+++ /dev/null
-/*
- * Copyright (c) 2002 Apple Computer, Inc. All Rights Reserved.
- *
- * The contents of this file constitute Original Code as defined in and are
- * subject to the Apple Public Source License Version 1.2 (the 'License').
- * You may not use this file except in compliance with the License. Please obtain
- * a copy of the License at http://www.apple.com/publicsource and read it before
- * using this file.
- *
- * This Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS
- * OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, INCLUDING WITHOUT
- * LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
- * PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. Please see the License for the
- * specific language governing rights and limitations under the License.
- */
-
-
-/*
- File: ssl3Callouts.cpp
-
- Contains: SSLv3-specific routines for SslTlsCallouts.
-
- Written by: Doug Mitchell
-*/
-
-#include "sslMemory.h"
-#include "tls_ssl.h"
-#include "sslUtils.h"
-#include "sslDigests.h"
-#include "ssl2.h"
-#include "sslDebug.h"
-#include "sslAlertMessage.h"
-
-#include <assert.h>
-#include <strings.h>
-
-/*
- * ssl3WriteRecord does not send alerts on failure, out of the assumption/fear
- * that this might result in a loop (since sending an alert causes ssl3WriteRecord
- * to be called).
- *
- * As far as I can tell, we can use this same routine for SSLv3 and TLSv1, as long
- * as we're not trying to use the "variable length padding" feature of TLSv1.
- * OpenSSL doesn't use that feature; for now, neither will we. Thus this routine
- * is used for the SslTlsCallouts.writeRecord function for both protocols.
- */
-OSStatus ssl3WriteRecord(
- SSLRecord rec,
- SSLContext *ctx)
-{
- OSStatus err;
- int padding = 0, i;
- WaitingRecord *out, *queue;
- SSLBuffer buf, payload, mac;
- UInt8 *charPtr;
- UInt16 payloadSize,blockSize;
-
- switch(rec.protocolVersion) {
- case SSL_Version_2_0:
- return SSL2WriteRecord(rec, ctx);
- case SSL_Version_3_0:
- case TLS_Version_1_0:
- break;
- default:
- assert(0);
- return errSSLInternal;
- }
- assert(rec.contents.length <= 16384);
-
- out = 0;
- /* Allocate a WaitingRecord to store our ready-to-send record in */
- if ((err = SSLAllocBuffer(buf, sizeof(WaitingRecord), ctx)) != 0)
- return err;
- out = (WaitingRecord*)buf.data;
- out->next = 0;
- out->sent = 0;
- /* Allocate enough room for the transmitted record, which will be:
- * 5 bytes of header +
- * encrypted contents +
- * macLength +
- * padding [block ciphers only] +
- * padding length field (1 byte) [block ciphers only]
- */
- payloadSize = (UInt16) (rec.contents.length + ctx->writeCipher.macRef->hash->digestSize);
- blockSize = ctx->writeCipher.symCipher->blockSize;
- if (blockSize > 0)
- { padding = blockSize - (payloadSize % blockSize) - 1;
- payloadSize += padding + 1;
- }
- out->data.data = 0;
- if ((err = SSLAllocBuffer(out->data, 5 + payloadSize, ctx)) != 0)
- goto fail;
-
- charPtr = out->data.data;
- *(charPtr++) = rec.contentType;
