/* * Copyright (c) 1999-2001,2005-2012 Apple Inc. All Rights Reserved. * * @APPLE_LICENSE_HEADER_START@ * * This file contains Original Code and/or Modifications of Original Code * as defined in and that are subject to the Apple Public Source License * Version 2.0 (the 'License'). You may not use this file except in * compliance with the License. Please obtain a copy of the License at * http://www.opensource.apple.com/apsl/ and read it before using this * file. * * The Original Code and all software distributed under the License are * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. * Please see the License for the specific language governing rights and * limitations under the License. * * @APPLE_LICENSE_HEADER_END@ */ /* * sslKeyExchange.c - Support for key exchange and server key exchange */ #include "ssl.h" #include "sslContext.h" #include "sslHandshake.h" #include "sslMemory.h" #include "sslDebug.h" #include "sslUtils.h" #include "sslCrypto.h" #include "sslRand.h" #include "sslDigests.h" #include <assert.h> #include <string.h> #include <stdio.h> #include <utilities/SecCFRelease.h> #include <corecrypto/ccdh_gp.h> #ifdef USE_CDSA_CRYPTO //#include <utilities/globalizer.h> //#include <utilities/threading.h> #include <Security/cssmapi.h> #include <Security/SecKeyPriv.h> #include "ModuleAttacher.h" #else #include <AssertMacros.h> #include <Security/oidsalg.h> #if APPLE_DH #if TARGET_OS_IPHONE #include <Security/SecRSAKey.h> #endif static OSStatus SSLGenServerDHParamsAndKey(SSLContext *ctx); static size_t SSLEncodedDHKeyParamsLen(SSLContext *ctx); static OSStatus SSLEncodeDHKeyParams(SSLContext *ctx, uint8_t *charPtr); #endif /* APPLE_DH */ #endif /* USE_CDSA_CRYPTO */ // MARK: - // MARK: Forward Static Declarations #if APPLE_DH #if USE_CDSA_CRYPTO static OSStatus SSLGenServerDHParamsAndKey(SSLContext *ctx); static OSStatus SSLEncodeDHKeyParams(SSLContext *ctx, uint8_t *charPtr); #endif static OSStatus SSLDecodeDHKeyParams(SSLContext *ctx, uint8_t **charPtr, size_t length); #endif static OSStatus SSLDecodeECDHKeyParams(SSLContext *ctx, uint8_t **charPtr, size_t length); #define DH_PARAM_DUMP 0 #if DH_PARAM_DUMP static void dumpBuf(const char *name, SSLBuffer *buf) { printf("%s:\n", name); uint8_t *cp = buf->data; uint8_t *endCp = cp + buf->length; do { unsigned i; for(i=0; i<16; i++) { printf("%02x ", *cp++); if(cp == endCp) { break; } } if(cp == endCp) { break; } printf("\n"); } while(cp < endCp); printf("\n"); } #else #define dumpBuf(n, b) #endif /* DH_PARAM_DUMP */ #if APPLE_DH // MARK: - // MARK: Local Diffie-Hellman Parameter Generator /* * Process-wide server-supplied Diffie-Hellman parameters. * This might be overridden by some API_supplied parameters * in the future. */ struct ServerDhParams { /* these two for sending over the wire */ SSLBuffer prime; SSLBuffer generator; /* this one for sending to the CSP at key gen time */ SSLBuffer paramBlock; }; #endif /* APPLE_DH */ // MARK: - // MARK: RSA Key Exchange /* * Client RSA Key Exchange msgs actually start with a two-byte * length field, contrary to the first version of RFC 2246, dated * January 1999. See RFC 2246, March 2002, section 7.4.7.1 for * updated requirements. */ #define RSA_CLIENT_KEY_ADD_LENGTH 1 static OSStatus SSLEncodeRSAKeyParams(SSLBuffer *keyParams, SSLPubKey *key, SSLContext *ctx) { #if 0 SSLBuffer modulus, exponent; uint8_t *charPtr; #ifdef USE_CDSA_CRYPTO if(err = attachToCsp(ctx)) { return err; } /* Note currently ALL public keys are raw, obtained from the CL... */ assert((*key)->KeyHeader.BlobType == CSSM_KEYBLOB_RAW); #endif /* USE_CDSA_CRYPTO */ err = sslGetPubKeyBits(ctx, key, &modulus, &exponent); if(err) { SSLFreeBuffer(&modulus); SSLFreeBuffer(&exponent); return err; } if ((err = SSLAllocBuffer(keyParams, modulus.length + exponent.length + 4, ctx)) != 0) { return err; } charPtr = keyParams->data; charPtr = SSLEncodeInt(charPtr, modulus.length, 2); memcpy(charPtr, modulus.data, modulus.length); charPtr += modulus.length; charPtr = SSLEncodeInt(charPtr, exponent.length, 2); memcpy(charPtr, exponent.data, exponent.length); /* these were mallocd by sslGetPubKeyBits() */ SSLFreeBuffer(&modulus); SSLFreeBuffer(&exponent); return errSecSuccess; #else CFDataRef modulus = SecKeyCopyModulus(SECKEYREF(key)); if (!modulus) { sslErrorLog("SSLEncodeRSAKeyParams: SecKeyCopyModulus failed\n"); return errSSLCrypto; } CFDataRef exponent = SecKeyCopyExponent(SECKEYREF(key)); if (!exponent) { sslErrorLog("SSLEncodeRSAKeyParams: SecKeyCopyExponent failed\n"); CFRelease(modulus); return errSSLCrypto; } CFIndex modulusLength = CFDataGetLength(modulus); CFIndex exponentLength = CFDataGetLength(exponent); sslDebugLog("SSLEncodeRSAKeyParams: modulus len=%ld, exponent len=%ld\n", modulusLength, exponentLength); OSStatus err; if ((err = SSLAllocBuffer(keyParams, modulusLength + exponentLength + 4)) != 0) { CFReleaseSafe(exponent); CFReleaseSafe(modulus); return err; } uint8_t *charPtr = keyParams->data; charPtr = SSLEncodeSize(charPtr, modulusLength, 2); memcpy(charPtr, CFDataGetBytePtr(modulus), modulusLength); charPtr += modulusLength; charPtr = SSLEncodeSize(charPtr, exponentLength, 2); memcpy(charPtr, CFDataGetBytePtr(exponent), exponentLength); CFRelease(modulus); CFRelease(exponent); return errSecSuccess; #endif } static OSStatus SSLEncodeRSAPremasterSecret(SSLContext *ctx) { SSLBuffer randData; OSStatus err; if ((err = SSLAllocBuffer(&ctx->preMasterSecret, SSL_RSA_PREMASTER_SECRET_SIZE)) != 0) return err; assert(ctx->negProtocolVersion >= SSL_Version_3_0); SSLEncodeInt(ctx->preMasterSecret.data, ctx->clientReqProtocol, 2); randData.data = ctx->preMasterSecret.data+2; randData.length = SSL_RSA_PREMASTER_SECRET_SIZE - 2; if ((err = sslRand(&randData)) != 0) return err; return errSecSuccess; } /* * Generate a server key exchange message signed by our RSA or DSA private key. */ static OSStatus SSLSignServerKeyExchangeTls12(SSLContext *ctx, SSLSignatureAndHashAlgorithm sigAlg, SSLBuffer exchangeParams, SSLBuffer signature, size_t *actSigLen) { OSStatus err; SSLBuffer hashOut, hashCtx, clientRandom, serverRandom; uint8_t hashes[SSL_MAX_DIGEST_LEN]; SSLBuffer signedHashes; uint8_t *dataToSign; size_t dataToSignLen; const HashReference *hashRef; SecAsn1AlgId algId; signedHashes.data = 0; hashCtx.data = 0; clientRandom.data = ctx->clientRandom; clientRandom.length = SSL_CLIENT_SRVR_RAND_SIZE; serverRandom.data = ctx->serverRandom; serverRandom.length = SSL_CLIENT_SRVR_RAND_SIZE; switch (sigAlg.hash) { case SSL_HashAlgorithmSHA1: hashRef = &SSLHashSHA1; algId.algorithm = CSSMOID_SHA1WithRSA; break; case SSL_HashAlgorithmSHA256: hashRef = &SSLHashSHA256; algId.algorithm = CSSMOID_SHA256WithRSA; break; case SSL_HashAlgorithmSHA384: hashRef = &SSLHashSHA384; algId.algorithm = CSSMOID_SHA384WithRSA; break; default: sslErrorLog("SSLVerifySignedServerKeyExchangeTls12: unsupported hash %d\n", sigAlg.hash); return errSSLProtocol; } dataToSign = hashes; dataToSignLen = hashRef->digestSize; hashOut.data = hashes; hashOut.length = hashRef->digestSize; if ((err = ReadyHash(hashRef, &hashCtx)) != 0) goto fail; if ((err = hashRef->update(&hashCtx, &clientRandom)) != 0) goto fail; if ((err = hashRef->update(&hashCtx, &serverRandom)) != 0) goto fail; if ((err = hashRef->update(&hashCtx, &exchangeParams)) != 0) goto fail; if ((err = hashRef->final(&hashCtx, &hashOut)) != 0) goto fail; if(sigAlg.signature==SSL_SignatureAlgorithmRSA) { err = sslRsaSign(ctx, ctx->signingPrivKeyRef, &algId, dataToSign, dataToSignLen, signature.data, signature.length, actSigLen); } else { err = sslRawSign(ctx, ctx->signingPrivKeyRef, dataToSign, // one or two hashes dataToSignLen, signature.data, signature.length, actSigLen); } if(err) { sslErrorLog("SSLDecodeSignedServerKeyExchangeTls12: sslRawVerify " "returned %d\n", (int)err); goto fail; } fail: SSLFreeBuffer(&signedHashes); SSLFreeBuffer(&hashCtx); return err; } static OSStatus SSLSignServerKeyExchange(SSLContext *ctx, bool isRsa, SSLBuffer exchangeParams, SSLBuffer signature, size_t *actSigLen) { OSStatus err; uint8_t hashes[SSL_SHA1_DIGEST_LEN + SSL_MD5_DIGEST_LEN]; SSLBuffer clientRandom,serverRandom,hashCtx, hash; uint8_t *dataToSign; size_t dataToSignLen; hashCtx.data = 0; /* cook up hash(es) for raw sign */ clientRandom.data = ctx->clientRandom; clientRandom.length = SSL_CLIENT_SRVR_RAND_SIZE; serverRandom.data = ctx->serverRandom; serverRandom.length = SSL_CLIENT_SRVR_RAND_SIZE; if(isRsa) { /* skip this if signing with DSA */ dataToSign = hashes; dataToSignLen = SSL_SHA1_DIGEST_LEN + SSL_MD5_DIGEST_LEN; hash.data = &hashes[0]; hash.length = SSL_MD5_DIGEST_LEN; if ((err = ReadyHash(&SSLHashMD5, &hashCtx)) != 0) goto fail; if ((err = SSLHashMD5.update(&hashCtx, &clientRandom)) != 0) goto fail; if ((err = SSLHashMD5.update(&hashCtx, &serverRandom)) != 0) goto fail; if ((err = SSLHashMD5.update(&hashCtx, &exchangeParams)) != 0) goto fail; if ((err = SSLHashMD5.final(&hashCtx, &hash)) != 0) goto fail; if ((err = SSLFreeBuffer(&hashCtx)) != 0) goto fail; } else { /* DSA - just use the SHA1 hash */ dataToSign = &hashes[SSL_MD5_DIGEST_LEN]; dataToSignLen = SSL_SHA1_DIGEST_LEN; } hash.data = &hashes[SSL_MD5_DIGEST_LEN]; hash.length = SSL_SHA1_DIGEST_LEN; if ((err = ReadyHash(&SSLHashSHA1, &hashCtx)) != 0) goto fail; if ((err = SSLHashSHA1.update(&hashCtx, &clientRandom)) != 0) goto fail; if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0) goto fail; if ((err = SSLHashSHA1.update(&hashCtx, &exchangeParams)) != 0) goto fail; if ((err = SSLHashSHA1.final(&hashCtx, &hash)) != 0) goto fail; if ((err = SSLFreeBuffer(&hashCtx)) != 0) goto fail; err = sslRawSign(ctx, ctx->signingPrivKeyRef, dataToSign, // one or two hashes dataToSignLen, signature.data, signature.length, actSigLen); if(err) { goto fail; } fail: SSLFreeBuffer(&hashCtx); return err; } static OSStatus FindSigAlg(SSLContext *ctx, SSLSignatureAndHashAlgorithm *alg) { unsigned i; assert(ctx->protocolSide == kSSLServerSide); assert(ctx->negProtocolVersion >= TLS_Version_1_2); assert(!ctx->isDTLS); if((ctx->numClientSigAlgs==0) ||(ctx->clientSigAlgs==NULL)) return errSSLInternal; //FIXME: Need a better way to select here for(i=0; i<ctx->numClientSigAlgs; i++) { alg->hash = ctx->clientSigAlgs[i].hash; alg->signature = ctx->clientSigAlgs[i].signature; //We only support RSA for certs on the server side - but we should test against the cert type if(ctx->clientSigAlgs[i].signature != SSL_SignatureAlgorithmRSA) continue; //Let's only support SHA1 and SHA256. SHA384 does not work with 512 bits keys. // We should actually test against what the cert can do. if((alg->hash==SSL_HashAlgorithmSHA1) || (alg->hash==SSL_HashAlgorithmSHA256)) { return errSecSuccess; } } // We could not find a supported signature and hash algorithm return errSSLProtocol; } static OSStatus SSLEncodeSignedServerKeyExchange(SSLRecord *keyExch, SSLContext *ctx) { OSStatus err; uint8_t *charPtr; size_t outputLen; bool isRsa = true; size_t maxSigLen; size_t actSigLen; SSLBuffer signature; int head = 4; SSLBuffer exchangeParams; assert(ctx->protocolSide == kSSLServerSide); assert(ctx->signingPubKey != NULL); assert(ctx->negProtocolVersion >= SSL_Version_3_0); exchangeParams.data = 0; signature.data = 0; #if ENABLE_DTLS if(ctx->negProtocolVersion == DTLS_Version_1_0) { head+=8; } #endif /* Set up parameter block to hash ==> exchangeParams */ switch(ctx->selectedCipherSpecParams.keyExchangeMethod) { case SSL_RSA: case SSL_RSA_EXPORT: /* * Parameter block = encryption public key. * If app hasn't supplied a separate encryption cert, abort. */ if(ctx->encryptPubKey == NULL) { sslErrorLog("RSAServerKeyExchange: no encrypt cert\n"); return errSSLBadConfiguration; } err = SSLEncodeRSAKeyParams(&exchangeParams, ctx->encryptPubKey, ctx); break; #if APPLE_DH case SSL_DHE_DSS: case SSL_DHE_DSS_EXPORT: isRsa = false; /* and fall through */ case SSL_DHE_RSA: case SSL_DHE_RSA_EXPORT: { /* * Parameter block = {prime, generator, public key} * Obtain D-H parameters (if we don't have them) and a key pair. */ err = SSLGenServerDHParamsAndKey(ctx); if(err) { return err; } size_t len = SSLEncodedDHKeyParamsLen(ctx); err = SSLAllocBuffer(&exchangeParams, len); if(err) { goto fail; } err = SSLEncodeDHKeyParams(ctx, exchangeParams.data); break; } #endif /* APPLE_DH */ default: /* shouldn't be here */ assert(0); return errSSLInternal; } SSLSignatureAndHashAlgorithm sigAlg; /* preallocate a buffer for signing */ err = sslGetMaxSigSize(ctx->signingPrivKeyRef, &maxSigLen); if(err) { goto fail; } err = SSLAllocBuffer(&signature, maxSigLen); if(err) { goto fail; } outputLen = exchangeParams.length + 2; if (sslVersionIsLikeTls12(ctx)) { err=FindSigAlg(ctx, &sigAlg); if(err) goto fail; outputLen += 2; err = SSLSignServerKeyExchangeTls12(ctx, sigAlg, exchangeParams, signature, &actSigLen); } else { err = SSLSignServerKeyExchange(ctx, isRsa, exchangeParams, signature, &actSigLen); } if(err) goto fail; assert(actSigLen <= maxSigLen); outputLen += actSigLen; /* package it all up */ keyExch->protocolVersion = ctx->negProtocolVersion; keyExch->contentType = SSL_RecordTypeHandshake; if ((err = SSLAllocBuffer(&keyExch->contents, outputLen+head)) != 0) goto fail; charPtr = SSLEncodeHandshakeHeader(ctx, keyExch, SSL_HdskServerKeyExchange, outputLen); memcpy(charPtr, exchangeParams.data, exchangeParams.length); charPtr += exchangeParams.length; if (sslVersionIsLikeTls12(ctx)) { *charPtr++=sigAlg.hash; *charPtr++=sigAlg.signature; } charPtr = SSLEncodeInt(charPtr, actSigLen, 2); memcpy(charPtr, signature.data, actSigLen); assert((charPtr + actSigLen) == (keyExch->contents.data + keyExch->contents.length)); err = errSecSuccess; fail: SSLFreeBuffer(&exchangeParams); SSLFreeBuffer(&signature); return err; } static OSStatus SSLVerifySignedServerKeyExchange(SSLContext *ctx, bool isRsa, SSLBuffer signedParams, uint8_t *signature, UInt16 signatureLen) { OSStatus err; SSLBuffer hashOut, hashCtx, clientRandom, serverRandom; uint8_t hashes[SSL_SHA1_DIGEST_LEN + SSL_MD5_DIGEST_LEN]; SSLBuffer signedHashes; uint8_t *dataToSign; size_t dataToSignLen; signedHashes.data = 0; hashCtx.data = 0; clientRandom.data = ctx->clientRandom; clientRandom.length = SSL_CLIENT_SRVR_RAND_SIZE; serverRandom.data = ctx->serverRandom; serverRandom.length = SSL_CLIENT_SRVR_RAND_SIZE; if(isRsa) { /* skip this if signing with DSA */ dataToSign = hashes; dataToSignLen = SSL_SHA1_DIGEST_LEN + SSL_MD5_DIGEST_LEN; hashOut.data = hashes; hashOut.length = SSL_MD5_DIGEST_LEN; if ((err = ReadyHash(&SSLHashMD5, &hashCtx)) != 0) goto fail; if ((err = SSLHashMD5.update(&hashCtx, &clientRandom)) != 0) goto fail; if ((err = SSLHashMD5.update(&hashCtx, &serverRandom)) != 0) goto fail; if ((err = SSLHashMD5.update(&hashCtx, &signedParams)) != 0) goto fail; if ((err = SSLHashMD5.final(&hashCtx, &hashOut)) != 0) goto fail; } else { /* DSA, ECDSA - just use the SHA1 hash */ dataToSign = &hashes[SSL_MD5_DIGEST_LEN]; dataToSignLen = SSL_SHA1_DIGEST_LEN; } hashOut.data = hashes + SSL_MD5_DIGEST_LEN; hashOut.length = SSL_SHA1_DIGEST_LEN; if ((err = SSLFreeBuffer(&hashCtx)) != 0) goto fail; if ((err = ReadyHash(&SSLHashSHA1, &hashCtx)) != 0) goto fail; if ((err = SSLHashSHA1.update(&hashCtx, &clientRandom)) != 0) goto fail; if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0) goto fail; if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0) goto fail; goto fail; if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0) goto fail; err = sslRawVerify(ctx, ctx->peerPubKey, dataToSign, /* plaintext */ dataToSignLen, /* plaintext length */ signature, signatureLen); if(err) { sslErrorLog("SSLDecodeSignedServerKeyExchange: sslRawVerify " "returned %d\n", (int)err); goto fail; } fail: SSLFreeBuffer(&signedHashes); SSLFreeBuffer(&hashCtx); return err; } static OSStatus SSLVerifySignedServerKeyExchangeTls12(SSLContext *ctx, SSLSignatureAndHashAlgorithm sigAlg, SSLBuffer signedParams, uint8_t *signature, UInt16 signatureLen) { OSStatus err; SSLBuffer hashOut, hashCtx, clientRandom, serverRandom; uint8_t hashes[SSL_MAX_DIGEST_LEN]; SSLBuffer signedHashes; uint8_t *dataToSign; size_t dataToSignLen; const HashReference *hashRef; SecAsn1AlgId algId; signedHashes.data = 0; hashCtx.data = 0; clientRandom.data = ctx->clientRandom; clientRandom.length = SSL_CLIENT_SRVR_RAND_SIZE; serverRandom.data = ctx->serverRandom; serverRandom.length = SSL_CLIENT_SRVR_RAND_SIZE; switch (sigAlg.hash) { case SSL_HashAlgorithmSHA1: hashRef = &SSLHashSHA1; algId.algorithm = CSSMOID_SHA1WithRSA; break; case SSL_HashAlgorithmSHA256: hashRef = &SSLHashSHA256; algId.algorithm = CSSMOID_SHA256WithRSA; break; case SSL_HashAlgorithmSHA384: hashRef = &SSLHashSHA384; algId.algorithm = CSSMOID_SHA384WithRSA; break; default: sslErrorLog("SSLVerifySignedServerKeyExchangeTls12: unsupported hash %d\n", sigAlg.hash); return errSSLProtocol; } dataToSign = hashes; dataToSignLen = hashRef->digestSize; hashOut.data = hashes; hashOut.length = hashRef->digestSize; if ((err = ReadyHash(hashRef, &hashCtx)) != 0) goto fail; if ((err = hashRef->update(&hashCtx, &clientRandom)) != 0) goto fail; if ((err = hashRef->update(&hashCtx, &serverRandom)) != 0) goto fail; if ((err = hashRef->update(&hashCtx, &signedParams)) != 0) goto fail; if ((err = hashRef->final(&hashCtx, &hashOut)) != 0) goto fail; if(sigAlg.signature==SSL_SignatureAlgorithmRSA) { err = sslRsaVerify(ctx, ctx->peerPubKey, &algId, dataToSign, dataToSignLen, signature, signatureLen); } else { err = sslRawVerify(ctx, ctx->peerPubKey, dataToSign, /* plaintext */ dataToSignLen, /* plaintext length */ signature, signatureLen); } if(err) { sslErrorLog("SSLDecodeSignedServerKeyExchangeTls12: sslRawVerify " "returned %d\n", (int)err); goto fail; } fail: SSLFreeBuffer(&signedHashes); SSLFreeBuffer(&hashCtx); return err; } /* * Decode and verify a server key exchange message signed by server's * public key. */ static OSStatus SSLDecodeSignedServerKeyExchange(SSLBuffer message, SSLContext *ctx) { OSStatus err; UInt16 modulusLen = 0, exponentLen = 0, signatureLen; uint8_t *modulus = NULL, *exponent = NULL, *signature; bool isRsa = true; assert(ctx->protocolSide == kSSLClientSide); if (message.length < 2) { sslErrorLog("SSLDecodeSignedServerKeyExchange: msg len error 1\n"); return errSSLProtocol; } /* first extract the key-exchange-method-specific parameters */ uint8_t *charPtr = message.data; uint8_t *endCp = charPtr + message.length; switch(ctx->selectedCipherSpecParams.keyExchangeMethod) { case SSL_RSA: case SSL_RSA_EXPORT: modulusLen = SSLDecodeInt(charPtr, 2); charPtr += 2; if((charPtr + modulusLen) > endCp) { sslErrorLog("signedServerKeyExchange: msg len error 2\n"); return errSSLProtocol; } modulus = charPtr; charPtr += modulusLen; exponentLen = SSLDecodeInt(charPtr, 2); charPtr += 2; if((charPtr + exponentLen) > endCp) { sslErrorLog("signedServerKeyExchange: msg len error 3\n"); return errSSLProtocol; } exponent = charPtr; charPtr += exponentLen; break; #if APPLE_DH case SSL_DHE_DSS: case SSL_DHE_DSS_EXPORT: isRsa = false; /* and fall through */ case SSL_DHE_RSA: case SSL_DHE_RSA_EXPORT: err = SSLDecodeDHKeyParams(ctx, &charPtr, message.length); if(err) { return err; } break; #endif /* APPLE_DH */ case SSL_ECDHE_ECDSA: isRsa = false; /* and fall through */ case SSL_ECDHE_RSA: err = SSLDecodeECDHKeyParams(ctx, &charPtr, message.length); if(err) { return err; } break; default: assert(0); return errSSLInternal; } /* this is what's hashed */ SSLBuffer signedParams; signedParams.data = message.data; signedParams.length = charPtr - message.data; SSLSignatureAndHashAlgorithm sigAlg; if (sslVersionIsLikeTls12(ctx)) { /* Parse the algorithm field added in TLS1.2 */ if((charPtr + 2) > endCp) { sslErrorLog("signedServerKeyExchange: msg len error 499\n"); return errSSLProtocol; } sigAlg.hash = *charPtr++; sigAlg.signature = *charPtr++; } signatureLen = SSLDecodeInt(charPtr, 2); charPtr += 2; if((charPtr + signatureLen) != endCp) { sslErrorLog("signedServerKeyExchange: msg len error 4\n"); return errSSLProtocol; } signature = charPtr; if (sslVersionIsLikeTls12(ctx)) { err = SSLVerifySignedServerKeyExchangeTls12(ctx, sigAlg, signedParams, signature, signatureLen); } else { err = SSLVerifySignedServerKeyExchange(ctx, isRsa, signedParams, signature, signatureLen); } if(err) goto fail; /* Signature matches; now replace server key with new key (RSA only) */ switch(ctx->selectedCipherSpecParams.keyExchangeMethod) { case SSL_RSA: case SSL_RSA_EXPORT: { SSLBuffer modBuf; SSLBuffer expBuf; /* first free existing peerKey */ sslFreePubKey(&ctx->peerPubKey); /* no KCItem */ /* and cook up a new one from raw bits */ modBuf.data = modulus; modBuf.length = modulusLen; expBuf.data = exponent; expBuf.length = exponentLen; err = sslGetPubKeyFromBits(ctx, &modBuf, &expBuf, &ctx->peerPubKey); break; } case SSL_DHE_RSA: case SSL_DHE_RSA_EXPORT: case SSL_DHE_DSS: case SSL_DHE_DSS_EXPORT: case SSL_ECDHE_ECDSA: case SSL_ECDHE_RSA: break; /* handled above */ default: assert(0); } fail: return err; } static OSStatus SSLDecodeRSAKeyExchange(SSLBuffer keyExchange, SSLContext *ctx) { OSStatus err; size_t outputLen, localKeyModulusLen; SSLProtocolVersion version; Boolean useEncryptKey = false; uint8_t *src = NULL; SSLPrivKey *keyRef = NULL; assert(ctx->protocolSide == kSSLServerSide); if (ctx->encryptPrivKeyRef) { useEncryptKey = true; } if (useEncryptKey) { keyRef = ctx->encryptPrivKeyRef; /* FIXME: when 3420180 is implemented, pick appropriate creds here */ } else { keyRef = ctx->signingPrivKeyRef; /* FIXME: when 3420180 is implemented, pick appropriate creds here */ } localKeyModulusLen = sslPrivKeyLengthInBytes(keyRef); if (localKeyModulusLen == 0) { sslErrorLog("SSLDecodeRSAKeyExchange: private key modulus is 0\n"); return errSSLCrypto; } /* * We have to tolerate incoming key exchange msgs with and without the * two-byte "encrypted length" field. */ if (keyExchange.length == localKeyModulusLen) { /* no length encoded */ src = keyExchange.data; } else if((keyExchange.length == (localKeyModulusLen + 2)) && (ctx->negProtocolVersion >= TLS_Version_1_0)) { /* TLS only - skip the length bytes */ src = keyExchange.data + 2; } else { sslErrorLog("SSLDecodeRSAKeyExchange: length error (exp %u got %u)\n", (unsigned)localKeyModulusLen, (unsigned)keyExchange.length); return errSSLProtocol; } err = SSLAllocBuffer(&ctx->preMasterSecret, SSL_RSA_PREMASTER_SECRET_SIZE); if(err != 0) { return err; } /* * From this point on, to defend against the Bleichenbacher attack * and its Klima-Pokorny-Rosa variant, any errors we detect are *not* * reported to the caller or the peer. If we detect any error during * decryption (e.g., bad PKCS1 padding) or in the testing of the version * number in the premaster secret, we proceed by generating a random * premaster secret, with the correct version number, and tell our caller * that everything is fine. This session will fail as soon as the * finished messages are sent, since we will be using a bogus premaster * secret (and hence bogus session and MAC keys). Meanwhile we have * not provided any side channel information relating to the cause of * the failure. * * See http://eprint.iacr.org/2003/052/ for more info. */ err = sslRsaDecrypt(ctx, keyRef, #if USE_CDSA_CRYPTO CSSM_PADDING_PKCS1, #else kSecPaddingPKCS1, #endif src, localKeyModulusLen, // ciphertext len ctx->preMasterSecret.data, SSL_RSA_PREMASTER_SECRET_SIZE, // plaintext buf available &outputLen); if(err != errSecSuccess) { /* possible Bleichenbacher attack */ sslLogNegotiateDebug("SSLDecodeRSAKeyExchange: RSA decrypt fail"); } else if(outputLen != SSL_RSA_PREMASTER_SECRET_SIZE) { sslLogNegotiateDebug("SSLDecodeRSAKeyExchange: premaster secret size error"); err = errSSLProtocol; // not passed back to caller } if(err == errSecSuccess) { /* * Two legal values here - the one we actually negotiated (which is * technically incorrect but not uncommon), and the one the client * sent as its preferred version in the client hello msg. */ version = (SSLProtocolVersion)SSLDecodeInt(ctx->preMasterSecret.data, 2); if((version != ctx->negProtocolVersion) && (version != ctx->clientReqProtocol)) { /* possible Klima-Pokorny-Rosa attack */ sslLogNegotiateDebug("SSLDecodeRSAKeyExchange: version error"); err = errSSLProtocol; } } if(err != errSecSuccess) { /* * Obfuscate failures for defense against Bleichenbacher and * Klima-Pokorny-Rosa attacks. */ SSLEncodeInt(ctx->preMasterSecret.data, ctx->negProtocolVersion, 2); SSLBuffer tmpBuf; tmpBuf.data = ctx->preMasterSecret.data + 2; tmpBuf.length = SSL_RSA_PREMASTER_SECRET_SIZE - 2; /* must ignore failures here */ sslRand(&tmpBuf); } /* in any case, save premaster secret (good or bogus) and proceed */ return errSecSuccess; } static OSStatus SSLEncodeRSAKeyExchange(SSLRecord *keyExchange, SSLContext *ctx) { OSStatus err; size_t outputLen, peerKeyModulusLen; size_t bufLen; uint8_t *dst; bool encodeLen = false; uint8_t *p; int head; size_t msglen; assert(ctx->protocolSide == kSSLClientSide); if ((err = SSLEncodeRSAPremasterSecret(ctx)) != 0) return err; keyExchange->contentType = SSL_RecordTypeHandshake; assert(ctx->negProtocolVersion >= SSL_Version_3_0); keyExchange->protocolVersion = ctx->negProtocolVersion; peerKeyModulusLen = sslPubKeyLengthInBytes(ctx->peerPubKey); if (peerKeyModulusLen == 0) { sslErrorLog("SSLEncodeRSAKeyExchange: peer key modulus is 0\n"); /* FIXME: we don't return an error here... is this condition ever expected? */ } #if SSL_DEBUG sslDebugLog("SSLEncodeRSAKeyExchange: peer key modulus length = %lu\n", peerKeyModulusLen); #endif msglen = peerKeyModulusLen; #if RSA_CLIENT_KEY_ADD_LENGTH if(ctx->negProtocolVersion >= TLS_Version_1_0) { msglen += 2; encodeLen = true; } #endif head = SSLHandshakeHeaderSize(keyExchange); bufLen = msglen + head; if ((err = SSLAllocBuffer(&keyExchange->contents, bufLen)) != 0) { return err; } dst = keyExchange->contents.data + head; if(encodeLen) { dst += 2; } /* FIXME: can this line be removed? */ p = keyExchange->contents.data; p = SSLEncodeHandshakeHeader(ctx, keyExchange, SSL_HdskClientKeyExchange, msglen); if(encodeLen) { /* the length of the encrypted pre_master_secret */ SSLEncodeSize(keyExchange->contents.data + head, peerKeyModulusLen, 2); } err = sslRsaEncrypt(ctx, ctx->peerPubKey, #if USE_CDSA_CRYPTO CSSM_PADDING_PKCS1, #else kSecPaddingPKCS1, #endif ctx->preMasterSecret.data, SSL_RSA_PREMASTER_SECRET_SIZE, dst, peerKeyModulusLen, &outputLen); if(err) { sslErrorLog("SSLEncodeRSAKeyExchange: error %d\n", (int)err); return err; } assert(outputLen == (encodeLen ? msglen - 2 : msglen)); return errSecSuccess; } #if APPLE_DH // MARK: - // MARK: Diffie-Hellman Key Exchange /* * Diffie-Hellman setup, server side. On successful return, the * following SSLContext members are valid: * * dhParamsPrime * dhParamsGenerator * dhPrivate * dhExchangePublic */ static OSStatus SSLGenServerDHParamsAndKey( SSLContext *ctx) { OSStatus ortn; assert(ctx->protocolSide == kSSLServerSide); /* * Obtain D-H parameters if we don't have them. */ if(ctx->dhParamsEncoded.data == NULL) { /* TODO: Pick appropriate group based on cipher suite */ ccdh_const_gp_t gp = ccdh_gp_rfc5114_MODP_2048_256(); cc_size n = ccdh_gp_n(gp); size_t s = ccdh_gp_prime_size(gp); uint8_t p[s]; uint8_t g[s]; ccn_write_uint(n, ccdh_gp_prime(gp), s, p); ccn_write_uint(n, ccdh_gp_g(gp), s, g); const SSLBuffer prime = { .data = p, .length = s, }; const SSLBuffer generator = { .data = g, .length = s, }; ortn=sslEncodeDhParams(&ctx->dhParamsEncoded, /* data mallocd and RETURNED PKCS-3 encoded */ &prime, /* Wire format */ &generator); /* Wire format */ if(ortn) return ortn; } #if USE_CDSA_CRYPTO /* generate per-session D-H key pair */ sslFreeKey(ctx->cspHand, &ctx->dhPrivate, NULL); SSLFreeBuffer(&ctx->dhExchangePublic); ctx->dhPrivate = (CSSM_KEY *)sslMalloc(sizeof(CSSM_KEY)); CSSM_KEY pubKey; ortn = sslDhGenerateKeyPair(ctx, &ctx->dhParamsEncoded, ctx->dhParamsPrime.length * 8, &pubKey, ctx->dhPrivate); if(ortn) { return ortn; } CSSM_TO_SSLBUF(&pubKey.KeyData, &ctx->dhExchangePublic); #else if (!ctx->secDHContext) { ortn = sslDhCreateKey(ctx); if(ortn) return ortn; } return sslDhGenerateKeyPair(ctx); #endif return errSecSuccess; } /* * size of DH param and public key, in wire format */ static size_t SSLEncodedDHKeyParamsLen(SSLContext *ctx) { SSLBuffer prime; SSLBuffer generator; sslDecodeDhParams(&ctx->dhParamsEncoded, &prime, &generator); return (2+prime.length+2+generator.length+2+ctx->dhExchangePublic.length); } /* * Encode DH params and public key, in wire format, in caller-supplied buffer. */ static OSStatus SSLEncodeDHKeyParams( SSLContext *ctx, uint8_t *charPtr) { assert(ctx->protocolSide == kSSLServerSide); assert(ctx->dhParamsEncoded.data != NULL); assert(ctx->dhExchangePublic.data != NULL); SSLBuffer prime; SSLBuffer generator; sslDecodeDhParams(&ctx->dhParamsEncoded, &prime, &generator); charPtr = SSLEncodeInt(charPtr, prime.length, 2); memcpy(charPtr, prime.data, prime.length); charPtr += prime.length; charPtr = SSLEncodeInt(charPtr, generator.length, 2); memcpy(charPtr, generator.data, generator.length); charPtr += generator.length; /* TODO: hum.... sounds like this one should be in the SecDHContext */ charPtr = SSLEncodeInt(charPtr, ctx->dhExchangePublic.length, 2); memcpy(charPtr, ctx->dhExchangePublic.data, ctx->dhExchangePublic.length); dumpBuf("server prime", &prime); dumpBuf("server generator", &generator); dumpBuf("server pub key", &ctx->dhExchangePublic); return errSecSuccess; } /* * Decode DH params and server public key. */ static OSStatus SSLDecodeDHKeyParams( SSLContext *ctx, uint8_t **charPtr, // IN/OUT size_t length) { OSStatus err = errSecSuccess; SSLBuffer prime; SSLBuffer generator; assert(ctx->protocolSide == kSSLClientSide); uint8_t *endCp = *charPtr + length; /* Allow reuse via renegotiation */ SSLFreeBuffer(&ctx->dhPeerPublic); /* Prime, with a two-byte length */ UInt32 len = SSLDecodeInt(*charPtr, 2); (*charPtr) += 2; if((*charPtr + len) > endCp) { return errSSLProtocol; } prime.data = *charPtr; prime.length = len; (*charPtr) += len; /* Generator, with