- sequenceNum as the explicitIV.
- Ideally this needs to be done in the algorithm itself, by an
- extra function pointer in AEADCipher. */
- charPtr = SSLEncodeUInt64(charPtr,ctx->writeCipher.sequenceNum);
- /* TODO: If we ever add any mode other than GCM this code might have
- to be different. */
- /* TODO: Pass 4 byte implicit and 8 byte explicit IV to cipher */
- //err = ctx->writeCipher.symCipher->c.aead.setIV(charPtr, &ctx->writeCipher, ctx);
- }
-
- /* Copy the contents into the output buffer */
- memcpy(charPtr, rec.contents.data, rec.contents.length);
- payload.data = charPtr;
- payload.length = rec.contents.length;
-
- charPtr += rec.contents.length;
-
- /* MAC the data */
- if (cipherType != aeadCipherType) {
- /* MAC immediately follows data */
- mac.data = charPtr;
- mac.length = ctx->writeCipher.macRef->hash->digestSize;
- charPtr += mac.length;
- if (mac.length > 0) /* Optimize away null case */
- {
- check(ctx->sslTslCalls != NULL);
- if ((err = ctx->sslTslCalls->computeMac(rec.contentType,
- payload,
- mac,
- &ctx->writeCipher,
- ctx->writeCipher.sequenceNum,
- ctx)) != 0)
- goto fail;
- }
- }
-
- /* For TLS 1.1 and DTLS, we would need to specifiy the IV, but instead
- we are clever like this: since the IV is just one block in front,
- we encrypt it with the rest of the data. The actual transmitted IV
- is the result of the encryption, with whatever internal IV is used.
- This method is explained in the TLS 1.1 RFC */
- if(ctx->negProtocolVersion >= TLS_Version_1_1 &&
- cipherType == blockCipherType)
- {
- payload.data -= blockSize;
- }
-
- /* Update payload to reflect encrypted data: IV, contents, mac & padding */
- payload.length = payloadSize;
-
-
- switch (cipherType) {
- case blockCipherType:
- /* Fill in the padding bytes & padding length field with the
- * padding value; the protocol only requires the last byte,
- * but filling them all in avoids leaking data */
- for (i = 1; i <= padding + 1; ++i)
- payload.data[payload.length - i] = padding;
- /* DROPTRHOUGH */
- case streamCipherType:
- /* Encrypt the data */
- if ((err = cipher->encrypt(payload.data,
- payload.data, payload.length, ctx->writeCipher.cipherCtx)) != 0)
- goto fail;
- break;
- case aeadCipherType:
- check(0);
- break;
- default:
- check(0);
- return errSSLRecordInternal;
- }
-
- /* Enqueue the record to be written from the idle loop */
- if (ctx->recordWriteQueue == 0)
- ctx->recordWriteQueue = out;
- else
- { queue = ctx->recordWriteQueue;
- while (queue->next != 0)
- queue = queue->next;
- queue->next = out;
- }
-
- /* Increment the sequence number */
- IncrementUInt64(&ctx->writeCipher.sequenceNum);
-
- return 0;
-
-fail:
- /*
- * Only for if we fail between when the WaitingRecord is allocated and when
- * it is queued
- */
- sslFree(out);
- return err;
-}
-
-static int ssl3DecryptRecord(
- uint8_t type,
- SSLBuffer *payload,
- struct SSLRecordInternalContext *ctx)
-{
- int err;
- SSLBuffer content;
-
- CipherType cipherType = ctx->readCipher.symCipher->params->cipherType;
- const Cipher *c = &ctx->readCipher.symCipher->c.cipher;
- switch (cipherType) {
- case blockCipherType:
- if ((payload->length % ctx->readCipher.symCipher->params->blockSize) != 0)
- {
- return errSSLRecordDecryptionFail;
- }
- /* DROPTHROUGH */
- case streamCipherType:
- /* Decrypt in place */
- err = c->decrypt(payload->data, payload->data,
- payload->length, ctx->readCipher.cipherCtx);
- break;
- case aeadCipherType:
- default:
- check(0);
- return errSSLRecordInternal;
- }
- if (err != 0)
- {
- return errSSLRecordDecryptionFail;
- }
-
- /* Locate content within decrypted payload */
- content.data = payload->data;
- content.length = payload->length - ctx->readCipher.macRef->hash->digestSize;
- if (cipherType == blockCipherType)
- { /* padding can't be equal to or more than a block */
- if (payload->data[payload->length - 1] >= ctx->readCipher.symCipher->params->blockSize)
- {
- sslErrorLog("DecryptSSLRecord: bad padding length (%d)\n",
- (unsigned)payload->data[payload->length - 1]);
