Skip to content

Instantly share code, notes, and snippets.

@Pharap

Pharap/sslKeyExchange.c

Created May 26, 2018 11:19
Show Gist options
  • Save Pharap/683087514b0cc94b670b6cf0cf9d5b37 to your computer and use it in GitHub Desktop.
Save Pharap/683087514b0cc94b670b6cf0cf9d5b37 to your computer and use it in GitHub Desktop.
Download ZIP
Apple's infamous goto fail; code
Raw
sslKeyExchange.c
/*
* Copyright (c) 1999-2001,2005-2012 Apple Inc. All Rights Reserved.
*
* @APPLE_LICENSE_HEADER_START@
*
* This file contains Original Code and/or Modifications of Original Code
* as defined in and that are subject to the Apple Public Source License
* Version 2.0 (the 'License'). You may not use this file except in
* compliance with the License. Please obtain a copy of the License at
* http://www.opensource.apple.com/apsl/ and read it before using this
* file.
*
* The Original Code and all software distributed under the License are
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
* Please see the License for the specific language governing rights and
* limitations under the License.
*
* @APPLE_LICENSE_HEADER_END@
*/
/*
* sslKeyExchange.c - Support for key exchange and server key exchange
*/
#include "ssl.h"
#include "sslContext.h"
#include "sslHandshake.h"
#include "sslMemory.h"
#include "sslDebug.h"
#include "sslUtils.h"
#include "sslCrypto.h"
#include "sslRand.h"
#include "sslDigests.h"
#include <assert.h>
#include <string.h>
#include <stdio.h>
#include <utilities/SecCFRelease.h>
#include <corecrypto/ccdh_gp.h>
#ifdef USE_CDSA_CRYPTO
//#include <utilities/globalizer.h>
//#include <utilities/threading.h>
#include <Security/cssmapi.h>
#include <Security/SecKeyPriv.h>
#include "ModuleAttacher.h"
#else
#include <AssertMacros.h>
#include <Security/oidsalg.h>
#if APPLE_DH
#if TARGET_OS_IPHONE
#include <Security/SecRSAKey.h>
#endif
static OSStatus SSLGenServerDHParamsAndKey(SSLContext *ctx);
static size_t SSLEncodedDHKeyParamsLen(SSLContext *ctx);
static OSStatus SSLEncodeDHKeyParams(SSLContext *ctx, uint8_t *charPtr);
#endif /* APPLE_DH */
#endif /* USE_CDSA_CRYPTO */
// MARK: -
// MARK: Forward Static Declarations
#if APPLE_DH
#if USE_CDSA_CRYPTO
static OSStatus SSLGenServerDHParamsAndKey(SSLContext *ctx);
static OSStatus SSLEncodeDHKeyParams(SSLContext *ctx, uint8_t *charPtr);
#endif
static OSStatus SSLDecodeDHKeyParams(SSLContext *ctx, uint8_t **charPtr,
size_t length);
#endif
static OSStatus SSLDecodeECDHKeyParams(SSLContext *ctx, uint8_t **charPtr,
size_t length);
#define DH_PARAM_DUMP 0
#if DH_PARAM_DUMP
static void dumpBuf(const char *name, SSLBuffer *buf)
{
printf("%s:\n", name);
uint8_t *cp = buf->data;
uint8_t *endCp = cp + buf->length;
do {
unsigned i;
for(i=0; i<16; i++) {
printf("%02x ", *cp++);
if(cp == endCp) {
break;
}
}
if(cp == endCp) {
break;
}
printf("\n");
} while(cp < endCp);
printf("\n");
}
#else
#define dumpBuf(n, b)
#endif /* DH_PARAM_DUMP */
#if APPLE_DH
// MARK: -
// MARK: Local Diffie-Hellman Parameter Generator
/*
* Process-wide server-supplied Diffie-Hellman parameters.
* This might be overridden by some API_supplied parameters
* in the future.
*/
struct ServerDhParams
{
/* these two for sending over the wire */
SSLBuffer prime;
SSLBuffer generator;
/* this one for sending to the CSP at key gen time */
SSLBuffer paramBlock;
};
#endif /* APPLE_DH */
// MARK: -
// MARK: RSA Key Exchange
/*
* Client RSA Key Exchange msgs actually start with a two-byte
* length field, contrary to the first version of RFC 2246, dated
* January 1999. See RFC 2246, March 2002, section 7.4.7.1 for
* updated requirements.
*/
#define RSA_CLIENT_KEY_ADD_LENGTH 1
static OSStatus
SSLEncodeRSAKeyParams(SSLBuffer *keyParams, SSLPubKey *key, SSLContext *ctx)
{
#if 0
SSLBuffer modulus, exponent;
uint8_t *charPtr;
#ifdef USE_CDSA_CRYPTO
if(err = attachToCsp(ctx)) {
return err;
}
/* Note currently ALL public keys are raw, obtained from the CL... */
assert((*key)->KeyHeader.BlobType == CSSM_KEYBLOB_RAW);
#endif /* USE_CDSA_CRYPTO */
err = sslGetPubKeyBits(ctx,
key,
&modulus,
&exponent);
if(err) {
SSLFreeBuffer(&modulus);
SSLFreeBuffer(&exponent);
return err;
}
if ((err = SSLAllocBuffer(keyParams,
modulus.length + exponent.length + 4, ctx)) != 0) {
return err;
}
charPtr = keyParams->data;
charPtr = SSLEncodeInt(charPtr, modulus.length, 2);
memcpy(charPtr, modulus.data, modulus.length);
charPtr += modulus.length;
charPtr = SSLEncodeInt(charPtr, exponent.length, 2);
memcpy(charPtr, exponent.data, exponent.length);
/* these were mallocd by sslGetPubKeyBits() */
SSLFreeBuffer(&modulus);
SSLFreeBuffer(&exponent);
return errSecSuccess;
#else
CFDataRef modulus = SecKeyCopyModulus(SECKEYREF(key));
if (!modulus) {
sslErrorLog("SSLEncodeRSAKeyParams: SecKeyCopyModulus failed\n");
return errSSLCrypto;
}
CFDataRef exponent = SecKeyCopyExponent(SECKEYREF(key));
if (!exponent) {
sslErrorLog("SSLEncodeRSAKeyParams: SecKeyCopyExponent failed\n");
CFRelease(modulus);
return errSSLCrypto;
}
CFIndex modulusLength = CFDataGetLength(modulus);
CFIndex exponentLength = CFDataGetLength(exponent);
sslDebugLog("SSLEncodeRSAKeyParams: modulus len=%ld, exponent len=%ld\n",
modulusLength, exponentLength);
OSStatus err;
if ((err = SSLAllocBuffer(keyParams,
modulusLength + exponentLength + 4)) != 0) {
CFReleaseSafe(exponent);
CFReleaseSafe(modulus);
return err;
}
uint8_t *charPtr = keyParams->data;
charPtr = SSLEncodeSize(charPtr, modulusLength, 2);
memcpy(charPtr, CFDataGetBytePtr(modulus), modulusLength);
charPtr += modulusLength;
charPtr = SSLEncodeSize(charPtr, exponentLength, 2);
memcpy(charPtr, CFDataGetBytePtr(exponent), exponentLength);
CFRelease(modulus);
CFRelease(exponent);
return errSecSuccess;
#endif
}
static OSStatus
SSLEncodeRSAPremasterSecret(SSLContext *ctx)
{ SSLBuffer randData;
OSStatus err;
if ((err = SSLAllocBuffer(&ctx->preMasterSecret,
SSL_RSA_PREMASTER_SECRET_SIZE)) != 0)
return err;
assert(ctx->negProtocolVersion >= SSL_Version_3_0);
SSLEncodeInt(ctx->preMasterSecret.data, ctx->clientReqProtocol, 2);
randData.data = ctx->preMasterSecret.data+2;
randData.length = SSL_RSA_PREMASTER_SECRET_SIZE - 2;
if ((err = sslRand(&randData)) != 0)
return err;
return errSecSuccess;
}
/*
* Generate a server key exchange message signed by our RSA or DSA private key.