- charPtr = SSLEncodeInt(charPtr, rec.protocolVersion, 2);
- charPtr = SSLEncodeInt(charPtr, payloadSize, 2);
-
- /* Copy the contents into the output buffer */
- memcpy(charPtr, rec.contents.data, rec.contents.length);
- payload.data = charPtr;
- payload.length = rec.contents.length;
-
- charPtr += rec.contents.length;
- /* MAC immediately follows data */
- mac.data = charPtr;
- mac.length = ctx->writeCipher.macRef->hash->digestSize;
- charPtr += mac.length;
-
- /* MAC the data */
- if (mac.length > 0) /* Optimize away null case */
- {
- assert(ctx->sslTslCalls != NULL);
- if ((err = ctx->sslTslCalls->computeMac(rec.contentType,
- payload,
- mac,
- &ctx->writeCipher,
- ctx->writeCipher.sequenceNum,
- ctx)) != 0)
- goto fail;
- }
-
- /* Update payload to reflect encrypted data: contents, mac & padding */
- payload.length = payloadSize;
-
- /* Fill in the padding bytes & padding length field with the padding value; the
- * protocol only requires the last byte,
- * but filling them all in avoids leaking data
- */
- if (ctx->writeCipher.symCipher->blockSize > 0)
- for (i = 1; i <= padding + 1; ++i)
- payload.data[payload.length - i] = padding;
-
- /* Encrypt the data */
- if ((err = ctx->writeCipher.symCipher->encrypt(payload,
- payload,
- &ctx->writeCipher,
- ctx)) != 0)
- goto fail;
-
- /* Enqueue the record to be written from the idle loop */
- if (ctx->recordWriteQueue == 0)
- ctx->recordWriteQueue = out;
- else
- { queue = ctx->recordWriteQueue;
- while (queue->next != 0)
- queue = queue->next;
- queue->next = out;
- }
-
- /* Increment the sequence number */
- IncrementUInt64(&ctx->writeCipher.sequenceNum);
-
- return noErr;
-
-fail:
- /*
- * Only for if we fail between when the WaitingRecord is allocated and when
- * it is queued
- */
- SSLFreeBuffer(out->data, ctx);
- buf.data = (UInt8*)out;
- buf.length = sizeof(WaitingRecord);
- SSLFreeBuffer(buf, ctx);
- return err;
-}
-
-static OSStatus ssl3DecryptRecord(
- UInt8 type,
- SSLBuffer *payload,
- SSLContext *ctx)
-{
- OSStatus err;
- SSLBuffer content;
-
- if ((ctx->readCipher.symCipher->blockSize > 0) &&
- ((payload->length % ctx->readCipher.symCipher->blockSize) != 0))
- { SSLFatalSessionAlert(SSL_AlertUnexpectedMsg, ctx);
- return errSSLProtocol;
- }
-
- /* Decrypt in place */
- if ((err = ctx->readCipher.symCipher->decrypt(*payload,
- *payload,
- &ctx->readCipher,
- ctx)) != 0)
- { SSLFatalSessionAlert(SSL_AlertDecryptionFail, ctx);
- return err;
- }
-
- /* Locate content within decrypted payload */
- content.data = payload->data;
- content.length = payload->length - ctx->readCipher.macRef->hash->digestSize;
- if (ctx->readCipher.symCipher->blockSize > 0)
- { /* padding can't be equal to or more than a block */
- if (payload->data[payload->length - 1] >= ctx->readCipher.symCipher->blockSize)
- { SSLFatalSessionAlert(SSL_AlertDecryptionFail, ctx);
- sslErrorLog("DecryptSSLRecord: bad padding length (%d)\n",
- (unsigned)payload->data[payload->length - 1]);
- return errSSLDecryptionFail;
- }
- content.length -= 1 + payload->data[payload->length - 1];
