+++ /dev/null
-/*
- * Copyright (c) 2000-2001 Apple Computer, Inc. All Rights Reserved.
- *
- * The contents of this file constitute Original Code as defined in and are
- * subject to the Apple Public Source License Version 1.2 (the 'License').
- * You may not use this file except in compliance with the License. Please obtain
- * a copy of the License at http://www.apple.com/publicsource and read it before
- * using this file.
- *
- * This Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS
- * OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, INCLUDING WITHOUT
- * LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
- * PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. Please see the License for the
- * specific language governing rights and limitations under the License.
- */
-
-
-/*
- File: ssl2Protocol.cpp
-
- Contains: Protocol engine for SSL 2
-
- Written by: Doug Mitchell
-
- Copyright: (c) 1999 by Apple Computer, Inc., all rights reserved.
-
-*/
-
-#include "ssl.h"
-#include "ssl2.h"
-#include "sslRecord.h"
-#include "sslMemory.h"
-#include "sslContext.h"
-#include "sslHandshake.h"
-#include "sslSession.h"
-#include "sslAlertMessage.h"
-#include "sslDebug.h"
-#include "appleCdsa.h"
-#include "sslUtils.h"
-#include "sslDigests.h"
-#include <string.h>
-#include <assert.h>
-
-#ifndef NDEBUG
-
-static char *sslHdskMsgToStr(SSL2MessageType msg)
-{
- static char badStr[100];
-
- switch(msg) {
- case SSL2_MsgError:
- return "SSL2_MsgError";
- case SSL2_MsgClientHello:
- return "SSL2_MsgClientHello";
- case SSL2_MsgClientMasterKey:
- return "SSL2_MsgClientMasterKey";
- case SSL2_MsgClientFinished:
- return "SSL2_MsgClientFinished";
- case SSL2_MsgServerHello:
- return "SSL2_MsgServerHello";
- case SSL2_MsgServerVerify:
- return "SSL2_MsgServerVerify";
- case SSL2_MsgServerFinished:
- return "SSL2_MsgServerFinished";
- case SSL2_MsgRequestCert:
- return "SSL2_MsgRequestCert";
- case SSL2_MsgClientCert:
- return "SSL2_MsgClientCert";
- case SSL2_MsgKickstart:
- return "SSL2_MsgKickstart";
- default:
- sprintf(badStr, "Unknown msg (%d(d)", msg);
- return badStr;
- }
-}
-
-static void logSsl2Msg(SSL2MessageType msg, char sent)
-{
- char *ms = sslHdskMsgToStr(msg);
- sslHdskMsgDebug("...msg %s: %s", (sent ? "sent" : "recd"), ms);
-}
-
-#else
-
-#define logSsl2Msg(m, s)
-
-#endif /* NDEBUG */
-
-OSStatus
-SSL2ProcessMessage(SSLRecord &rec, SSLContext *ctx)
-{ OSStatus err = 0;
- SSL2MessageType msg;
- SSLBuffer contents;
-
- if (rec.contents.length < 2)
- return errSSLProtocol;
-
- msg = (SSL2MessageType)rec.contents.data[0];
- contents.data = rec.contents.data + 1;
- contents.length = rec.contents.length - 1;
-
- logSsl2Msg(msg, 0);
-
- switch (msg)
- { case SSL2_MsgError:
- err = errSSLClosedAbort;
- break;
- case SSL2_MsgClientHello:
- if (ctx->state != SSL_HdskStateServerUninit)
- return errSSLProtocol;
- err = SSL2ProcessClientHello(contents, ctx);
- if (err == errSSLNegotiation)
- SSL2SendError(SSL2_ErrNoCipher, ctx);
- break;
- case SSL2_MsgClientMasterKey:
- if (ctx->state != SSL2_HdskStateClientMasterKey)
- return errSSLProtocol;
- err = SSL2ProcessClientMasterKey(contents, ctx);
- break;
- case SSL2_MsgClientFinished:
- if (ctx->state != SSL2_HdskStateClientFinished)
- return errSSLProtocol;
- err = SSL2ProcessClientFinished(contents, ctx);
- break;
- case SSL2_MsgServerHello:
- if (ctx->state != SSL2_HdskStateServerHello &&