a two-byte length */ len = SSLDecodeInt(*charPtr, 2); (*charPtr) += 2; if((*charPtr + len) > endCp) { return errSSLProtocol; } generator.data = *charPtr; generator.length = len; (*charPtr) += len; sslEncodeDhParams(&ctx->dhParamsEncoded, &prime, &generator); /* peer public key, with a two-byte length */ len = SSLDecodeInt(*charPtr, 2); (*charPtr) += 2; err = SSLAllocBuffer(&ctx->dhPeerPublic, len); if(err) { return err; } memmove(ctx->dhPeerPublic.data, *charPtr, len); (*charPtr) += len; dumpBuf("client peer pub", &ctx->dhPeerPublic); // dumpBuf("client prime", &ctx->dhParamsPrime); // dumpBuf("client generator", &ctx->dhParamsGenerator); return err; } /* * Given the server's Diffie-Hellman parameters, generate our * own DH key pair, and perform key exchange using the server's * public key and our private key. The result is the premaster * secret. * * SSLContext members valid on entry: * dhParamsPrime * dhParamsGenerator * dhPeerPublic * * SSLContext members valid on successful return: * dhPrivate * dhExchangePublic * preMasterSecret */ static OSStatus SSLGenClientDHKeyAndExchange(SSLContext *ctx) { OSStatus ortn; #if USE_CDSA_CRYPTO if((ctx->dhParamsPrime.data == NULL) || (ctx->dhParamsGenerator.data == NULL) || (ctx->dhPeerPublic.data == NULL)) { sslErrorLog("SSLGenClientDHKeyAndExchange: incomplete server params\n"); return errSSLProtocol; } /* generate two keys */ CSSM_KEY pubKey; ctx->dhPrivate = (CSSM_KEY *)sslMalloc(sizeof(CSSM_KEY)); ortn = sslDhGenKeyPairClient(ctx, &ctx->dhParamsPrime, &ctx->dhParamsGenerator, &pubKey, ctx->dhPrivate); if(ortn) { sslFree(ctx->dhPrivate); ctx->dhPrivate = NULL; return ortn; } /* do the exchange, size of prime */ ortn = sslDhKeyExchange(ctx, ctx->dhParamsPrime.length * 8, &ctx->preMasterSecret); if(ortn) { return ortn; } CSSM_TO_SSLBUF(&pubKey.KeyData, &ctx->dhExchangePublic); #else ortn=errSSLProtocol; require(ctx->dhParamsEncoded.data, out); require_noerr(ortn = sslDhCreateKey(ctx), out); require_noerr(ortn = sslDhGenerateKeyPair(ctx), out); require_noerr(ortn = sslDhKeyExchange(ctx), out); out: #endif return ortn; } static OSStatus SSLEncodeDHanonServerKeyExchange(SSLRecord *keyExch, SSLContext *ctx) { OSStatus ortn = errSecSuccess; int head; assert(ctx->negProtocolVersion >= SSL_Version_3_0); assert(ctx->protocolSide == kSSLServerSide); /* * Obtain D-H parameters (if we don't have them) and a key pair. */ ortn = SSLGenServerDHParamsAndKey(ctx); if(ortn) { return ortn; } size_t length = SSLEncodedDHKeyParamsLen(ctx); keyExch->protocolVersion = ctx->negProtocolVersion; keyExch->contentType = SSL_RecordTypeHandshake; head = SSLHandshakeHeaderSize(keyExch); if ((ortn = SSLAllocBuffer(&keyExch->contents, length+head))) return ortn; uint8_t *charPtr = SSLEncodeHandshakeHeader(ctx, keyExch, SSL_HdskServerKeyExchange, length); /* encode prime, generator, our public key */ return SSLEncodeDHKeyParams(ctx, charPtr); } static OSStatus SSLDecodeDHanonServerKeyExchange(SSLBuffer message, SSLContext *ctx) { OSStatus err = errSecSuccess; assert(ctx->protocolSide == kSSLClientSide); if (message.length < 6) { sslErrorLog("SSLDecodeDHanonServerKeyExchange error: msg len %u\n", (unsigned)message.length); return errSSLProtocol; } uint8_t *charPtr = message.data; err = SSLDecodeDHKeyParams(ctx, &charPtr, message.length); if(err == errSecSuccess) { if((message.data + message.length) != charPtr) { err = errSSLProtocol; } } return err; } static OSStatus SSLDecodeDHClientKeyExchange(SSLBuffer keyExchange, SSLContext *ctx) { OSStatus ortn = errSecSuccess; unsigned int publicLen; assert(ctx->protocolSide == kSSLServerSide); if(ctx->dhParamsEncoded.data == NULL) { /* should never happen */ assert(0); return errSSLInternal; } /* this message simply contains the client's public DH key */ uint8_t *charPtr = keyExchange.data; publicLen = SSLDecodeInt(charPtr, 2); charPtr += 2; /* TODO : Check the len here ? Will fail in sslDhKeyExchange anyway */ /* if((keyExchange.length != publicLen + 2) || (publicLen > ctx->dhParamsPrime.length)) { return errSSLProtocol; } */ SSLFreeBuffer(&ctx->dhPeerPublic); // allow reuse via renegotiation ortn = SSLAllocBuffer(&ctx->dhPeerPublic, publicLen); if(ortn) { return ortn; } memmove(ctx->dhPeerPublic.data, charPtr, publicLen); /* DH Key exchange, result --> premaster secret */ SSLFreeBuffer(&ctx->preMasterSecret); #if USE_CDSA_CRYPTO ortn = sslDhKeyExchange(ctx, ctx->dhParamsPrime.length * 8, &ctx->preMasterSecret); #else ortn = sslDhKeyExchange(ctx); #endif dumpBuf("server peer pub", &ctx->dhPeerPublic); dumpBuf("server premaster", &ctx->preMasterSecret); return ortn; } static OSStatus SSLEncodeDHClientKeyExchange(SSLRecord *keyExchange, SSLContext *ctx) { OSStatus err; size_t outputLen; int head; assert(ctx->protocolSide == kSSLClientSide); assert(ctx->negProtocolVersion >= SSL_Version_3_0); keyExchange->contentType = SSL_RecordTypeHandshake; keyExchange->protocolVersion = ctx->negProtocolVersion; if ((err = SSLGenClientDHKeyAndExchange(ctx)) != 0) return err; outputLen = ctx->dhExchangePublic.length + 2; head = SSLHandshakeHeaderSize(keyExchange); if ((err = SSLAllocBuffer(&keyExchange->contents,outputLen + head))) return err; uint8_t *charPtr = SSLEncodeHandshakeHeader(ctx, keyExchange, SSL_HdskClientKeyExchange, outputLen); charPtr = SSLEncodeSize(charPtr, ctx->dhExchangePublic.length, 2); memcpy(charPtr, ctx->dhExchangePublic.data, ctx->dhExchangePublic.length); dumpBuf("client pub key", &ctx->dhExchangePublic); dumpBuf("client premaster", &ctx->preMasterSecret); return errSecSuccess; } #endif /* APPLE_DH */ // MARK: - // MARK: ECDSA Key Exchange /* * Given the server's ECDH curve params and public key, generate our * own ECDH key pair, and perform key exchange using the server's * public key and our private key. The result is the premaster * secret. * * SSLContext members valid on entry: * if keyExchangeMethod == SSL_ECDHE_ECDSA or SSL_ECDHE_RSA: * ecdhPeerPublic * ecdhPeerCurve * if keyExchangeMethod == SSL_ECDH_ECDSA or SSL_ECDH_RSA: * peerPubKey, from which we infer ecdhPeerCurve * * SSLContext members valid on successful return: * ecdhPrivate * ecdhExchangePublic * preMasterSecret */ static OSStatus SSLGenClientECDHKeyAndExchange(SSLContext *ctx) { OSStatus ortn; assert(ctx->protocolSide == kSSLClientSide); switch(ctx->selectedCipherSpecParams.keyExchangeMethod) { case SSL_ECDHE_ECDSA: case SSL_ECDHE_RSA: /* Server sent us an ephemeral key with peer curve specified */ if(ctx->ecdhPeerPublic.data == NULL) { sslErrorLog("SSLGenClientECDHKeyAndExchange: incomplete server params\n"); return errSSLProtocol; } break; case SSL_ECDH_ECDSA: case SSL_ECDH_RSA: { /* No server key exchange; we have to get the curve from the key */ if(ctx->peerPubKey == NULL) { sslErrorLog("SSLGenClientECDHKeyAndExchange: no peer key\n"); return errSSLInternal; } /* The peer curve is in the key's CSSM_X509_ALGORITHM_IDENTIFIER... */ ortn = sslEcdsaPeerCurve(ctx->peerPubKey, &ctx->ecdhPeerCurve); if(ortn) { return ortn; } sslEcdsaDebug("SSLGenClientECDHKeyAndExchange: derived peerCurve %u", (unsigned)ctx->ecdhPeerCurve); break; } default: /* shouldn't be here */ assert(0); return errSSLInternal; } /* Generate our (ephemeral) pair, or extract it from our signing identity */ if((ctx->negAuthType == SSLClientAuth_RSAFixedECDH) || (ctx->negAuthType == SSLClientAuth_ECDSAFixedECDH)) { /* * Client auth with a fixed ECDH key in the cert. Convert private key * from SecKeyRef to CSSM format. We don't need ecdhExchangePublic * because the server gets that from our cert. */ assert(ctx->signingPrivKeyRef != NULL); #if USE_CDSA_CRYPTO //assert(ctx->cspHand != 0); sslFreeKey(ctx->cspHand, &ctx->ecdhPrivate, NULL); SSLFreeBuffer(&ctx->ecdhExchangePublic); ortn = SecKeyGetCSSMKey(ctx->signingPrivKeyRef, (const CSSM_KEY **)&ctx->ecdhPrivate); if(ortn) { return ortn; } ortn = SecKeyGetCSPHandle(ctx->signingPrivKeyRef, &ctx->ecdhPrivCspHand); if(ortn) { sslErrorLog("SSLGenClientECDHKeyAndExchange: SecKeyGetCSPHandle err %d\n", (int)ortn); } #endif sslEcdsaDebug("+++ Extracted ECDH private key"); } else { /* generate a new pair */ ortn = sslEcdhGenerateKeyPair(ctx, ctx->ecdhPeerCurve); if(ortn) { return ortn; } #if USE_CDSA_CRYPTO sslEcdsaDebug("+++ Generated %u bit (%u byte) ECDH key pair", (unsigned)ctx->ecdhPrivate->KeyHeader.LogicalKeySizeInBits, (unsigned)((ctx->ecdhPrivate->KeyHeader.LogicalKeySizeInBits + 7) / 8)); #endif } /* do the exchange --> premaster secret */ ortn = sslEcdhKeyExchange(ctx, &ctx->preMasterSecret); if(ortn) { return ortn; } return errSecSuccess; } /* * Decode ECDH params and server public key. */ static OSStatus SSLDecodeECDHKeyParams( SSLContext *ctx, uint8_t **charPtr, // IN/OUT size_t length) { OSStatus err = errSecSuccess; sslEcdsaDebug("+++ Decoding ECDH Server Key Exchange"); assert(ctx->protocolSide == kSSLClientSide); uint8_t *endCp = *charPtr + length; /* Allow reuse via renegotiation */ SSLFreeBuffer(&ctx->ecdhPeerPublic); /*** ECParameters - just a curveType and a named curve ***/ /* 1-byte curveType, we only allow one type */ uint8_t curveType = **charPtr; if(curveType != SSL_CurveTypeNamed) { sslEcdsaDebug("+++ SSLDecodeECDHKeyParams: Bad curveType (%u)\n", (unsigned)curveType); return errSSLProtocol; } (*charPtr)++; if(*charPtr > endCp) { return errSSLProtocol; } /* two-byte curve */ ctx->ecdhPeerCurve = SSLDecodeInt(*charPtr, 2); (*charPtr) += 2; if(*charPtr > endCp) { return errSSLProtocol; } switch(ctx->ecdhPeerCurve) { case SSL_Curve_secp256r1: case SSL_Curve_secp384r1: case SSL_Curve_secp521r1: break; default: sslEcdsaDebug("+++ SSLDecodeECDHKeyParams: Bad curve (%u)\n", (unsigned)ctx->ecdhPeerCurve); return errSSLProtocol; } sslEcdsaDebug("+++ SSLDecodeECDHKeyParams: ecdhPeerCurve %u", (unsigned)ctx->ecdhPeerCurve); /*** peer public key as an ECPoint ***/ /* * The spec says the the max length of an ECPoint is 255 bytes, limiting * this whole mechanism to a max modulus size of 1020 bits, which I find * hard to believe... */ UInt32 len = SSLDecodeInt(*charPtr, 1); (*charPtr)++; if((*charPtr + len) > endCp) { return errSSLProtocol; } err = SSLAllocBuffer(&ctx->ecdhPeerPublic, len); if(err) { return err; } memmove(ctx->ecdhPeerPublic.data, *charPtr, len); (*charPtr) += len; dumpBuf("client peer pub", &ctx->ecdhPeerPublic); return err; } static OSStatus SSLEncodeECDHClientKeyExchange(SSLRecord *keyExchange, SSLContext *ctx) { OSStatus err; size_t outputLen; int head; assert(ctx->protocolSide == kSSLClientSide); if ((err = SSLGenClientECDHKeyAndExchange(ctx)) != 0) return err; /* * Per RFC 4492 5.7, if we're doing ECDSA_fixed_ECDH or RSA_fixed_ECDH * client auth, we still send this message, but it's empty (because the * server gets our public key from our cert). */ bool emptyMsg = false; switch(ctx->negAuthType) { case SSLClientAuth_RSAFixedECDH: case SSLClientAuth_ECDSAFixedECDH: emptyMsg = true; break; default: break; } if(emptyMsg) { outputLen = 0; } else { outputLen = ctx->ecdhExchangePublic.length + 1; } keyExchange->contentType = SSL_RecordTypeHandshake; assert(ctx->negProtocolVersion >= SSL_Version_3_0); keyExchange->protocolVersion = ctx->negProtocolVersion; head = SSLHandshakeHeaderSize(keyExchange); if ((err = SSLAllocBuffer(&keyExchange->contents,outputLen + head))) return err; uint8_t *charPtr = SSLEncodeHandshakeHeader(ctx, keyExchange, SSL_HdskClientKeyExchange, outputLen); if(emptyMsg) { sslEcdsaDebug("+++ Sending EMPTY ECDH Client Key Exchange"); } else { /* just a 1-byte length here... */ charPtr = SSLEncodeSize(charPtr, ctx->ecdhExchangePublic.length, 1); memcpy(charPtr, ctx->ecdhExchangePublic.data, ctx->ecdhExchangePublic.length); sslEcdsaDebug("+++ Encoded ECDH Client Key Exchange"); } dumpBuf("client pub key", &ctx->ecdhExchangePublic); dumpBuf("client premaster", &ctx->preMasterSecret); return errSecSuccess; } static OSStatus SSLDecodePSKClientKeyExchange(SSLBuffer keyExchange, SSLContext *ctx) { OSStatus ortn = errSecSuccess; unsigned int identityLen; assert(ctx->protocolSide == kSSLServerSide); /* this