- /* Remove block size padding */
- }
-
- /* Verify MAC on payload */
- if (ctx->readCipher.macRef->hash->digestSize > 0)
- /* Optimize away MAC for null case */
- if ((err = SSLVerifyMac(type, content,
- payload->data + content.length, ctx)) != 0)
- { SSLFatalSessionAlert(SSL_AlertBadRecordMac, ctx);
- return errSSLBadRecordMac;
- }
-
- *payload = content; /* Modify payload buffer to indicate content length */
-
- return noErr;
-}
-
-/* initialize a per-CipherContext HashHmacContext for use in MACing each record */
-static OSStatus ssl3InitMac (
- CipherContext *cipherCtx, // macRef, macSecret valid on entry
- // macCtx valid on return
- SSLContext *ctx)
-{
- const HashReference *hash;
- SSLBuffer *hashCtx;
- OSStatus serr;
-
- assert(cipherCtx->macRef != NULL);
- hash = cipherCtx->macRef->hash;
- assert(hash != NULL);
-
- hashCtx = &cipherCtx->macCtx.hashCtx;
- if(hashCtx->data != NULL) {
- SSLFreeBuffer(*hashCtx, ctx);
- }
- serr = SSLAllocBuffer(*hashCtx, hash->contextSize, ctx);
- if(serr) {
- return serr;
- }
- return noErr;
-}
-
-static OSStatus ssl3FreeMac (
- CipherContext *cipherCtx)
-{
- SSLBuffer *hashCtx;
-
- assert(cipherCtx != NULL);
- /* this can be called on a completely zeroed out CipherContext... */
- if(cipherCtx->macRef == NULL) {
- return noErr;
- }
- hashCtx = &cipherCtx->macCtx.hashCtx;
- if(hashCtx->data != NULL) {
- sslFree(hashCtx->data);
- hashCtx->data = NULL;
- }
- hashCtx->length = 0;
- return noErr;
-}
-
-static OSStatus ssl3ComputeMac (
- UInt8 type,
- SSLBuffer data,
- SSLBuffer mac, // caller mallocs data
- CipherContext *cipherCtx, // assumes macCtx, macRef
- sslUint64 seqNo,
- SSLContext *ctx)
-{
- OSStatus err;
- UInt8 innerDigestData[SSL_MAX_DIGEST_LEN];
- UInt8 scratchData[11], *charPtr;
- SSLBuffer digest, digestCtx, scratch;
- SSLBuffer secret;
-
- const HashReference *hash;
-
- assert(cipherCtx != NULL);
- assert(cipherCtx->macRef != NULL);
- hash = cipherCtx->macRef->hash;
- assert(hash != NULL);
- assert(hash->macPadSize <= MAX_MAC_PADDING);
- assert(hash->digestSize <= SSL_MAX_DIGEST_LEN);
- digestCtx = cipherCtx->macCtx.hashCtx; // may be NULL, for null cipher
- secret.data = cipherCtx->macSecret;
- secret.length = hash->digestSize;
-
- /* init'd early in SSLNewContext() */
- assert(SSLMACPad1[0] == 0x36 && SSLMACPad2[0] == 0x5C);
-
- /*
- * MAC = hash( MAC_write_secret + pad_2 +
- * hash( MAC_write_secret + pad_1 + seq_num + type +
- * length + content )
- * )
- */
- if ((err = hash->init(digestCtx, ctx)) != 0)
- goto exit;
- if ((err = hash->update(digestCtx, secret)) != 0) /* MAC secret */
- goto exit;
- scratch.data = (UInt8 *)SSLMACPad1;
- scratch.length = hash->macPadSize;
- if ((err = hash->update(digestCtx, scratch)) != 0) /* pad1 */
- goto exit;
- charPtr = scratchData;
- charPtr = SSLEncodeUInt64(charPtr, seqNo);
- *charPtr++ = type;
- charPtr = SSLEncodeInt(charPtr, data.length, 2);
- scratch.data = scratchData;
- scratch.length = 11;
- assert(charPtr = scratchData+11);