*/
static OSStatus
SSLSignServerKeyExchangeTls12(SSLContext *ctx, SSLSignatureAndHashAlgorithm sigAlg, SSLBuffer exchangeParams, SSLBuffer signature, size_t *actSigLen)
{
OSStatus err;
SSLBuffer hashOut, hashCtx, clientRandom, serverRandom;
uint8_t hashes[SSL_MAX_DIGEST_LEN];
SSLBuffer signedHashes;
uint8_t *dataToSign;
size_t dataToSignLen;
const HashReference *hashRef;
SecAsn1AlgId algId;
signedHashes.data = 0;
hashCtx.data = 0;
clientRandom.data = ctx->clientRandom;
clientRandom.length = SSL_CLIENT_SRVR_RAND_SIZE;
serverRandom.data = ctx->serverRandom;
serverRandom.length = SSL_CLIENT_SRVR_RAND_SIZE;
switch (sigAlg.hash) {
case SSL_HashAlgorithmSHA1:
hashRef = &SSLHashSHA1;
algId.algorithm = CSSMOID_SHA1WithRSA;
break;
case SSL_HashAlgorithmSHA256:
hashRef = &SSLHashSHA256;
algId.algorithm = CSSMOID_SHA256WithRSA;
break;
case SSL_HashAlgorithmSHA384:
hashRef = &SSLHashSHA384;
algId.algorithm = CSSMOID_SHA384WithRSA;
break;
default:
sslErrorLog("SSLVerifySignedServerKeyExchangeTls12: unsupported hash %d\n", sigAlg.hash);
return errSSLProtocol;
}
dataToSign = hashes;
dataToSignLen = hashRef->digestSize;
hashOut.data = hashes;
hashOut.length = hashRef->digestSize;
if ((err = ReadyHash(hashRef, &hashCtx)) != 0)
goto fail;
if ((err = hashRef->update(&hashCtx, &clientRandom)) != 0)
goto fail;
if ((err = hashRef->update(&hashCtx, &serverRandom)) != 0)
goto fail;
if ((err = hashRef->update(&hashCtx, &exchangeParams)) != 0)
goto fail;
if ((err = hashRef->final(&hashCtx, &hashOut)) != 0)
goto fail;
if(sigAlg.signature==SSL_SignatureAlgorithmRSA) {
err = sslRsaSign(ctx,
ctx->signingPrivKeyRef,
&algId,
dataToSign,
dataToSignLen,
signature.data,
signature.length,
actSigLen);
} else {
err = sslRawSign(ctx,
ctx->signingPrivKeyRef,
dataToSign, // one or two hashes
dataToSignLen,
signature.data,
signature.length,
actSigLen);
}
if(err) {
sslErrorLog("SSLDecodeSignedServerKeyExchangeTls12: sslRawVerify "
"returned %d\n", (int)err);
goto fail;
}
fail:
SSLFreeBuffer(&signedHashes);
SSLFreeBuffer(&hashCtx);
return err;
}
static OSStatus
SSLSignServerKeyExchange(SSLContext *ctx, bool isRsa, SSLBuffer exchangeParams, SSLBuffer signature, size_t *actSigLen)
{
OSStatus err;
uint8_t hashes[SSL_SHA1_DIGEST_LEN + SSL_MD5_DIGEST_LEN];
SSLBuffer clientRandom,serverRandom,hashCtx, hash;
uint8_t *dataToSign;
size_t dataToSignLen;
hashCtx.data = 0;
/* cook up hash(es) for raw sign */
clientRandom.data = ctx->clientRandom;
clientRandom.length = SSL_CLIENT_SRVR_RAND_SIZE;
serverRandom.data = ctx->serverRandom;
serverRandom.length = SSL_CLIENT_SRVR_RAND_SIZE;
if(isRsa) {
/* skip this if signing with DSA */
dataToSign = hashes;
dataToSignLen = SSL_SHA1_DIGEST_LEN + SSL_MD5_DIGEST_LEN;
hash.data = &hashes[0];
hash.length = SSL_MD5_DIGEST_LEN;
if ((err = ReadyHash(&SSLHashMD5, &hashCtx)) != 0)
goto fail;
if ((err = SSLHashMD5.update(&hashCtx, &clientRandom)) != 0)
goto fail;
if ((err = SSLHashMD5.update(&hashCtx, &serverRandom)) != 0)
goto fail;
if ((err = SSLHashMD5.update(&hashCtx, &exchangeParams)) != 0)
goto fail;
if ((err = SSLHashMD5.final(&hashCtx, &hash)) != 0)
goto fail;
if ((err = SSLFreeBuffer(&hashCtx)) != 0)
goto fail;
}
else {
/* DSA - just use the SHA1 hash */
dataToSign = &hashes[SSL_MD5_DIGEST_LEN];
dataToSignLen = SSL_SHA1_DIGEST_LEN;
}
hash.data = &hashes[SSL_MD5_DIGEST_LEN];
hash.length = SSL_SHA1_DIGEST_LEN;
if ((err = ReadyHash(&SSLHashSHA1, &hashCtx)) != 0)
goto fail;
if ((err = SSLHashSHA1.update(&hashCtx, &clientRandom)) != 0)
goto fail;
if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0)
goto fail;
if ((err = SSLHashSHA1.update(&hashCtx, &exchangeParams)) != 0)
goto fail;
if ((err = SSLHashSHA1.final(&hashCtx, &hash)) != 0)
goto fail;
if ((err = SSLFreeBuffer(&hashCtx)) != 0)
goto fail;
err = sslRawSign(ctx,
ctx->signingPrivKeyRef,
dataToSign, // one or two hashes
dataToSignLen,
signature.data,
signature.length,
actSigLen);
if(err) {
goto fail;
}
fail:
SSLFreeBuffer(&hashCtx);
return err;
}
static
OSStatus FindSigAlg(SSLContext *ctx,
SSLSignatureAndHashAlgorithm *alg)
{
unsigned i;
assert(ctx->protocolSide == kSSLServerSide);
assert(ctx->negProtocolVersion >= TLS_Version_1_2);
assert(!ctx->isDTLS);
if((ctx->numClientSigAlgs==0) ||(ctx->clientSigAlgs==NULL))
return errSSLInternal;
//FIXME: Need a better way to select here
for(i=0; i<ctx->numClientSigAlgs; i++) {
alg->hash = ctx->clientSigAlgs[i].hash;
alg->signature = ctx->clientSigAlgs[i].signature;
//We only support RSA for certs on the server side - but we should test against the cert type
if(ctx->clientSigAlgs[i].signature != SSL_SignatureAlgorithmRSA)
continue;
//Let's only support SHA1 and SHA256. SHA384 does not work with 512 bits keys.
// We should actually test against what the cert can do.
if((alg->hash==SSL_HashAlgorithmSHA1) || (alg->hash==SSL_HashAlgorithmSHA256)) {
return errSecSuccess;
}
}
// We could not find a supported signature and hash algorithm
return errSSLProtocol;
}
static OSStatus
SSLEncodeSignedServerKeyExchange(SSLRecord *keyExch, SSLContext *ctx)
{ OSStatus err;
uint8_t *charPtr;
size_t outputLen;
bool isRsa = true;
size_t maxSigLen;
size_t actSigLen;
SSLBuffer signature;
int head = 4;
SSLBuffer exchangeParams;
assert(ctx->protocolSide == kSSLServerSide);
assert(ctx->signingPubKey != NULL);
assert(ctx->negProtocolVersion >= SSL_Version_3_0);
exchangeParams.data = 0;
signature.data = 0;
#if ENABLE_DTLS
if(ctx->negProtocolVersion == DTLS_Version_1_0) {
head+=8;
}
#endif
/* Set up parameter block to hash ==> exchangeParams */
switch(ctx->selectedCipherSpecParams.keyExchangeMethod) {
case SSL_RSA:
case SSL_RSA_EXPORT:
/*
* Parameter block = encryption public key.
* If app hasn't supplied a separate encryption cert, abort.
*/
if(ctx->encryptPubKey == NULL) {
sslErrorLog("RSAServerKeyExchange: no encrypt cert\n");
return errSSLBadConfiguration;
}
err = SSLEncodeRSAKeyParams(&exchangeParams,
ctx->encryptPubKey, ctx);
break;
#if APPLE_DH
case SSL_DHE_DSS:
case SSL_DHE_DSS_EXPORT:
isRsa = false;
/* and fall through */
case SSL_DHE_RSA:
case SSL_DHE_RSA_EXPORT:
{
/*
* Parameter block = {prime, generator, public key}
* Obtain D-H parameters (if we don't have them) and a key pair.