- return errSSLRecordDecryptionFail;
- }
- content.length -= 1 + payload->data[payload->length - 1];
- /* Remove block size padding */
- }
-
- /* Verify MAC on payload */
- if (ctx->readCipher.macRef->hash->digestSize > 0)
- /* Optimize away MAC for null case */
- if ((err = SSLVerifyMac(type, &content,
- payload->data + content.length, ctx)) != 0)
- {
- return errSSLRecordBadRecordMac;
- }
-
- *payload = content; /* Modify payload buffer to indicate content length */
-
- return 0;
-}
-
-/* initialize a per-CipherContext HashHmacContext for use in MACing each record */
-static int ssl3InitMac (
- CipherContext *cipherCtx) // macRef, macSecret valid on entry
- // macCtx valid on return
-{
- const HashReference *hash;
- SSLBuffer *hashCtx;
- int serr;
-
- check(cipherCtx->macRef != NULL);
- hash = cipherCtx->macRef->hash;
- check(hash != NULL);
-
- hashCtx = &cipherCtx->macCtx.hashCtx;
- if(hashCtx->data != NULL) {
- SSLFreeBuffer(hashCtx);
- }
- serr = SSLAllocBuffer(hashCtx, hash->contextSize);
- if(serr) {
- return serr;
- }
- return 0;
-}
-
-static int ssl3FreeMac (
- CipherContext *cipherCtx)
-{
- SSLBuffer *hashCtx;
-
- check(cipherCtx != NULL);
- /* this can be called on a completely zeroed out CipherContext... */
- if(cipherCtx->macRef == NULL) {
- return 0;
- }
- hashCtx = &cipherCtx->macCtx.hashCtx;
- if(hashCtx->data != NULL) {
- sslFree(hashCtx->data);
- hashCtx->data = NULL;
- }
- hashCtx->length = 0;
- return 0;
-}
-
-static int ssl3ComputeMac (
- uint8_t type,
- SSLBuffer data,
- SSLBuffer mac, // caller mallocs data
- CipherContext *cipherCtx, // assumes macCtx, macRef
- sslUint64 seqNo,
- struct SSLRecordInternalContext *ctx)
-{
- int err;
- uint8_t innerDigestData[SSL_MAX_DIGEST_LEN];
- uint8_t scratchData[11], *charPtr;
- SSLBuffer digest, digestCtx, scratch;
- SSLBuffer secret;
-
- const HashReference *hash;
-
- check(cipherCtx != NULL);
- check(cipherCtx->macRef != NULL);
- hash = cipherCtx->macRef->hash;
- check(hash != NULL);
- check(hash->macPadSize <= MAX_MAC_PADDING);
- check(hash->digestSize <= SSL_MAX_DIGEST_LEN);
- digestCtx = cipherCtx->macCtx.hashCtx; // may be NULL, for null cipher
- secret.data = cipherCtx->macSecret;
- secret.length = hash->digestSize;
-
- /* init'd early in SSLNewContext() */
- check(SSLMACPad1[0] == 0x36 && SSLMACPad2[0] == 0x5C);
-
- /*
- * MAC = hash( MAC_write_secret + pad_2 +
- * hash( MAC_write_secret + pad_1 + seq_num + type +
- * length + content )
- * )
- */
- if ((err = hash->init(&digestCtx)) != 0)
- goto exit;
- if ((err = hash->update(&digestCtx, &secret)) != 0) /* MAC secret */
- goto exit;
- scratch.data = (uint8_t *)SSLMACPad1;
- scratch.length = hash->macPadSize;
- if ((err = hash->update(&digestCtx, &scratch)) != 0) /* pad1 */
- goto exit;
- charPtr = scratchData;
- charPtr = SSLEncodeUInt64(charPtr, seqNo);
- *charPtr++ = type;
- charPtr = SSLEncodeSize(charPtr, data.length, 2);
- scratch.data = scratchData;
- scratch.length = 11;
- check(charPtr = scratchData+11);
- if ((err = hash->update(&digestCtx, &scratch)) != 0)
- /* sequenceNo, type & length */
- goto exit;
- if ((err = hash->update(&digestCtx, &data)) != 0) /* content */
- goto exit;
- digest.data = innerDigestData;
- digest.length = hash->digestSize;
- if ((err = hash->final(&digestCtx, &digest)) != 0) /* figure inner digest */
- goto exit;
-
- if ((err = hash->init(&digestCtx)) != 0)
- goto exit;
- if ((err = hash->update(&digestCtx, &secret)) != 0) /* MAC secret */
- goto exit;
- scratch.data = (uint8_t *)SSLMACPad2;
- scratch.length = hash->macPadSize;
- if ((err = hash->update(&digestCtx, &scratch)) != 0) /* pad2 */
- goto exit;
- if ((err = hash->update(&digestCtx, &digest)) != 0) /* inner digest */
- goto exit;
- if ((err = hash->final(&digestCtx, &mac)) != 0) /* figure the mac */
- goto exit;
-
- err = 0; /* redundant, I know */
-
-exit:
- return err;
-}
-
-
-const SslRecordCallouts Ssl3RecordCallouts = {
- ssl3DecryptRecord,
- ssl3WriteRecord,
- ssl3InitMac,
- ssl3FreeMac,
- ssl3ComputeMac,
-};
projects / apple / security.git / blobdiff