- if ((err = hash->update(digestCtx, scratch)) != 0)
- /* sequenceNo, type & length */
- goto exit;
- if ((err = hash->update(digestCtx, data)) != 0) /* content */
- goto exit;
- digest.data = innerDigestData;
- digest.length = hash->digestSize;
- if ((err = hash->final(digestCtx, digest)) != 0) /* figure inner digest */
- goto exit;
-
- if ((err = hash->init(digestCtx, ctx)) != 0)
- goto exit;
- if ((err = hash->update(digestCtx, secret)) != 0) /* MAC secret */
- goto exit;
- scratch.data = (UInt8 *)SSLMACPad2;
- scratch.length = hash->macPadSize;
- if ((err = hash->update(digestCtx, scratch)) != 0) /* pad2 */
- goto exit;
- if ((err = hash->update(digestCtx, digest)) != 0) /* inner digest */
- goto exit;
- if ((err = hash->final(digestCtx, mac)) != 0) /* figure the mac */
- goto exit;
-
- err = noErr; /* redundant, I know */
-
-exit:
- return err;
-}
-
-#define LOG_GEN_KEY 0
-
-/*
- * On input, the following are valid:
- * MasterSecret[48]
- * ClientHello.random[32]
- * ServerHello.random[32]
- *
- * key_block =
- * MD5(master_secret + SHA(`A' + master_secret +
- * ServerHello.random +
- * ClientHello.random)) +
- * MD5(master_secret + SHA(`BB' + master_secret +
- * ServerHello.random +
- * ClientHello.random)) +
- * MD5(master_secret + SHA(`CCC' + master_secret +
- * ServerHello.random +
- * ClientHello.random)) + [...];
- */
-static OSStatus ssl3GenerateKeyMaterial (
- SSLBuffer key, // caller mallocs and specifies length of
- // required key material here
- SSLContext *ctx)
-{
- OSStatus err;
- UInt8 leaderData[10]; /* Max of 10 hashes
- * (* 16 bytes/hash = 160 bytes of key) */
- UInt8 shaHashData[20], md5HashData[16];
- SSLBuffer shaContext, md5Context;
- UInt8 *keyProgress;
- int i,j,remaining, satisfied;
- SSLBuffer leader, masterSecret, serverRandom, clientRandom, shaHash, md5Hash;
-
- #if LOG_GEN_KEY
- printf("GenerateKey: master ");
- for(i=0; i<SSL_MASTER_SECRET_SIZE; i++) {
- printf("%02X ", ctx->masterSecret[i]);
- }
- printf("\n");
- #endif
-
- assert(key.length <= 16 * sizeof(leaderData));
-
- leader.data = leaderData;
- masterSecret.data = ctx->masterSecret;
- masterSecret.length = SSL_MASTER_SECRET_SIZE;
- serverRandom.data = ctx->serverRandom;
- serverRandom.length = SSL_CLIENT_SRVR_RAND_SIZE;
- clientRandom.data = ctx->clientRandom;
- clientRandom.length = SSL_CLIENT_SRVR_RAND_SIZE;
- shaHash.data = shaHashData;
- shaHash.length = 20;
- md5Hash.data = md5HashData;
- md5Hash.length = 16;
-
- md5Context.data = 0;
- shaContext.data = 0;
- if ((err = ReadyHash(SSLHashMD5, md5Context, ctx)) != 0)
- goto fail;
- if ((err = ReadyHash(SSLHashSHA1, shaContext, ctx)) != 0)
- goto fail;
-
- keyProgress = key.data;
- remaining = key.length;
-
- for (i = 0; remaining > 0; ++i)
- { for (j = 0; j <= i; j++)
- leaderData[j] = 0x41 + i; /* 'A', 'BB', 'CCC', etc. */
- leader.length = i+1;
-
- if ((err = SSLHashSHA1.update(shaContext, leader)) != 0)
- goto fail;
- if ((err = SSLHashSHA1.update(shaContext, masterSecret)) != 0)
- goto fail;
- if ((err = SSLHashSHA1.update(shaContext, serverRandom)) != 0)