*/
err = SSLGenServerDHParamsAndKey(ctx);
if(err) {
return err;
}
size_t len = SSLEncodedDHKeyParamsLen(ctx);
err = SSLAllocBuffer(&exchangeParams, len);
if(err) {
goto fail;
}
err = SSLEncodeDHKeyParams(ctx, exchangeParams.data);
break;
}
#endif /* APPLE_DH */
default:
/* shouldn't be here */
assert(0);
return errSSLInternal;
}
SSLSignatureAndHashAlgorithm sigAlg;
/* preallocate a buffer for signing */
err = sslGetMaxSigSize(ctx->signingPrivKeyRef, &maxSigLen);
if(err) {
goto fail;
}
err = SSLAllocBuffer(&signature, maxSigLen);
if(err) {
goto fail;
}
outputLen = exchangeParams.length + 2;
if (sslVersionIsLikeTls12(ctx))
{
err=FindSigAlg(ctx, &sigAlg);
if(err)
goto fail;
outputLen += 2;
err = SSLSignServerKeyExchangeTls12(ctx, sigAlg, exchangeParams,
signature, &actSigLen);
} else {
err = SSLSignServerKeyExchange(ctx, isRsa, exchangeParams,
signature, &actSigLen);
}
if(err)
goto fail;
assert(actSigLen <= maxSigLen);
outputLen += actSigLen;
/* package it all up */
keyExch->protocolVersion = ctx->negProtocolVersion;
keyExch->contentType = SSL_RecordTypeHandshake;
if ((err = SSLAllocBuffer(&keyExch->contents, outputLen+head)) != 0)
goto fail;
charPtr = SSLEncodeHandshakeHeader(ctx, keyExch, SSL_HdskServerKeyExchange, outputLen);
memcpy(charPtr, exchangeParams.data, exchangeParams.length);
charPtr += exchangeParams.length;
if (sslVersionIsLikeTls12(ctx))
{
*charPtr++=sigAlg.hash;
*charPtr++=sigAlg.signature;
}
charPtr = SSLEncodeInt(charPtr, actSigLen, 2);
memcpy(charPtr, signature.data, actSigLen);
assert((charPtr + actSigLen) ==
(keyExch->contents.data + keyExch->contents.length));
err = errSecSuccess;
fail:
SSLFreeBuffer(&exchangeParams);
SSLFreeBuffer(&signature);
return err;
}
static OSStatus
SSLVerifySignedServerKeyExchange(SSLContext *ctx, bool isRsa, SSLBuffer signedParams,
uint8_t *signature, UInt16 signatureLen)
{
OSStatus err;
SSLBuffer hashOut, hashCtx, clientRandom, serverRandom;
uint8_t hashes[SSL_SHA1_DIGEST_LEN + SSL_MD5_DIGEST_LEN];
SSLBuffer signedHashes;
uint8_t *dataToSign;
size_t dataToSignLen;
signedHashes.data = 0;
hashCtx.data = 0;
clientRandom.data = ctx->clientRandom;
clientRandom.length = SSL_CLIENT_SRVR_RAND_SIZE;
serverRandom.data = ctx->serverRandom;
serverRandom.length = SSL_CLIENT_SRVR_RAND_SIZE;
if(isRsa) {
/* skip this if signing with DSA */
dataToSign = hashes;
dataToSignLen = SSL_SHA1_DIGEST_LEN + SSL_MD5_DIGEST_LEN;
hashOut.data = hashes;
hashOut.length = SSL_MD5_DIGEST_LEN;
if ((err = ReadyHash(&SSLHashMD5, &hashCtx)) != 0)
goto fail;
if ((err = SSLHashMD5.update(&hashCtx, &clientRandom)) != 0)
goto fail;
if ((err = SSLHashMD5.update(&hashCtx, &serverRandom)) != 0)
goto fail;
if ((err = SSLHashMD5.update(&hashCtx, &signedParams)) != 0)
goto fail;
if ((err = SSLHashMD5.final(&hashCtx, &hashOut)) != 0)
goto fail;
}
else {
/* DSA, ECDSA - just use the SHA1 hash */
dataToSign = &hashes[SSL_MD5_DIGEST_LEN];
dataToSignLen = SSL_SHA1_DIGEST_LEN;
}
hashOut.data = hashes + SSL_MD5_DIGEST_LEN;
hashOut.length = SSL_SHA1_DIGEST_LEN;
if ((err = SSLFreeBuffer(&hashCtx)) != 0)
goto fail;
if ((err = ReadyHash(&SSLHashSHA1, &hashCtx)) != 0)
goto fail;
if ((err = SSLHashSHA1.update(&hashCtx, &clientRandom)) != 0)
goto fail;
if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0)
goto fail;
if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0)
goto fail;
goto fail;
if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0)
goto fail;
err = sslRawVerify(ctx,
ctx->peerPubKey,
dataToSign, /* plaintext */
dataToSignLen, /* plaintext length */
signature,
signatureLen);
if(err) {
sslErrorLog("SSLDecodeSignedServerKeyExchange: sslRawVerify "
"returned %d\n", (int)err);
goto fail;
}
fail:
SSLFreeBuffer(&signedHashes);
SSLFreeBuffer(&hashCtx);
return err;
}
static OSStatus
SSLVerifySignedServerKeyExchangeTls12(SSLContext *ctx, SSLSignatureAndHashAlgorithm sigAlg, SSLBuffer signedParams,
uint8_t *signature, UInt16 signatureLen)
{
OSStatus err;
SSLBuffer hashOut, hashCtx, clientRandom, serverRandom;
uint8_t hashes[SSL_MAX_DIGEST_LEN];
SSLBuffer signedHashes;
uint8_t *dataToSign;
size_t dataToSignLen;
const HashReference *hashRef;
SecAsn1AlgId algId;
signedHashes.data = 0;
hashCtx.data = 0;
clientRandom.data = ctx->clientRandom;
clientRandom.length = SSL_CLIENT_SRVR_RAND_SIZE;
serverRandom.data = ctx->serverRandom;
serverRandom.length = SSL_CLIENT_SRVR_RAND_SIZE;
switch (sigAlg.hash) {
case SSL_HashAlgorithmSHA1:
hashRef = &SSLHashSHA1;
algId.algorithm = CSSMOID_SHA1WithRSA;
break;
case SSL_HashAlgorithmSHA256:
hashRef = &SSLHashSHA256;
algId.algorithm = CSSMOID_SHA256WithRSA;
break;
case SSL_HashAlgorithmSHA384:
hashRef = &SSLHashSHA384;
algId.algorithm = CSSMOID_SHA384WithRSA;
break;
default:
sslErrorLog("SSLVerifySignedServerKeyExchangeTls12: unsupported hash %d\n", sigAlg.hash);
return errSSLProtocol;
}
dataToSign = hashes;
dataToSignLen = hashRef->digestSize;
hashOut.data = hashes;
hashOut.length = hashRef->digestSize;
if ((err = ReadyHash(hashRef, &hashCtx)) != 0)
goto fail;
if ((err = hashRef->update(&hashCtx, &clientRandom)) != 0)
goto fail;
if ((err = hashRef->update(&hashCtx, &serverRandom)) != 0)
goto fail;
if ((err = hashRef->update(&hashCtx, &signedParams)) != 0)
goto fail;
if ((err = hashRef->final(&hashCtx, &hashOut)) != 0)
goto fail;
if(sigAlg.signature==SSL_SignatureAlgorithmRSA) {
err = sslRsaVerify(ctx,
ctx->peerPubKey,
&algId,
dataToSign,
dataToSignLen,
signature,
signatureLen);
} else {
err = sslRawVerify(ctx,
ctx->peerPubKey,
dataToSign, /* plaintext */
dataToSignLen, /* plaintext length */
signature,
signatureLen);
}
if(err) {
sslErrorLog("SSLDecodeSignedServerKeyExchangeTls12: sslRawVerify "
"returned %d\n", (int)err);
goto fail;
}
fail:
SSLFreeBuffer(&signedHashes);
SSLFreeBuffer(&hashCtx);
return err;
}
/*
* Decode and verify a server key exchange message signed by server's
* public key.