message simply contains the client's PSK identity */ uint8_t *charPtr = keyExchange.data; identityLen = SSLDecodeInt(charPtr, 2); charPtr += 2; SSLFreeBuffer(&ctx->pskIdentity); // allow reuse via renegotiation ortn = SSLAllocBuffer(&ctx->pskIdentity, identityLen); if(ortn) { return ortn; } memmove(ctx->pskIdentity.data, charPtr, identityLen); /* TODO: At this point we know the identity of the PSK client, we should break out of the handshake, so we can select the appropriate PreShared secret. As this stands, the preshared secret needs to be known before the handshake starts. */ size_t n=ctx->pskSharedSecret.length; if(n==0) return errSSLBadConfiguration; if ((ortn = SSLAllocBuffer(&ctx->preMasterSecret, 2*(n+2))) != 0) return ortn; uint8_t *p=ctx->preMasterSecret.data; p = SSLEncodeInt(p, n, 2); memset(p, 0, n); p+=n; p = SSLEncodeInt(p, n, 2); memcpy(p, ctx->pskSharedSecret.data, n); dumpBuf("server premaster (PSK)", &ctx->preMasterSecret); return ortn; } static OSStatus SSLEncodePSKClientKeyExchange(SSLRecord *keyExchange, SSLContext *ctx) { OSStatus err; size_t outputLen; int head; assert(ctx->protocolSide == kSSLClientSide); outputLen = ctx->pskIdentity.length+2; keyExchange->contentType = SSL_RecordTypeHandshake; assert(ctx->negProtocolVersion >= SSL_Version_3_0); keyExchange->protocolVersion = ctx->negProtocolVersion; head = SSLHandshakeHeaderSize(keyExchange); if ((err = SSLAllocBuffer(&keyExchange->contents,outputLen + head))) return err; uint8_t *charPtr = SSLEncodeHandshakeHeader(ctx, keyExchange, SSL_HdskClientKeyExchange, outputLen); charPtr = SSLEncodeSize(charPtr, ctx->pskIdentity.length, 2); memcpy(charPtr, ctx->pskIdentity.data, ctx->pskIdentity.length); /* We better have a pskSharedSecret already */ size_t n=ctx->pskSharedSecret.length; if(n==0) return errSSLBadConfiguration; if ((err = SSLAllocBuffer(&ctx->preMasterSecret, 2*(n+2))) != 0) return err; uint8_t *p=ctx->preMasterSecret.data; p = SSLEncodeInt(p, n, 2); memset(p, 0, n); p+=n; p = SSLEncodeInt(p, n, 2); memcpy(p, ctx->pskSharedSecret.data, n); dumpBuf("client premaster (PSK)", &ctx->preMasterSecret); return errSecSuccess; } // MARK: - // MARK: Public Functions OSStatus SSLEncodeServerKeyExchange(SSLRecord *keyExch, SSLContext *ctx) { OSStatus err; switch (ctx->selectedCipherSpecParams.keyExchangeMethod) { case SSL_RSA: case SSL_RSA_EXPORT: #if APPLE_DH case SSL_DHE_RSA: case SSL_DHE_RSA_EXPORT: case SSL_DHE_DSS: case SSL_DHE_DSS_EXPORT: #endif /* APPLE_DH */ if ((err = SSLEncodeSignedServerKeyExchange(keyExch, ctx)) != 0) return err; break; #if APPLE_DH case SSL_DH_anon: case SSL_DH_anon_EXPORT: if ((err = SSLEncodeDHanonServerKeyExchange(keyExch, ctx)) != 0) return err; break; #endif default: return errSecUnimplemented; } return errSecSuccess; } OSStatus SSLProcessServerKeyExchange(SSLBuffer message, SSLContext *ctx) { OSStatus err; switch (ctx->selectedCipherSpecParams.keyExchangeMethod) { case SSL_RSA: case SSL_RSA_EXPORT: #if APPLE_DH case SSL_DHE_RSA: case SSL_DHE_RSA_EXPORT: case SSL_DHE_DSS: case SSL_DHE_DSS_EXPORT: #endif case SSL_ECDHE_ECDSA: case SSL_ECDHE_RSA: err = SSLDecodeSignedServerKeyExchange(message, ctx); break; #if APPLE_DH case SSL_DH_anon: case SSL_DH_anon_EXPORT: err = SSLDecodeDHanonServerKeyExchange(message, ctx); break; #endif default: err = errSecUnimplemented; break; } return err; } OSStatus SSLEncodeKeyExchange(SSLRecord *keyExchange, SSLContext *ctx) { OSStatus err; assert(ctx->protocolSide == kSSLClientSide); switch (ctx->selectedCipherSpecParams.keyExchangeMethod) { case SSL_RSA: case SSL_RSA_EXPORT: sslDebugLog("SSLEncodeKeyExchange: RSA method\n"); err = SSLEncodeRSAKeyExchange(keyExchange, ctx); break; #if APPLE_DH case SSL_DHE_RSA: case SSL_DHE_RSA_EXPORT: case SSL_DHE_DSS: case SSL_DHE_DSS_EXPORT: case SSL_DH_anon: case SSL_DH_anon_EXPORT: sslDebugLog("SSLEncodeKeyExchange: DH method\n"); err = SSLEncodeDHClientKeyExchange(keyExchange, ctx); break; #endif case SSL_ECDH_ECDSA: case SSL_ECDHE_ECDSA: case SSL_ECDH_RSA: case SSL_ECDHE_RSA: case SSL_ECDH_anon: sslDebugLog("SSLEncodeKeyExchange: ECDH method\n"); err = SSLEncodeECDHClientKeyExchange(keyExchange, ctx); break; case TLS_PSK: err = SSLEncodePSKClientKeyExchange(keyExchange, ctx); break; default: sslErrorLog("SSLEncodeKeyExchange: unknown method (%d)\n", ctx->selectedCipherSpecParams.keyExchangeMethod); err = errSecUnimplemented; } return err; } OSStatus SSLProcessKeyExchange(SSLBuffer keyExchange, SSLContext *ctx) { OSStatus err; switch (ctx->selectedCipherSpecParams.keyExchangeMethod) { case SSL_RSA: case SSL_RSA_EXPORT: if ((err = SSLDecodeRSAKeyExchange(keyExchange, ctx)) != 0) return err; break; #if APPLE_DH case SSL_DH_anon: case SSL_DHE_DSS: case SSL_DHE_DSS_EXPORT: case SSL_DHE_RSA: case SSL_DHE_RSA_EXPORT: case SSL_DH_anon_EXPORT: sslDebugLog("SSLProcessKeyExchange: processing DH key exchange (%d)\n", ctx->selectedCipherSpecParams.keyExchangeMethod); if ((err = SSLDecodeDHClientKeyExchange(keyExchange, ctx)) != 0) return err; break; #endif case TLS_PSK: if ((err = SSLDecodePSKClientKeyExchange(keyExchange, ctx)) != 0) return err; break; default: sslErrorLog("SSLProcessKeyExchange: unknown keyExchangeMethod (%d)\n", ctx->selectedCipherSpecParams.keyExchangeMethod); return errSecUnimplemented; } return errSecSuccess; } OSStatus SSLInitPendingCiphers(SSLContext *ctx) { OSStatus err; SSLBuffer key; int keyDataLen; err = errSecSuccess; key.data = 0; keyDataLen = ctx->selectedCipherSpecParams.macSize + ctx->selectedCipherSpecParams.keySize + ctx->selectedCipherSpecParams.ivSize; keyDataLen *= 2; /* two of everything */ if ((err = SSLAllocBuffer(&key, keyDataLen))) return err; assert(ctx->sslTslCalls != NULL); if ((err = ctx->sslTslCalls->generateKeyMaterial(key, ctx)) != 0) goto fail; if((err = ctx->recFuncs->initPendingCiphers(ctx->recCtx, ctx->selectedCipher, (ctx->protocolSide==kSSLServerSide), key)) != 0) goto fail; ctx->writePending_ready = 1; ctx->readPending_ready = 1; fail: SSLFreeBuffer(&key); return err; }