- goto fail;
- if ((err = SSLHashSHA1.update(shaContext, clientRandom)) != 0)
- goto fail;
- if ((err = SSLHashSHA1.final(shaContext, shaHash)) != 0)
- goto fail;
- if ((err = SSLHashMD5.update(md5Context, masterSecret)) != 0)
- goto fail;
- if ((err = SSLHashMD5.update(md5Context, shaHash)) != 0)
- goto fail;
- if ((err = SSLHashMD5.final(md5Context, md5Hash)) != 0)
- goto fail;
-
- satisfied = 16;
- if (remaining < 16)
- satisfied = remaining;
- memcpy(keyProgress, md5HashData, satisfied);
- remaining -= satisfied;
- keyProgress += satisfied;
-
- if(remaining > 0) {
- /* at top of loop, this was done in ReadyHash() */
- if ((err = SSLHashMD5.init(md5Context, ctx)) != 0)
- goto fail;
- if ((err = SSLHashSHA1.init(shaContext, ctx)) != 0)
- goto fail;
- }
- }
-
- assert(remaining == 0 && keyProgress == (key.data + key.length));
- err = noErr;
-fail:
- SSLFreeBuffer(md5Context, ctx);
- SSLFreeBuffer(shaContext, ctx);
-
- #if LOG_GEN_KEY
- printf("GenerateKey: DONE\n");
- #endif
- return err;
-}
-
-static OSStatus ssl3GenerateExportKeyAndIv (
- SSLContext *ctx, // clientRandom, serverRandom valid
- const SSLBuffer clientWriteKey,
- const SSLBuffer serverWriteKey,
- SSLBuffer finalClientWriteKey, // RETURNED, mallocd by caller
- SSLBuffer finalServerWriteKey, // RETURNED, mallocd by caller
- SSLBuffer finalClientIV, // RETURNED, mallocd by caller
- SSLBuffer finalServerIV) // RETURNED, mallocd by caller
-{
- OSStatus err;
- SSLBuffer hashCtx, serverRandom, clientRandom;
-
- /* random blobs are 32 bytes */
- serverRandom.data = ctx->serverRandom;
- serverRandom.length = SSL_CLIENT_SRVR_RAND_SIZE;
- clientRandom.data = ctx->clientRandom;
- clientRandom.length = SSL_CLIENT_SRVR_RAND_SIZE;
-
- if ((err = SSLAllocBuffer(hashCtx, SSLHashMD5.contextSize, ctx)) != 0)
- return err;
- /* client write key */
- if ((err = SSLHashMD5.init(hashCtx, ctx)) != 0)
- goto fail;
- if ((err = SSLHashMD5.update(hashCtx, clientWriteKey)) != 0)
- goto fail;
- if ((err = SSLHashMD5.update(hashCtx, clientRandom)) != 0)
- goto fail;
- if ((err = SSLHashMD5.update(hashCtx, serverRandom)) != 0)
- goto fail;
- finalClientWriteKey.length = 16;
- if ((err = SSLHashMD5.final(hashCtx, finalClientWriteKey)) != 0)
- goto fail;
-
- /* optional client IV */
- if (ctx->selectedCipherSpec->cipher->ivSize > 0)
- { if ((err = SSLHashMD5.init(hashCtx, ctx)) != 0)
- goto fail;
- if ((err = SSLHashMD5.update(hashCtx, clientRandom)) != 0)
- goto fail;
- if ((err = SSLHashMD5.update(hashCtx, serverRandom)) != 0)
- goto fail;
- finalClientIV.length = 16;
- if ((err = SSLHashMD5.final(hashCtx, finalClientIV)) != 0)
- goto fail;
- }
-
- /* server write key */
- if ((err = SSLHashMD5.init(hashCtx, ctx)) != 0)
- goto fail;
- if ((err = SSLHashMD5.update(hashCtx, serverWriteKey)) != 0)
- goto fail;
- if ((err = SSLHashMD5.update(hashCtx, serverRandom)) != 0)
- goto fail;
- if ((err = SSLHashMD5.update(hashCtx, clientRandom)) != 0)
- goto fail;
- finalServerWriteKey.length = 16;