*/
static OSStatus
SSLDecodeSignedServerKeyExchange(SSLBuffer message, SSLContext *ctx)
{
OSStatus err;
UInt16 modulusLen = 0, exponentLen = 0, signatureLen;
uint8_t *modulus = NULL, *exponent = NULL, *signature;
bool isRsa = true;
assert(ctx->protocolSide == kSSLClientSide);
if (message.length < 2) {
sslErrorLog("SSLDecodeSignedServerKeyExchange: msg len error 1\n");
return errSSLProtocol;
}
/* first extract the key-exchange-method-specific parameters */
uint8_t *charPtr = message.data;
uint8_t *endCp = charPtr + message.length;
switch(ctx->selectedCipherSpecParams.keyExchangeMethod) {
case SSL_RSA:
case SSL_RSA_EXPORT:
modulusLen = SSLDecodeInt(charPtr, 2);
charPtr += 2;
if((charPtr + modulusLen) > endCp) {
sslErrorLog("signedServerKeyExchange: msg len error 2\n");
return errSSLProtocol;
}
modulus = charPtr;
charPtr += modulusLen;
exponentLen = SSLDecodeInt(charPtr, 2);
charPtr += 2;
if((charPtr + exponentLen) > endCp) {
sslErrorLog("signedServerKeyExchange: msg len error 3\n");
return errSSLProtocol;
}
exponent = charPtr;
charPtr += exponentLen;
break;
#if APPLE_DH
case SSL_DHE_DSS:
case SSL_DHE_DSS_EXPORT:
isRsa = false;
/* and fall through */
case SSL_DHE_RSA:
case SSL_DHE_RSA_EXPORT:
err = SSLDecodeDHKeyParams(ctx, &charPtr, message.length);
if(err) {
return err;
}
break;
#endif /* APPLE_DH */
case SSL_ECDHE_ECDSA:
isRsa = false;
/* and fall through */
case SSL_ECDHE_RSA:
err = SSLDecodeECDHKeyParams(ctx, &charPtr, message.length);
if(err) {
return err;
}
break;
default:
assert(0);
return errSSLInternal;
}
/* this is what's hashed */
SSLBuffer signedParams;
signedParams.data = message.data;
signedParams.length = charPtr - message.data;
SSLSignatureAndHashAlgorithm sigAlg;
if (sslVersionIsLikeTls12(ctx)) {
/* Parse the algorithm field added in TLS1.2 */
if((charPtr + 2) > endCp) {
sslErrorLog("signedServerKeyExchange: msg len error 499\n");
return errSSLProtocol;
}
sigAlg.hash = *charPtr++;
sigAlg.signature = *charPtr++;
}
signatureLen = SSLDecodeInt(charPtr, 2);
charPtr += 2;
if((charPtr + signatureLen) != endCp) {
sslErrorLog("signedServerKeyExchange: msg len error 4\n");
return errSSLProtocol;
}
signature = charPtr;
if (sslVersionIsLikeTls12(ctx))
{
err = SSLVerifySignedServerKeyExchangeTls12(ctx, sigAlg, signedParams,
signature, signatureLen);
} else {
err = SSLVerifySignedServerKeyExchange(ctx, isRsa, signedParams,
signature, signatureLen);
}
if(err)
goto fail;
/* Signature matches; now replace server key with new key (RSA only) */
switch(ctx->selectedCipherSpecParams.keyExchangeMethod) {
case SSL_RSA:
case SSL_RSA_EXPORT:
{
SSLBuffer modBuf;
SSLBuffer expBuf;
/* first free existing peerKey */
sslFreePubKey(&ctx->peerPubKey); /* no KCItem */
/* and cook up a new one from raw bits */
modBuf.data = modulus;
modBuf.length = modulusLen;
expBuf.data = exponent;
expBuf.length = exponentLen;
err = sslGetPubKeyFromBits(ctx,
&modBuf,
&expBuf,
&ctx->peerPubKey);
break;
}
case SSL_DHE_RSA:
case SSL_DHE_RSA_EXPORT:
case SSL_DHE_DSS:
case SSL_DHE_DSS_EXPORT:
case SSL_ECDHE_ECDSA:
case SSL_ECDHE_RSA:
break; /* handled above */
default:
assert(0);
}
fail:
return err;
}
static OSStatus
SSLDecodeRSAKeyExchange(SSLBuffer keyExchange, SSLContext *ctx)
{ OSStatus err;
size_t outputLen, localKeyModulusLen;
SSLProtocolVersion version;
Boolean useEncryptKey = false;
uint8_t *src = NULL;
SSLPrivKey *keyRef = NULL;
assert(ctx->protocolSide == kSSLServerSide);
if (ctx->encryptPrivKeyRef) {
useEncryptKey = true;
}
if (useEncryptKey) {
keyRef = ctx->encryptPrivKeyRef;
/* FIXME: when 3420180 is implemented, pick appropriate creds here */
}
else {
keyRef = ctx->signingPrivKeyRef;
/* FIXME: when 3420180 is implemented, pick appropriate creds here */
}
localKeyModulusLen = sslPrivKeyLengthInBytes(keyRef);
if (localKeyModulusLen == 0) {
sslErrorLog("SSLDecodeRSAKeyExchange: private key modulus is 0\n");
return errSSLCrypto;
}
/*
* We have to tolerate incoming key exchange msgs with and without the
* two-byte "encrypted length" field.
*/
if (keyExchange.length == localKeyModulusLen) {
/* no length encoded */
src = keyExchange.data;
}
else if((keyExchange.length == (localKeyModulusLen + 2)) &&
(ctx->negProtocolVersion >= TLS_Version_1_0)) {
/* TLS only - skip the length bytes */
src = keyExchange.data + 2;
}
else {
sslErrorLog("SSLDecodeRSAKeyExchange: length error (exp %u got %u)\n",
(unsigned)localKeyModulusLen, (unsigned)keyExchange.length);
return errSSLProtocol;
}
err = SSLAllocBuffer(&ctx->preMasterSecret, SSL_RSA_PREMASTER_SECRET_SIZE);
if(err != 0) {
return err;
}
/*
* From this point on, to defend against the Bleichenbacher attack
* and its Klima-Pokorny-Rosa variant, any errors we detect are *not*
* reported to the caller or the peer. If we detect any error during
* decryption (e.g., bad PKCS1 padding) or in the testing of the version
* number in the premaster secret, we proceed by generating a random
* premaster secret, with the correct version number, and tell our caller
* that everything is fine. This session will fail as soon as the
* finished messages are sent, since we will be using a bogus premaster
* secret (and hence bogus session and MAC keys). Meanwhile we have
* not provided any side channel information relating to the cause of
* the failure.
*
* See http://eprint.iacr.org/2003/052/ for more info.
*/
err = sslRsaDecrypt(ctx,
keyRef,
#if USE_CDSA_CRYPTO
CSSM_PADDING_PKCS1,
#else
kSecPaddingPKCS1,
#endif
src,
localKeyModulusLen, // ciphertext len
ctx->preMasterSecret.data,
SSL_RSA_PREMASTER_SECRET_SIZE, // plaintext buf available
&outputLen);
if(err != errSecSuccess) {
/* possible Bleichenbacher attack */
sslLogNegotiateDebug("SSLDecodeRSAKeyExchange: RSA decrypt fail");
}
else if(outputLen != SSL_RSA_PREMASTER_SECRET_SIZE) {
sslLogNegotiateDebug("SSLDecodeRSAKeyExchange: premaster secret size error");
err = errSSLProtocol; // not passed back to caller
}
if(err == errSecSuccess) {
/*
* Two legal values here - the one we actually negotiated (which is
* technically incorrect but not uncommon), and the one the client
* sent as its preferred version in the client hello msg.
*/
version = (SSLProtocolVersion)SSLDecodeInt(ctx->preMasterSecret.data, 2);
if((version != ctx->negProtocolVersion) &&
(version != ctx->clientReqProtocol)) {
/* possible Klima-Pokorny-Rosa attack */
sslLogNegotiateDebug("SSLDecodeRSAKeyExchange: version error");
err = errSSLProtocol;
}
}
if(err != errSecSuccess) {
/*
* Obfuscate failures for defense against Bleichenbacher and
* Klima-Pokorny-Rosa attacks.