- ctx->state != SSL_HdskStateServerHelloUnknownVersion)
- return errSSLProtocol;
- err = SSL2ProcessServerHello(contents, ctx);
- if (err == errSSLNegotiation)
- SSL2SendError(SSL2_ErrNoCipher, ctx);
- break;
- case SSL2_MsgServerVerify:
- if (ctx->state != SSL2_HdskStateServerVerify)
- return errSSLProtocol;
- err = SSL2ProcessServerVerify(contents, ctx);
- break;
- case SSL2_MsgServerFinished:
- if (ctx->state != SSL2_HdskStateServerFinished) {
- /* FIXME - this ifndef should not be necessary */
- #ifndef NDEBUG
- sslHdskStateDebug("SSL2_MsgServerFinished; state %s",
- hdskStateToStr(ctx->state));
- #endif
- return errSSLProtocol;
- }
- err = SSL2ProcessServerFinished(contents, ctx);
- break;
- case SSL2_MsgRequestCert:
- /* Don't process the request; we don't support client certification */
- break;
- case SSL2_MsgClientCert:
- return errSSLProtocol;
- break;
- default:
- return errSSLProtocol;
- break;
- }
-
- if (err == 0)
- {
- if ((msg == SSL2_MsgClientHello) &&
- (ctx->negProtocolVersion >= SSL_Version_3_0))
- { /* Promote this message to SSL 3 protocol */
- if ((err = SSL3ReceiveSSL2ClientHello(rec, ctx)) != 0)
- return err;
- }
- else
- err = SSL2AdvanceHandshake(msg, ctx);
- }
- return err;
-}
-
-OSStatus
-SSL2AdvanceHandshake(SSL2MessageType msg, SSLContext *ctx)
-{ OSStatus err;
-
- err = noErr;
-
- switch (msg)
- { case SSL2_MsgKickstart:
- assert(ctx->negProtocolVersion == SSL_Version_Undetermined);
- assert(ctx->versionSsl2Enable);
- if (ctx->versionSsl3Enable || ctx->versionTls1Enable) {
- /* prepare for possible v3 upgrade */
- if ((err = SSLInitMessageHashes(ctx)) != 0)
- return err;
- }
- if ((err = SSL2PrepareAndQueueMessage(SSL2EncodeClientHello, ctx)) != 0)
- return err;
- if (ctx->versionSsl3Enable || ctx->versionTls1Enable) {
- SSLChangeHdskState(ctx, SSL_HdskStateServerHelloUnknownVersion);
- }
- else {
- /* v2 only */
- SSLChangeHdskState(ctx, SSL2_HdskStateServerHello);
- }
- break;
- case SSL2_MsgClientHello:
- if ((err = SSL2CompareSessionIDs(ctx)) != 0)
- return err;
- if (ctx->sessionMatch == 0)
- if ((err = SSL2GenerateSessionID(ctx)) != 0)
- return err;
- if ((err = SSL2PrepareAndQueueMessage(SSL2EncodeServerHello, ctx)) != 0)
- return err;
- if (ctx->sessionMatch == 0)
- { SSLChangeHdskState(ctx, SSL2_HdskStateClientMasterKey);
- break;
- }
- sslLogResumSessDebug("===RESUMING SSL2 server-side session");
- if ((err = SSL2InstallSessionKey(ctx)) != 0)
- return err;
- /* Fall through for matching session; lame, but true */
- case SSL2_MsgClientMasterKey:
- if ((err = SSL2InitCiphers(ctx)) != 0)
- return err;
- if ((err = SSL2PrepareAndQueueMessage(SSL2EncodeServerVerify, ctx)) != 0)
- return err;
- if ((err = SSL2PrepareAndQueueMessage(SSL2EncodeServerFinished, ctx)) != 0)
- return err;
- SSLChangeHdskState(ctx, SSL2_HdskStateClientFinished);
- break;
- case SSL2_MsgServerHello:
- if (ctx->sessionMatch == 0)
- { if ((err = SSL2PrepareAndQueueMessage(SSL2EncodeClientMasterKey, ctx)) != 0)
- return err;
- }
- else
- {
- sslLogResumSessDebug("===RESUMING SSL2 client-side session");
- if ((err = SSL2InstallSessionKey(ctx)) != 0)
- return err;
- }
- if ((err = SSL2InitCiphers(ctx)) != 0)
- return err;
- if ((err = SSL2PrepareAndQueueMessage(SSL2EncodeClientFinished, ctx)) != 0)
- return err;
- SSLChangeHdskState(ctx, SSL2_HdskStateServerVerify);
- break;
- case SSL2_MsgClientFinished:
- /* Handshake is complete; turn ciphers on */