- if ((err = SSLHashMD5.final(hashCtx, finalServerWriteKey)) != 0)
- goto fail;
-
- /* optional server IV */
- if (ctx->selectedCipherSpec->cipher->ivSize > 0)
- { if ((err = SSLHashMD5.init(hashCtx, ctx)) != 0)
- goto fail;
- if ((err = SSLHashMD5.update(hashCtx, serverRandom)) != 0)
- goto fail;
- if ((err = SSLHashMD5.update(hashCtx, clientRandom)) != 0)
- goto fail;
- finalServerIV.length = 16;
- if ((err = SSLHashMD5.final(hashCtx, finalServerIV)) != 0)
- goto fail;
- }
-
- err = noErr;
-fail:
- SSLFreeBuffer(hashCtx, ctx);
- return err;
-}
-
-/*
- * On entry: clientRandom, serverRandom, preMasterSecret valid
- * On return: masterSecret valid
- */
-static OSStatus ssl3GenerateMasterSecret (
- SSLContext *ctx)
-{
- OSStatus err;
- SSLBuffer shaState, md5State, clientRandom,
- serverRandom, shaHash, md5Hash, leader;
- UInt8 *masterProgress, shaHashData[20], leaderData[3];
- int i;
-
- md5State.data = shaState.data = 0;
- if ((err = SSLAllocBuffer(md5State, SSLHashMD5.contextSize, ctx)) != 0)
- goto fail;
- if ((err = SSLAllocBuffer(shaState, SSLHashSHA1.contextSize, ctx)) != 0)
- goto fail;
-
- clientRandom.data = ctx->clientRandom;
- clientRandom.length = SSL_CLIENT_SRVR_RAND_SIZE;
- serverRandom.data = ctx->serverRandom;
- serverRandom.length = SSL_CLIENT_SRVR_RAND_SIZE;
- shaHash.data = shaHashData;
- shaHash.length = 20;
-
- masterProgress = ctx->masterSecret;
-
- for (i = 1; i <= 3; i++)
- { if ((err = SSLHashMD5.init(md5State, ctx)) != 0)
- goto fail;
- if ((err = SSLHashSHA1.init(shaState, ctx)) != 0)
- goto fail;
-
- leaderData[0] = leaderData[1] = leaderData[2] = 0x40 + i; /* 'A', 'B', etc. */
- leader.data = leaderData;
- leader.length = i;
-
- if ((err = SSLHashSHA1.update(shaState, leader)) != 0)
- goto fail;
- if ((err = SSLHashSHA1.update(shaState, ctx->preMasterSecret)) != 0)
- goto fail;
- if ((err = SSLHashSHA1.update(shaState, clientRandom)) != 0)
- goto fail;
- if ((err = SSLHashSHA1.update(shaState, serverRandom)) != 0)
- goto fail;
- if ((err = SSLHashSHA1.final(shaState, shaHash)) != 0)
- goto fail;
- if ((err = SSLHashMD5.update(md5State, ctx->preMasterSecret)) != 0)
- goto fail;
- if ((err = SSLHashMD5.update(md5State, shaHash)) != 0)
- goto fail;
- md5Hash.data = masterProgress;
- md5Hash.length = 16;
- if ((err = SSLHashMD5.final(md5State, md5Hash)) != 0)
- goto fail;
- masterProgress += 16;
- }
-
- err = noErr;
-fail:
- SSLFreeBuffer(shaState, ctx);
- SSLFreeBuffer(md5State, ctx);
- return err;
-}
-
-/* common routine to compute a Mac for finished message and cert verify message */
-static OSStatus
-ssl3CalculateFinishedMessage(
- SSLContext *ctx,
- SSLBuffer finished, // mallocd by caller
- SSLBuffer shaMsgState, // running total
- SSLBuffer md5MsgState, // ditto
- UInt32 senderID) // optional, nonzero for finished message
-{
- OSStatus err;
- SSLBuffer hash, input;
- UInt8 sender[4], md5Inner[16], shaInner[20];
-
- // assert(finished.length == 36);
-
- if (senderID != 0) {
- SSLEncodeInt(sender, senderID, 4);
- input.data = sender;
- input.length = 4;