*/
SSLEncodeInt(ctx->preMasterSecret.data, ctx->negProtocolVersion, 2);
SSLBuffer tmpBuf;
tmpBuf.data = ctx->preMasterSecret.data + 2;
tmpBuf.length = SSL_RSA_PREMASTER_SECRET_SIZE - 2;
/* must ignore failures here */
sslRand(&tmpBuf);
}
/* in any case, save premaster secret (good or bogus) and proceed */
return errSecSuccess;
}
static OSStatus
SSLEncodeRSAKeyExchange(SSLRecord *keyExchange, SSLContext *ctx)
{ OSStatus err;
size_t outputLen, peerKeyModulusLen;
size_t bufLen;
uint8_t *dst;
bool encodeLen = false;
uint8_t *p;
int head;
size_t msglen;
assert(ctx->protocolSide == kSSLClientSide);
if ((err = SSLEncodeRSAPremasterSecret(ctx)) != 0)
return err;
keyExchange->contentType = SSL_RecordTypeHandshake;
assert(ctx->negProtocolVersion >= SSL_Version_3_0);
keyExchange->protocolVersion = ctx->negProtocolVersion;
peerKeyModulusLen = sslPubKeyLengthInBytes(ctx->peerPubKey);
if (peerKeyModulusLen == 0) {
sslErrorLog("SSLEncodeRSAKeyExchange: peer key modulus is 0\n");
/* FIXME: we don't return an error here... is this condition ever expected? */
}
#if SSL_DEBUG
sslDebugLog("SSLEncodeRSAKeyExchange: peer key modulus length = %lu\n", peerKeyModulusLen);
#endif
msglen = peerKeyModulusLen;
#if RSA_CLIENT_KEY_ADD_LENGTH
if(ctx->negProtocolVersion >= TLS_Version_1_0) {
msglen += 2;
encodeLen = true;
}
#endif
head = SSLHandshakeHeaderSize(keyExchange);
bufLen = msglen + head;
if ((err = SSLAllocBuffer(&keyExchange->contents,
bufLen)) != 0)
{
return err;
}
dst = keyExchange->contents.data + head;
if(encodeLen) {
dst += 2;
}
/* FIXME: can this line be removed? */
p = keyExchange->contents.data;
p = SSLEncodeHandshakeHeader(ctx, keyExchange, SSL_HdskClientKeyExchange, msglen);
if(encodeLen) {
/* the length of the encrypted pre_master_secret */
SSLEncodeSize(keyExchange->contents.data + head,
peerKeyModulusLen, 2);
}
err = sslRsaEncrypt(ctx,
ctx->peerPubKey,
#if USE_CDSA_CRYPTO
CSSM_PADDING_PKCS1,
#else
kSecPaddingPKCS1,
#endif
ctx->preMasterSecret.data,
SSL_RSA_PREMASTER_SECRET_SIZE,
dst,
peerKeyModulusLen,
&outputLen);
if(err) {
sslErrorLog("SSLEncodeRSAKeyExchange: error %d\n", (int)err);
return err;
}
assert(outputLen == (encodeLen ? msglen - 2 : msglen));
return errSecSuccess;
}
#if APPLE_DH
// MARK: -
// MARK: Diffie-Hellman Key Exchange
/*
* Diffie-Hellman setup, server side. On successful return, the
* following SSLContext members are valid:
*
* dhParamsPrime
* dhParamsGenerator
* dhPrivate
* dhExchangePublic
*/
static OSStatus
SSLGenServerDHParamsAndKey(
SSLContext *ctx)
{
OSStatus ortn;
assert(ctx->protocolSide == kSSLServerSide);
/*
* Obtain D-H parameters if we don't have them.
*/
if(ctx->dhParamsEncoded.data == NULL) {
/* TODO: Pick appropriate group based on cipher suite */
ccdh_const_gp_t gp = ccdh_gp_rfc5114_MODP_2048_256();
cc_size n = ccdh_gp_n(gp);
size_t s = ccdh_gp_prime_size(gp);
uint8_t p[s];
uint8_t g[s];
ccn_write_uint(n, ccdh_gp_prime(gp), s, p);
ccn_write_uint(n, ccdh_gp_g(gp), s, g);
const SSLBuffer prime = {
.data = p,
.length = s,
};
const SSLBuffer generator = {
.data = g,
.length = s,
};
ortn=sslEncodeDhParams(&ctx->dhParamsEncoded, /* data mallocd and RETURNED PKCS-3 encoded */
&prime, /* Wire format */
&generator); /* Wire format */
if(ortn)
return ortn;
}
#if USE_CDSA_CRYPTO
/* generate per-session D-H key pair */
sslFreeKey(ctx->cspHand, &ctx->dhPrivate, NULL);
SSLFreeBuffer(&ctx->dhExchangePublic);
ctx->dhPrivate = (CSSM_KEY *)sslMalloc(sizeof(CSSM_KEY));
CSSM_KEY pubKey;
ortn = sslDhGenerateKeyPair(ctx,
&ctx->dhParamsEncoded,
ctx->dhParamsPrime.length * 8,
&pubKey, ctx->dhPrivate);
if(ortn) {
return ortn;
}
CSSM_TO_SSLBUF(&pubKey.KeyData, &ctx->dhExchangePublic);
#else
if (!ctx->secDHContext) {
ortn = sslDhCreateKey(ctx);
if(ortn)
return ortn;
}
return sslDhGenerateKeyPair(ctx);
#endif
return errSecSuccess;
}
/*
* size of DH param and public key, in wire format
*/
static size_t
SSLEncodedDHKeyParamsLen(SSLContext *ctx)
{
SSLBuffer prime;
SSLBuffer generator;
sslDecodeDhParams(&ctx->dhParamsEncoded, &prime, &generator);
return (2+prime.length+2+generator.length+2+ctx->dhExchangePublic.length);
}
/*
* Encode DH params and public key, in wire format, in caller-supplied buffer.
*/
static OSStatus
SSLEncodeDHKeyParams(
SSLContext *ctx,
uint8_t *charPtr)
{
assert(ctx->protocolSide == kSSLServerSide);
assert(ctx->dhParamsEncoded.data != NULL);
assert(ctx->dhExchangePublic.data != NULL);
SSLBuffer prime;
SSLBuffer generator;
sslDecodeDhParams(&ctx->dhParamsEncoded, &prime, &generator);
charPtr = SSLEncodeInt(charPtr, prime.length, 2);
memcpy(charPtr, prime.data, prime.length);
charPtr += prime.length;
charPtr = SSLEncodeInt(charPtr, generator.length, 2);
memcpy(charPtr, generator.data,
generator.length);
charPtr += generator.length;
/* TODO: hum.... sounds like this one should be in the SecDHContext */
charPtr = SSLEncodeInt(charPtr, ctx->dhExchangePublic.length, 2);
memcpy(charPtr, ctx->dhExchangePublic.data,
ctx->dhExchangePublic.length);
dumpBuf("server prime", &prime);
dumpBuf("server generator", &generator);
dumpBuf("server pub key", &ctx->dhExchangePublic);
return errSecSuccess;
}
/*
* Decode DH params and server public key.
*/
static OSStatus
SSLDecodeDHKeyParams(
SSLContext *ctx,
uint8_t **charPtr, // IN/OUT
size_t length)
{
OSStatus err = errSecSuccess;
SSLBuffer prime;
SSLBuffer generator;
assert(ctx->protocolSide == kSSLClientSide);
uint8_t *endCp = *charPtr + length;
/* Allow reuse via renegotiation */
SSLFreeBuffer(&ctx->dhPeerPublic);
/* Prime, with a two-byte length */
UInt32 len = SSLDecodeInt(*charPtr, 2);
(*charPtr) += 2;
if((*charPtr + len) > endCp) {
return errSSLProtocol;
}
prime.data = *charPtr;
prime.length = len;
(*charPtr) += len;
/* Generator, with a two-byte length */
len = SSLDecodeInt(*charPtr, 2);
(*charPtr) += 2;
if((*charPtr + len) > endCp) {
return errSSLProtocol;
}
generator.data = *charPtr;
generator.length = len;
(*charPtr) += len;
sslEncodeDhParams(&ctx->dhParamsEncoded, &prime, &generator);
/* peer public key, with a two-byte length */
len = SSLDecodeInt(*charPtr, 2);
(*charPtr) += 2;
err = SSLAllocBuffer(&ctx->dhPeerPublic, len);
if(err) {
return err;
}
memmove(ctx->dhPeerPublic.data, *charPtr, len);
(*charPtr) += len;
dumpBuf("client peer pub", &ctx->dhPeerPublic);
// dumpBuf("client prime", &ctx->dhParamsPrime);
// dumpBuf("client generator", &ctx->dhParamsGenerator);
return err;
}
/*
* Given the server's Diffie-Hellman parameters, generate our
* own DH key pair, and perform key exchange using the server's
* public key and our private key. The result is the premaster
* secret.
