--- /dev/null
+/*
+ * Copyright (c) 2002,2005-2007,2010-2011 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+/*
+ * tls1RecordCallouts.c - TLSv1-specific routines for SslTlsCallouts.
+ */
+
+/* THIS FILE CONTAINS KERNEL CODE */
+
+#include "tls_record.h"
+#include "sslMemory.h"
+#include "sslDebug.h"
+#include "sslUtils.h"
+
+#include <AssertMacros.h>
+#include <string.h>
+
+/* not needed; encrypt/encode is the same for both protocols as long as
+ * we don't use the "variable length padding" feature. */
+#if 0
+static int tls1WriteRecord(
+ SSLRecord rec,
+ SSLContext *ctx)
+{
+ check(0);
+ return errSecUnimplemented;
+}
+#endif
+
+static int tls1DecryptRecord(
+ uint8_t type,
+ SSLBuffer *payload,
+ struct SSLRecordInternalContext *ctx)
+{
+ int err;
+ SSLBuffer content;
+
+ if ((ctx->readCipher.symCipher->params->blockSize > 0) &&
+ ((payload->length % ctx->readCipher.symCipher->params->blockSize) != 0)) {
+ return errSSLRecordRecordOverflow;
+ }
+
+ /* Decrypt in place */
+ if ((err = ctx->readCipher.symCipher->c.cipher.decrypt(payload->data,
+ payload->data, payload->length,
+ ctx->readCipher.cipherCtx)) != 0)
+ {
+ return errSSLRecordDecryptionFail;
+ }
+
+ /* Locate content within decrypted payload */
+
+ /* TLS 1.1 and DTLS 1.0 block ciphers */
+ if((ctx->negProtocolVersion>=TLS_Version_1_1) && (ctx->readCipher.symCipher->params->blockSize>0))
+ {
+ content.data = payload->data + ctx->readCipher.symCipher->params->blockSize;
+ content.length = payload->length - (ctx->readCipher.macRef->hash->digestSize + ctx->readCipher.symCipher->params->blockSize);
+ } else {
+ content.data = payload->data;
+ content.length = payload->length - ctx->readCipher.macRef->hash->digestSize;
+ }
+
+ /* Test for underflow - if the record size is smaller than required */
+ if(content.length > payload->length) {
+ return errSSLRecordClosedAbort;
+ }
+
+ err = 0;
+
+ if (ctx->readCipher.symCipher->params->blockSize > 0) {
+ /* for TLSv1, padding can be anywhere from 0 to 255 bytes */
+ uint8_t padSize = payload->data[payload->length - 1];
+
+ /* Padding check sequence:
+ 1. Check that the padding size (last byte in padding) is within bound
+ 2. Adjust content.length accordingly
+ 3. Check every padding byte (except last, already checked)
+ Do not return, just set the error value on failure,
+ to avoid creating a padding oracle with timing.
+ */
+ if(padSize+1<=content.length) {
+ uint8_t *padChars;
+ content.length -= (1 + padSize);
+ padChars = payload->data + payload->length - (padSize+1);
+ while(padChars < (payload->data + payload->length - 1)) {
+ if(*padChars++ != padSize) {
+ err = errSSLRecordBadRecordMac;
+ }
+ }
+ } else {
+ err = errSSLRecordBadRecordMac;
+ }
+ }
+
+ /* Verify MAC on payload */
+ if (ctx->readCipher.macRef->hash->digestSize > 0)
+ /* Optimize away MAC for null case */
+ if (SSLVerifyMac(type, &content,
+ content.data + content.length, ctx) != 0)
+ {
+ err = errSSLRecordBadRecordMac;
+ }
+
+ *payload = content; /* Modify payload buffer to indicate content length */
+
+ return err;
+}
+
+/* initialize a per-CipherContext HashHmacContext for use in MACing each record */
+static int tls1InitMac (
+ CipherContext *cipherCtx) // macRef, macSecret valid on entry
+ // macCtx valid on return
+{
+ const HMACReference *hmac;
+ int serr;
+
+ check(cipherCtx);
+ check(cipherCtx->macRef != NULL);
+ hmac = cipherCtx->macRef->hmac;
+ check(hmac != NULL);
+
+ if(cipherCtx->macCtx.hmacCtx != NULL) {
+ hmac->free(cipherCtx->macCtx.hmacCtx);
+ cipherCtx->macCtx.hmacCtx = NULL;
+ }
+ serr = hmac->alloc(hmac, cipherCtx->macSecret,
+ cipherCtx->macRef->hmac->macSize, &cipherCtx->macCtx.hmacCtx);
+
+ /* mac secret now stored in macCtx.hmacCtx, delete it from cipherCtx */
+ memset(cipherCtx->macSecret, 0, sizeof(cipherCtx->macSecret));
+ return serr;
+}
+
+static int tls1FreeMac (
+ CipherContext *cipherCtx)
+{
+ /* this can be called on a completely zeroed out CipherContext... */
+ if(cipherCtx->macRef == NULL) {
+ return 0;
+ }
+ check(cipherCtx->macRef->hmac != NULL);
+
+ if(cipherCtx->macCtx.hmacCtx != NULL) {
+ cipherCtx->macRef->hmac->free(cipherCtx->macCtx.hmacCtx);
+ cipherCtx->macCtx.hmacCtx = NULL;
+ }
+ return 0;
+}
+
+/*
+ * mac = HMAC_hash(MAC_write_secret, seq_num + TLSCompressed.type +
+ * TLSCompressed.version + TLSCompressed.length +
+ * TLSCompressed.fragment));
+ */
+
+/* sequence, type, version, length */
+#define HDR_LENGTH (8 + 1 + 2 + 2)
+static int tls1ComputeMac (
+ uint8_t type,
+ SSLBuffer data,
+ SSLBuffer mac, // caller mallocs data
+ CipherContext *cipherCtx, // assumes macCtx, macRef
+ sslUint64 seqNo,
+ struct SSLRecordInternalContext *ctx)
+{
+ uint8_t hdr[HDR_LENGTH];
+ uint8_t *p;
+ HMACContextRef hmacCtx;
+ int serr;
+ const HMACReference *hmac;
+ size_t macLength;
+
+ check(cipherCtx != NULL);
+ check(cipherCtx->macRef != NULL);
+ hmac = cipherCtx->macRef->hmac;
+ check(hmac != NULL);
+ hmacCtx = cipherCtx->macCtx.hmacCtx; // may be NULL, for null cipher
+
+ serr = hmac->init(hmacCtx);
+ if(serr) {
+ goto fail;
+ }
+ p = SSLEncodeUInt64(hdr, seqNo);
+ *p++ = type;
+ *p++ = ctx->negProtocolVersion >> 8;
+ *p++ = ctx->negProtocolVersion & 0xff;
+ *p++ = data.length >> 8;
+ *p = data.length & 0xff;
+ serr = hmac->update(hmacCtx, hdr, HDR_LENGTH);
+ if(serr) {
+ goto fail;
+ }
+ serr = hmac->update(hmacCtx, data.data, data.length);
+ if(serr) {
+ goto fail;
+ }
+ macLength = mac.length;
+ serr = hmac->final(hmacCtx, mac.data, &macLength);
+ if(serr) {
+ goto fail;
+ }
+ mac.length = macLength;
+fail:
+ return serr;
+}
+
+const SslRecordCallouts Tls1RecordCallouts = {
+ tls1DecryptRecord,
+ ssl3WriteRecord,
+ tls1InitMac,
+ tls1FreeMac,
+ tls1ComputeMac,
+};
+
projects / apple / security.git / blobdiff