- ctx->writeCipher.ready = 1;
- ctx->readCipher.ready = 1;
- /* original code never got out of SSL2_MsgClientFinished state */
- assert(ctx->protocolSide == SSL_ServerSide);
- SSLChangeHdskState(ctx, SSL_HdskStateServerReady);
- if (ctx->peerID.data != 0)
- SSLAddSessionData(ctx);
- break;
- case SSL2_MsgServerVerify:
- SSLChangeHdskState(ctx, SSL2_HdskStateServerFinished);
- break;
- case SSL2_MsgRequestCert:
- if ((err = SSL2SendError(SSL2_ErrNoCert, ctx)) != 0)
- return err;
- break;
- case SSL2_MsgServerFinished:
- /* Handshake is complete; turn ciphers on */
- ctx->writeCipher.ready = 1;
- ctx->readCipher.ready = 1;
- /* original code never got out of SSL2_MsgServerFinished state */
- assert(ctx->protocolSide == SSL_ClientSide);
- SSLChangeHdskState(ctx, SSL_HdskStateClientReady);
- if (ctx->peerID.data != 0)
- SSLAddSessionData(ctx);
- break;
- case SSL2_MsgError:
- case SSL2_MsgClientCert:
- return errSSLProtocol;
- break;
- }
-
- return noErr;
-}
-
-OSStatus
-SSL2PrepareAndQueueMessage(EncodeSSL2MessageFunc encodeFunc, SSLContext *ctx)
-{ OSStatus err;
- SSLRecord rec;
-
- rec.contentType = SSL_RecordTypeV2_0;
- rec.protocolVersion = SSL_Version_2_0;
- if ((err = encodeFunc(rec.contents, ctx)) != 0)
- return err;
-
- logSsl2Msg((SSL2MessageType)rec.contents.data[0], 1);
-
- assert(ctx->sslTslCalls != NULL);
- if ((err = ctx->sslTslCalls->writeRecord(rec, ctx)) != 0)
- { SSLFreeBuffer(rec.contents, ctx);
- return err;
- }
-
- assert((ctx->negProtocolVersion == SSL_Version_Undetermined) ||
- (ctx->negProtocolVersion == SSL_Version_2_0));
- if((ctx->negProtocolVersion == SSL_Version_Undetermined) &&
- (ctx->versionSsl3Enable || ctx->versionTls1Enable)) {
- /* prepare for possible V3/TLS1 upgrade */
- if ((err = SSLHashSHA1.update(ctx->shaState, rec.contents)) != 0 ||
- (err = SSLHashMD5.update(ctx->md5State, rec.contents)) != 0)
- return err;
- }
- err = SSLFreeBuffer(rec.contents, ctx);
- return err;
-}
-
-OSStatus
-SSL2CompareSessionIDs(SSLContext *ctx)
-{ OSStatus err;
- SSLBuffer sessionIdentifier;
-
- ctx->sessionMatch = 0;
-
- if (ctx->resumableSession.data == 0)
- return noErr;
-
- if ((err = SSLRetrieveSessionID(ctx->resumableSession,
- &sessionIdentifier, ctx)) != 0)
- return err;
-
- if (sessionIdentifier.length == ctx->sessionID.length &&
- memcmp(sessionIdentifier.data, ctx->sessionID.data, sessionIdentifier.length) == 0)
- ctx->sessionMatch = 1;
-
- if ((err = SSLFreeBuffer(sessionIdentifier, ctx)) != 0)
- return err;
-
- return noErr;
-}
-
-OSStatus
-SSL2InstallSessionKey(SSLContext *ctx)
-{ OSStatus err;
-
- assert(ctx->sessionMatch != 0);
- assert(ctx->resumableSession.data != 0);
- if ((err = SSLInstallSessionFromData(ctx->resumableSession, ctx)) != 0)
- return err;
- return noErr;
-}
-
-OSStatus
-SSL2GenerateSessionID(SSLContext *ctx)
-{ OSStatus err;
-
- if ((err = SSLFreeBuffer(ctx->sessionID, ctx)) != 0)
- return err;
- if ((err = SSLAllocBuffer(ctx->sessionID, SSL_SESSION_ID_LEN, ctx)) != 0)
- return err;
- if ((err = sslRand(ctx, &ctx->sessionID)) != 0)
- return err;
- return noErr;
-}
-
-OSStatus
-SSL2InitCiphers(SSLContext *ctx)
-{ OSStatus err;
- int keyMaterialLen;
- SSLBuffer keyData;
- uint8 variantChar, *charPtr, *readKey, *writeKey, *iv;
- SSLBuffer hashDigest, hashContext, masterKey, challenge, connectionID, variantData;
-
- keyMaterialLen = 2 * ctx->selectedCipherSpec->cipher->keySize;
- if ((err = SSLAllocBuffer(keyData, keyMaterialLen, ctx)) != 0)