*
* SSLContext members valid on entry:
* dhParamsPrime
* dhParamsGenerator
* dhPeerPublic
*
* SSLContext members valid on successful return:
* dhPrivate
* dhExchangePublic
* preMasterSecret
*/
static OSStatus
SSLGenClientDHKeyAndExchange(SSLContext *ctx)
{
OSStatus ortn;
#if USE_CDSA_CRYPTO
if((ctx->dhParamsPrime.data == NULL) ||
(ctx->dhParamsGenerator.data == NULL) ||
(ctx->dhPeerPublic.data == NULL)) {
sslErrorLog("SSLGenClientDHKeyAndExchange: incomplete server params\n");
return errSSLProtocol;
}
/* generate two keys */
CSSM_KEY pubKey;
ctx->dhPrivate = (CSSM_KEY *)sslMalloc(sizeof(CSSM_KEY));
ortn = sslDhGenKeyPairClient(ctx,
&ctx->dhParamsPrime,
&ctx->dhParamsGenerator,
&pubKey, ctx->dhPrivate);
if(ortn) {
sslFree(ctx->dhPrivate);
ctx->dhPrivate = NULL;
return ortn;
}
/* do the exchange, size of prime */
ortn = sslDhKeyExchange(ctx, ctx->dhParamsPrime.length * 8,
&ctx->preMasterSecret);
if(ortn) {
return ortn;
}
CSSM_TO_SSLBUF(&pubKey.KeyData, &ctx->dhExchangePublic);
#else
ortn=errSSLProtocol;
require(ctx->dhParamsEncoded.data, out);
require_noerr(ortn = sslDhCreateKey(ctx), out);
require_noerr(ortn = sslDhGenerateKeyPair(ctx), out);
require_noerr(ortn = sslDhKeyExchange(ctx), out);
out:
#endif
return ortn;
}
static OSStatus
SSLEncodeDHanonServerKeyExchange(SSLRecord *keyExch, SSLContext *ctx)
{
OSStatus ortn = errSecSuccess;
int head;
assert(ctx->negProtocolVersion >= SSL_Version_3_0);
assert(ctx->protocolSide == kSSLServerSide);
/*
* Obtain D-H parameters (if we don't have them) and a key pair.
*/
ortn = SSLGenServerDHParamsAndKey(ctx);
if(ortn) {
return ortn;
}
size_t length = SSLEncodedDHKeyParamsLen(ctx);
keyExch->protocolVersion = ctx->negProtocolVersion;
keyExch->contentType = SSL_RecordTypeHandshake;
head = SSLHandshakeHeaderSize(keyExch);
if ((ortn = SSLAllocBuffer(&keyExch->contents, length+head)))
return ortn;
uint8_t *charPtr = SSLEncodeHandshakeHeader(ctx, keyExch, SSL_HdskServerKeyExchange, length);
/* encode prime, generator, our public key */
return SSLEncodeDHKeyParams(ctx, charPtr);
}
static OSStatus
SSLDecodeDHanonServerKeyExchange(SSLBuffer message, SSLContext *ctx)
{
OSStatus err = errSecSuccess;
assert(ctx->protocolSide == kSSLClientSide);
if (message.length < 6) {
sslErrorLog("SSLDecodeDHanonServerKeyExchange error: msg len %u\n",
(unsigned)message.length);
return errSSLProtocol;
}
uint8_t *charPtr = message.data;
err = SSLDecodeDHKeyParams(ctx, &charPtr, message.length);
if(err == errSecSuccess) {
if((message.data + message.length) != charPtr) {
err = errSSLProtocol;
}
}
return err;
}
static OSStatus
SSLDecodeDHClientKeyExchange(SSLBuffer keyExchange, SSLContext *ctx)
{
OSStatus ortn = errSecSuccess;
unsigned int publicLen;
assert(ctx->protocolSide == kSSLServerSide);
if(ctx->dhParamsEncoded.data == NULL) {
/* should never happen */
assert(0);
return errSSLInternal;
}
/* this message simply contains the client's public DH key */
uint8_t *charPtr = keyExchange.data;
publicLen = SSLDecodeInt(charPtr, 2);
charPtr += 2;
/* TODO : Check the len here ? Will fail in sslDhKeyExchange anyway */
/*
if((keyExchange.length != publicLen + 2) ||
(publicLen > ctx->dhParamsPrime.length)) {
return errSSLProtocol;
}
*/
SSLFreeBuffer(&ctx->dhPeerPublic); // allow reuse via renegotiation
ortn = SSLAllocBuffer(&ctx->dhPeerPublic, publicLen);
if(ortn) {
return ortn;
}
memmove(ctx->dhPeerPublic.data, charPtr, publicLen);
/* DH Key exchange, result --> premaster secret */
SSLFreeBuffer(&ctx->preMasterSecret);
#if USE_CDSA_CRYPTO
ortn = sslDhKeyExchange(ctx, ctx->dhParamsPrime.length * 8,
&ctx->preMasterSecret);
#else
ortn = sslDhKeyExchange(ctx);
#endif
dumpBuf("server peer pub", &ctx->dhPeerPublic);
dumpBuf("server premaster", &ctx->preMasterSecret);
return ortn;
}
static OSStatus
SSLEncodeDHClientKeyExchange(SSLRecord *keyExchange, SSLContext *ctx)
{ OSStatus err;
size_t outputLen;
int head;
assert(ctx->protocolSide == kSSLClientSide);
assert(ctx->negProtocolVersion >= SSL_Version_3_0);
keyExchange->contentType = SSL_RecordTypeHandshake;
keyExchange->protocolVersion = ctx->negProtocolVersion;
if ((err = SSLGenClientDHKeyAndExchange(ctx)) != 0)
return err;
outputLen = ctx->dhExchangePublic.length + 2;
head = SSLHandshakeHeaderSize(keyExchange);
if ((err = SSLAllocBuffer(&keyExchange->contents,outputLen + head)))
return err;
uint8_t *charPtr = SSLEncodeHandshakeHeader(ctx, keyExchange, SSL_HdskClientKeyExchange, outputLen);
charPtr = SSLEncodeSize(charPtr, ctx->dhExchangePublic.length, 2);
memcpy(charPtr, ctx->dhExchangePublic.data, ctx->dhExchangePublic.length);
dumpBuf("client pub key", &ctx->dhExchangePublic);
dumpBuf("client premaster", &ctx->preMasterSecret);
return errSecSuccess;
}
#endif /* APPLE_DH */
// MARK: -
// MARK: ECDSA Key Exchange
/*
* Given the server's ECDH curve params and public key, generate our
* own ECDH key pair, and perform key exchange using the server's
* public key and our private key. The result is the premaster
* secret.