- if ((err = SSLHashMD5.update(md5MsgState, input)) != 0)
- return err;
- if ((err = SSLHashSHA1.update(shaMsgState, input)) != 0)
- return err;
- }
- input.data = ctx->masterSecret;
- input.length = SSL_MASTER_SECRET_SIZE;
- if ((err = SSLHashMD5.update(md5MsgState, input)) != 0)
- return err;
- if ((err = SSLHashSHA1.update(shaMsgState, input)) != 0)
- return err;
- input.data = (UInt8 *)SSLMACPad1;
- input.length = SSLHashMD5.macPadSize;
- if ((err = SSLHashMD5.update(md5MsgState, input)) != 0)
- return err;
- input.length = SSLHashSHA1.macPadSize;
- if ((err = SSLHashSHA1.update(shaMsgState, input)) != 0)
- return err;
- hash.data = md5Inner;
- hash.length = 16;
- if ((err = SSLHashMD5.final(md5MsgState, hash)) != 0)
- return err;
- hash.data = shaInner;
- hash.length = 20;
- if ((err = SSLHashSHA1.final(shaMsgState, hash)) != 0)
- return err;
- if ((err = SSLHashMD5.init(md5MsgState, ctx)) != 0)
- return err;
- if ((err = SSLHashSHA1.init(shaMsgState, ctx)) != 0)
- return err;
- input.data = ctx->masterSecret;
- input.length = SSL_MASTER_SECRET_SIZE;
- if ((err = SSLHashMD5.update(md5MsgState, input)) != 0)
- return err;
- if ((err = SSLHashSHA1.update(shaMsgState, input)) != 0)
- return err;
- input.data = (UInt8 *)SSLMACPad2;
- input.length = SSLHashMD5.macPadSize;
- if ((err = SSLHashMD5.update(md5MsgState, input)) != 0)
- return err;
- input.length = SSLHashSHA1.macPadSize;
- if ((err = SSLHashSHA1.update(shaMsgState, input)) != 0)
- return err;
- input.data = md5Inner;
- input.length = 16;
- if ((err = SSLHashMD5.update(md5MsgState, input)) != 0)
- return err;
- hash.data = finished.data;
- hash.length = 16;
- if ((err = SSLHashMD5.final(md5MsgState, hash)) != 0)
- return err;
- input.data = shaInner;
- input.length = 20;
- if ((err = SSLHashSHA1.update(shaMsgState, input)) != 0)
- return err;
- hash.data = finished.data + 16;
- hash.length = 20;
- if ((err = SSLHashSHA1.final(shaMsgState, hash)) != 0)
- return err;
- return noErr;
-}
-
-
-static OSStatus ssl3ComputeFinishedMac (
- SSLContext *ctx,
- SSLBuffer finished, // output - mallocd by caller
- SSLBuffer shaMsgState, // clone of running digest of all handshake msgs
- SSLBuffer md5MsgState, // ditto
- Boolean isServer) // refers to message, not us
-{
- return ssl3CalculateFinishedMessage(ctx, finished, shaMsgState, md5MsgState,
- isServer ? SSL_Finished_Sender_Server : SSL_Finished_Sender_Client);
-}
-
-static OSStatus ssl3ComputeCertVfyMac (
- SSLContext *ctx,
- SSLBuffer finished, // output - mallocd by caller
- SSLBuffer shaMsgState, // clone of running digest of all handshake msgs
- SSLBuffer md5MsgState) // ditto
-{
- return ssl3CalculateFinishedMessage(ctx, finished, shaMsgState, md5MsgState, 0);
-}
-
-const SslTlsCallouts Ssl3Callouts = {
- ssl3DecryptRecord,
- ssl3WriteRecord,
- ssl3InitMac,
- ssl3FreeMac,
- ssl3ComputeMac,
- ssl3GenerateKeyMaterial,
- ssl3GenerateExportKeyAndIv,
- ssl3GenerateMasterSecret,
- ssl3ComputeFinishedMac,
- ssl3ComputeCertVfyMac
-};
projects / apple / security.git / blobdiff