- return err;
-
- /* Can't have % in assertion string... */
- #if SSL_DEBUG
- {
- UInt32 keyModDigestSize = keyMaterialLen % SSLHashMD5.digestSize;
- assert(keyModDigestSize == 0);
- }
- #endif
-
- masterKey.data = ctx->masterSecret;
- masterKey.length = ctx->selectedCipherSpec->cipher->keySize;
- challenge.data = ctx->clientRandom + SSL_CLIENT_SRVR_RAND_SIZE -
- ctx->ssl2ChallengeLength;
- challenge.length = ctx->ssl2ChallengeLength;
- connectionID.data = ctx->serverRandom;
- connectionID.length = ctx->ssl2ConnectionIDLength;
- variantData.data = &variantChar;
- variantData.length = 1;
- if ((err = SSLAllocBuffer(hashContext, SSLHashMD5.contextSize, ctx)) != 0)
- { SSLFreeBuffer(keyData, ctx);
- return err;
- }
-
- variantChar = 0x30; /* '0' */
- charPtr = keyData.data;
- while (keyMaterialLen)
- { hashDigest.data = charPtr;
- hashDigest.length = SSLHashMD5.digestSize;
- if ((err = SSLHashMD5.init(hashContext, ctx)) != 0 ||
- (err = SSLHashMD5.update(hashContext, masterKey)) != 0 ||
- (err = SSLHashMD5.update(hashContext, variantData)) != 0 ||
- (err = SSLHashMD5.update(hashContext, challenge)) != 0 ||
- (err = SSLHashMD5.update(hashContext, connectionID)) != 0 ||
- (err = SSLHashMD5.final(hashContext, hashDigest)) != 0)
- { SSLFreeBuffer(keyData, ctx);
- SSLFreeBuffer(hashContext, ctx);
- return err;
- }
- charPtr += hashDigest.length;
- ++variantChar;
- keyMaterialLen -= hashDigest.length;
- }
-
- assert(charPtr == keyData.data + keyData.length);
-
- if ((err = SSLFreeBuffer(hashContext, ctx)) != 0)
- { SSLFreeBuffer(keyData, ctx);
- return err;
- }
-
- ctx->readPending.macRef = ctx->selectedCipherSpec->macAlgorithm;
- ctx->writePending.macRef = ctx->selectedCipherSpec->macAlgorithm;
- ctx->readPending.symCipher = ctx->selectedCipherSpec->cipher;
- ctx->writePending.symCipher = ctx->selectedCipherSpec->cipher;
- ctx->readPending.sequenceNum = ctx->readCipher.sequenceNum;
- ctx->writePending.sequenceNum = ctx->writeCipher.sequenceNum;
-
- if (ctx->protocolSide == SSL_ServerSide)
- { writeKey = keyData.data;
- readKey = keyData.data + ctx->selectedCipherSpec->cipher->keySize;
- }
- else
- { readKey = keyData.data;
- writeKey = keyData.data + ctx->selectedCipherSpec->cipher->keySize;
- }
-
- iv = ctx->masterSecret + ctx->selectedCipherSpec->cipher->keySize;
-
- if ((err = ctx->readPending.symCipher->initialize(readKey, iv,
- &ctx->readPending, ctx)) != 0 ||
- (err = ctx->writePending.symCipher->initialize(writeKey, iv,
- &ctx->writePending, ctx)) != 0)
- { SSLFreeBuffer(keyData, ctx);
- return err;
- }
-
- /*
- * HEY! macSecret is only 20 bytes. This blows up when key size
- * is greater than 20, e.g., 3DES.
- * I'll increase the size of macSecret to 24, 'cause it appears
- * from the SSL v23 spec that the macSecret really the same size as
- * CLIENT-WRITE-KEY and SERVER-READ-KEY (see 1.2 of the spec).
- */
- memcpy(ctx->readPending.macSecret, readKey, ctx->selectedCipherSpec->cipher->keySize);
- memcpy(ctx->writePending.macSecret, writeKey, ctx->selectedCipherSpec->cipher->keySize);
-
- if ((err = SSLFreeBuffer(keyData, ctx)) != 0)
- return err;
-
- ctx->readCipher = ctx->readPending;
- ctx->writeCipher = ctx->writePending;
- memset(&ctx->readPending, 0, sizeof(CipherContext)); /* Zero out old data */
- memset(&ctx->writePending, 0, sizeof(CipherContext)); /* Zero out old data */
-
- return noErr;
-}
projects / apple / security.git / blobdiff