*
* SSLContext members valid on entry:
* if keyExchangeMethod == SSL_ECDHE_ECDSA or SSL_ECDHE_RSA:
* ecdhPeerPublic
* ecdhPeerCurve
* if keyExchangeMethod == SSL_ECDH_ECDSA or SSL_ECDH_RSA:
* peerPubKey, from which we infer ecdhPeerCurve
*
* SSLContext members valid on successful return:
* ecdhPrivate
* ecdhExchangePublic
* preMasterSecret
*/
static OSStatus
SSLGenClientECDHKeyAndExchange(SSLContext *ctx)
{
OSStatus ortn;
assert(ctx->protocolSide == kSSLClientSide);
switch(ctx->selectedCipherSpecParams.keyExchangeMethod) {
case SSL_ECDHE_ECDSA:
case SSL_ECDHE_RSA:
/* Server sent us an ephemeral key with peer curve specified */
if(ctx->ecdhPeerPublic.data == NULL) {
sslErrorLog("SSLGenClientECDHKeyAndExchange: incomplete server params\n");
return errSSLProtocol;
}
break;
case SSL_ECDH_ECDSA:
case SSL_ECDH_RSA:
{
/* No server key exchange; we have to get the curve from the key */
if(ctx->peerPubKey == NULL) {
sslErrorLog("SSLGenClientECDHKeyAndExchange: no peer key\n");
return errSSLInternal;
}
/* The peer curve is in the key's CSSM_X509_ALGORITHM_IDENTIFIER... */
ortn = sslEcdsaPeerCurve(ctx->peerPubKey, &ctx->ecdhPeerCurve);
if(ortn) {
return ortn;
}
sslEcdsaDebug("SSLGenClientECDHKeyAndExchange: derived peerCurve %u",
(unsigned)ctx->ecdhPeerCurve);
break;
}
default:
/* shouldn't be here */
assert(0);
return errSSLInternal;
}
/* Generate our (ephemeral) pair, or extract it from our signing identity */
if((ctx->negAuthType == SSLClientAuth_RSAFixedECDH) ||
(ctx->negAuthType == SSLClientAuth_ECDSAFixedECDH)) {
/*
* Client auth with a fixed ECDH key in the cert. Convert private key
* from SecKeyRef to CSSM format. We don't need ecdhExchangePublic
* because the server gets that from our cert.
*/
assert(ctx->signingPrivKeyRef != NULL);
#if USE_CDSA_CRYPTO
//assert(ctx->cspHand != 0);
sslFreeKey(ctx->cspHand, &ctx->ecdhPrivate, NULL);
SSLFreeBuffer(&ctx->ecdhExchangePublic);
ortn = SecKeyGetCSSMKey(ctx->signingPrivKeyRef, (const CSSM_KEY **)&ctx->ecdhPrivate);
if(ortn) {
return ortn;
}
ortn = SecKeyGetCSPHandle(ctx->signingPrivKeyRef, &ctx->ecdhPrivCspHand);
if(ortn) {
sslErrorLog("SSLGenClientECDHKeyAndExchange: SecKeyGetCSPHandle err %d\n",
(int)ortn);
}
#endif
sslEcdsaDebug("+++ Extracted ECDH private key");
}
else {
/* generate a new pair */
ortn = sslEcdhGenerateKeyPair(ctx, ctx->ecdhPeerCurve);
if(ortn) {
return ortn;
}
#if USE_CDSA_CRYPTO
sslEcdsaDebug("+++ Generated %u bit (%u byte) ECDH key pair",
(unsigned)ctx->ecdhPrivate->KeyHeader.LogicalKeySizeInBits,
(unsigned)((ctx->ecdhPrivate->KeyHeader.LogicalKeySizeInBits + 7) / 8));
#endif
}
/* do the exchange --> premaster secret */
ortn = sslEcdhKeyExchange(ctx, &ctx->preMasterSecret);
if(ortn) {
return ortn;
}
return errSecSuccess;
}
/*
* Decode ECDH params and server public key.
*/
static OSStatus
SSLDecodeECDHKeyParams(
SSLContext *ctx,
uint8_t **charPtr, // IN/OUT
size_t length)
{
OSStatus err = errSecSuccess;
sslEcdsaDebug("+++ Decoding ECDH Server Key Exchange");
assert(ctx->protocolSide == kSSLClientSide);
uint8_t *endCp = *charPtr + length;
/* Allow reuse via renegotiation */
SSLFreeBuffer(&ctx->ecdhPeerPublic);
/*** ECParameters - just a curveType and a named curve ***/
/* 1-byte curveType, we only allow one type */
uint8_t curveType = **charPtr;
if(curveType != SSL_CurveTypeNamed) {
sslEcdsaDebug("+++ SSLDecodeECDHKeyParams: Bad curveType (%u)\n", (unsigned)curveType);
return errSSLProtocol;
}
(*charPtr)++;
if(*charPtr > endCp) {
return errSSLProtocol;
}
/* two-byte curve */
ctx->ecdhPeerCurve = SSLDecodeInt(*charPtr, 2);
(*charPtr) += 2;
if(*charPtr > endCp) {
return errSSLProtocol;
}
switch(ctx->ecdhPeerCurve) {
case SSL_Curve_secp256r1:
case SSL_Curve_secp384r1:
case SSL_Curve_secp521r1:
break;
default:
sslEcdsaDebug("+++ SSLDecodeECDHKeyParams: Bad curve (%u)\n",
(unsigned)ctx->ecdhPeerCurve);
return errSSLProtocol;
}
sslEcdsaDebug("+++ SSLDecodeECDHKeyParams: ecdhPeerCurve %u",
(unsigned)ctx->ecdhPeerCurve);
/*** peer public key as an ECPoint ***/
/*
* The spec says the the max length of an ECPoint is 255 bytes, limiting
* this whole mechanism to a max modulus size of 1020 bits, which I find
* hard to believe...
*/
UInt32 len = SSLDecodeInt(*charPtr, 1);
(*charPtr)++;
if((*charPtr + len) > endCp) {
return errSSLProtocol;
}
err = SSLAllocBuffer(&ctx->ecdhPeerPublic, len);
if(err) {
return err;
}
memmove(ctx->ecdhPeerPublic.data, *charPtr, len);
(*charPtr) += len;
dumpBuf("client peer pub", &ctx->ecdhPeerPublic);
return err;
}
static OSStatus
SSLEncodeECDHClientKeyExchange(SSLRecord *keyExchange, SSLContext *ctx)
{ OSStatus err;
size_t outputLen;
int head;
assert(ctx->protocolSide == kSSLClientSide);
if ((err = SSLGenClientECDHKeyAndExchange(ctx)) != 0)
return err;
/*
* Per RFC 4492 5.7, if we're doing ECDSA_fixed_ECDH or RSA_fixed_ECDH
* client auth, we still send this message, but it's empty (because the
* server gets our public key from our cert).
*/
bool emptyMsg = false;
switch(ctx->negAuthType) {
case SSLClientAuth_RSAFixedECDH:
case SSLClientAuth_ECDSAFixedECDH:
emptyMsg = true;
break;
default:
break;
}
if(emptyMsg) {
outputLen = 0;
}
else {
outputLen = ctx->ecdhExchangePublic.length + 1;
}
keyExchange->contentType = SSL_RecordTypeHandshake;
assert(ctx->negProtocolVersion >= SSL_Version_3_0);
keyExchange->protocolVersion = ctx->negProtocolVersion;
head = SSLHandshakeHeaderSize(keyExchange);
if ((err = SSLAllocBuffer(&keyExchange->contents,outputLen + head)))
return err;
uint8_t *charPtr = SSLEncodeHandshakeHeader(ctx, keyExchange, SSL_HdskClientKeyExchange, outputLen);
if(emptyMsg) {
sslEcdsaDebug("+++ Sending EMPTY ECDH Client Key Exchange");
}
else {
/* just a 1-byte length here... */
charPtr = SSLEncodeSize(charPtr, ctx->ecdhExchangePublic.length, 1);
memcpy(charPtr, ctx->ecdhExchangePublic.data, ctx->ecdhExchangePublic.length);
sslEcdsaDebug("+++ Encoded ECDH Client Key Exchange");
}
dumpBuf("client pub key", &ctx->ecdhExchangePublic);
dumpBuf("client premaster", &ctx->preMasterSecret);
return errSecSuccess;
}
static OSStatus
SSLDecodePSKClientKeyExchange(SSLBuffer keyExchange, SSLContext *ctx)
{
OSStatus ortn = errSecSuccess;
unsigned int identityLen;
assert(ctx->protocolSide == kSSLServerSide);
/* this message simply contains the client's PSK identity */
uint8_t *charPtr = keyExchange.data;
identityLen = SSLDecodeInt(charPtr, 2);
charPtr += 2;
SSLFreeBuffer(&ctx->pskIdentity); // allow reuse via renegotiation
ortn = SSLAllocBuffer(&ctx->pskIdentity, identityLen);
if(ortn) {
return ortn;
}
memmove(ctx->pskIdentity.data, charPtr, identityLen);
/* TODO: At this point we know the identity of the PSK client,
we should break out of the handshake, so we can select the appropriate
PreShared secret. As this stands, the preshared secret needs to be known
before the handshake starts. */
size_t n=ctx->pskSharedSecret.length;
if(n==0) return errSSLBadConfiguration;
if ((ortn = SSLAllocBuffer(&ctx->preMasterSecret, 2*(n+2))) != 0)
return ortn;
uint8_t *p=ctx->preMasterSecret.data;
p = SSLEncodeInt(p, n, 2);
memset(p, 0, n); p+=n;
p = SSLEncodeInt(p, n, 2);
memcpy(p, ctx->pskSharedSecret.data, n);
dumpBuf("server premaster (PSK)", &ctx->preMasterSecret);
return ortn;
}
static OSStatus
SSLEncodePSKClientKeyExchange(SSLRecord *keyExchange, SSLContext *ctx)
{
OSStatus err;
size_t outputLen;
int head;
assert(ctx->protocolSide == kSSLClientSide);
outputLen = ctx->pskIdentity.length+2;
keyExchange->contentType = SSL_RecordTypeHandshake;
assert(ctx->negProtocolVersion >= SSL_Version_3_0);
keyExchange->protocolVersion = ctx->negProtocolVersion;
head = SSLHandshakeHeaderSize(keyExchange);
if ((err = SSLAllocBuffer(&keyExchange->contents,outputLen + head)))
return err;
uint8_t *charPtr = SSLEncodeHandshakeHeader(ctx, keyExchange, SSL_HdskClientKeyExchange, outputLen);
charPtr = SSLEncodeSize(charPtr, ctx->pskIdentity.length, 2);
memcpy(charPtr, ctx->pskIdentity.data, ctx->pskIdentity.length);
/* We better have a pskSharedSecret already */
size_t n=ctx->pskSharedSecret.length;
if(n==0) return errSSLBadConfiguration;
if ((err = SSLAllocBuffer(&ctx->preMasterSecret, 2*(n+2))) != 0)
return err;
uint8_t *p=ctx->preMasterSecret.data;
p = SSLEncodeInt(p, n, 2);
memset(p, 0, n); p+=n;
p = SSLEncodeInt(p, n, 2);
memcpy(p, ctx->pskSharedSecret.data, n);
dumpBuf("client premaster (PSK)", &ctx->preMasterSecret);
return errSecSuccess;
}
// MARK: -
// MARK: Public Functions
OSStatus
SSLEncodeServerKeyExchange(SSLRecord *keyExch, SSLContext *ctx)
{ OSStatus err;
switch (ctx->selectedCipherSpecParams.keyExchangeMethod)
{ case SSL_RSA:
case SSL_RSA_EXPORT:
#if APPLE_DH
case SSL_DHE_RSA:
case SSL_DHE_RSA_EXPORT:
case SSL_DHE_DSS:
case SSL_DHE_DSS_EXPORT:
#endif /* APPLE_DH */
if ((err = SSLEncodeSignedServerKeyExchange(keyExch, ctx)) != 0)
return err;
break;
#if APPLE_DH
case SSL_DH_anon:
case SSL_DH_anon_EXPORT:
if ((err = SSLEncodeDHanonServerKeyExchange(keyExch, ctx)) != 0)
return err;
break;
#endif
default:
return errSecUnimplemented;
}
return errSecSuccess;
}
OSStatus
SSLProcessServerKeyExchange(SSLBuffer message, SSLContext *ctx)
{
OSStatus err;
switch (ctx->selectedCipherSpecParams.keyExchangeMethod) {
case SSL_RSA:
case SSL_RSA_EXPORT:
#if APPLE_DH
case SSL_DHE_RSA:
case SSL_DHE_RSA_EXPORT:
case SSL_DHE_DSS:
case SSL_DHE_DSS_EXPORT:
#endif
case SSL_ECDHE_ECDSA:
case SSL_ECDHE_RSA:
err = SSLDecodeSignedServerKeyExchange(message, ctx);
break;
#if APPLE_DH
case SSL_DH_anon:
case SSL_DH_anon_EXPORT:
err = SSLDecodeDHanonServerKeyExchange(message, ctx);
break;
#endif
default:
err = errSecUnimplemented;
break;
}
return err;
}
OSStatus
SSLEncodeKeyExchange(SSLRecord *keyExchange, SSLContext *ctx)
{ OSStatus err;
assert(ctx->protocolSide == kSSLClientSide);
switch (ctx->selectedCipherSpecParams.keyExchangeMethod) {
case SSL_RSA:
case SSL_RSA_EXPORT:
sslDebugLog("SSLEncodeKeyExchange: RSA method\n");
err = SSLEncodeRSAKeyExchange(keyExchange, ctx);
break;
#if APPLE_DH
case SSL_DHE_RSA:
case SSL_DHE_RSA_EXPORT:
case SSL_DHE_DSS:
case SSL_DHE_DSS_EXPORT:
case SSL_DH_anon:
case SSL_DH_anon_EXPORT:
sslDebugLog("SSLEncodeKeyExchange: DH method\n");
err = SSLEncodeDHClientKeyExchange(keyExchange, ctx);
break;
#endif
case SSL_ECDH_ECDSA:
case SSL_ECDHE_ECDSA:
case SSL_ECDH_RSA:
case SSL_ECDHE_RSA:
case SSL_ECDH_anon:
sslDebugLog("SSLEncodeKeyExchange: ECDH method\n");
err = SSLEncodeECDHClientKeyExchange(keyExchange, ctx);
break;
case TLS_PSK:
err = SSLEncodePSKClientKeyExchange(keyExchange, ctx);
break;
default:
sslErrorLog("SSLEncodeKeyExchange: unknown method (%d)\n",
ctx->selectedCipherSpecParams.keyExchangeMethod);
err = errSecUnimplemented;
}
return err;
}
OSStatus
SSLProcessKeyExchange(SSLBuffer keyExchange, SSLContext *ctx)
{ OSStatus err;
switch (ctx->selectedCipherSpecParams.keyExchangeMethod)
{ case SSL_RSA:
case SSL_RSA_EXPORT:
if ((err = SSLDecodeRSAKeyExchange(keyExchange, ctx)) != 0)
return err;
break;
#if APPLE_DH
case SSL_DH_anon:
case SSL_DHE_DSS:
case SSL_DHE_DSS_EXPORT:
case SSL_DHE_RSA:
case SSL_DHE_RSA_EXPORT:
case SSL_DH_anon_EXPORT:
sslDebugLog("SSLProcessKeyExchange: processing DH key exchange (%d)\n",
ctx->selectedCipherSpecParams.keyExchangeMethod);
if ((err = SSLDecodeDHClientKeyExchange(keyExchange, ctx)) != 0)
return err;
break;
#endif
case TLS_PSK:
if ((err = SSLDecodePSKClientKeyExchange(keyExchange, ctx)) != 0)
return err;
break;
default:
sslErrorLog("SSLProcessKeyExchange: unknown keyExchangeMethod (%d)\n",
ctx->selectedCipherSpecParams.keyExchangeMethod);
return errSecUnimplemented;
}
return errSecSuccess;
}
OSStatus
SSLInitPendingCiphers(SSLContext *ctx)
{ OSStatus err;
SSLBuffer key;
int keyDataLen;
err = errSecSuccess;
key.data = 0;
keyDataLen = ctx->selectedCipherSpecParams.macSize +
ctx->selectedCipherSpecParams.keySize +
ctx->selectedCipherSpecParams.ivSize;
keyDataLen *= 2; /* two of everything */
if ((err = SSLAllocBuffer(&key, keyDataLen)))
return err;
assert(ctx->sslTslCalls != NULL);
if ((err = ctx->sslTslCalls->generateKeyMaterial(key, ctx)) != 0)
goto fail;
if((err = ctx->recFuncs->initPendingCiphers(ctx->recCtx, ctx->selectedCipher, (ctx->protocolSide==kSSLServerSide), key)) != 0)
goto fail;
ctx->writePending_ready = 1;
ctx->readPending_ready = 1;
fail:
SSLFreeBuffer(&key);
return err;
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment