SSLRecordInternal.c   [plain text]

//
//  SSLRecordInternal.c
//  Security
//
//  Created by Fabrice Gautier on 10/25/11.
//  Copyright (c) 2011 Apple, Inc. All rights reserved.
//

/* THIS FILE CONTAINS KERNEL CODE */

#include "sslBuildFlags.h"
#include "SSLRecordInternal.h"
#include "sslDebug.h"
#include "cipherSpecs.h"
#include "symCipher.h"
#include "sslUtils.h"
#include "tls_record.h"

#include <AssertMacros.h>
#include <string.h>

#include <inttypes.h>

#define DEFAULT_BUFFER_SIZE 4096


/*
 * Redirect SSLBuffer-based I/O call to user-supplied I/O.
 */
static
int sslIoRead(SSLBuffer                        buf,
              size_t                           *actualLength,
              struct SSLRecordInternalContext  *ctx)
{
	size_t  dataLength = buf.length;
	int     ortn;

	*actualLength = 0;
	ortn = (ctx->read)(ctx->ioRef,
                       buf.data,
                       &dataLength);
	*actualLength = dataLength;
	return ortn;
}

static
int sslIoWrite(SSLBuffer                       buf,
               size_t                          *actualLength,
               struct SSLRecordInternalContext *ctx)
{
	size_t  dataLength = buf.length;
	int     ortn;

	*actualLength = 0;
	ortn = (ctx->write)(ctx->ioRef,
                        buf.data,
                        &dataLength);
	*actualLength = dataLength;
	return ortn;
}


static int
SSLDisposeCipherSuite(CipherContext *cipher, struct SSLRecordInternalContext *ctx)
{   int      err;

	/* symmetric encryption context */
	if(cipher->symCipher) {
		if ((err = cipher->symCipher->finish(cipher->cipherCtx)) != 0) {
			return err;
		}
	}

	/* per-record hash/hmac context */
	ctx->sslTslCalls->freeMac(cipher);

    return 0;
}



/* common for sslv3 and tlsv1, except for the computeMac callout */
int SSLVerifyMac(uint8_t type,
                 SSLBuffer *data,
                 uint8_t *compareMAC,
                 struct SSLRecordInternalContext *ctx)
{
	int        err;
    uint8_t           macData[SSL_MAX_DIGEST_LEN];
    SSLBuffer       secret, mac;

    secret.data = ctx->readCipher.macSecret;
    secret.length = ctx->readCipher.macRef->hash->digestSize;
    mac.data = macData;
    mac.length = ctx->readCipher.macRef->hash->digestSize;

	check(ctx->sslTslCalls != NULL);
    if ((err = ctx->sslTslCalls->computeMac(type,
                                            *data,
                                            mac,
                                            &ctx->readCipher,
                                            ctx->readCipher.sequenceNum,
                                            ctx)) != 0)
        return err;

    if ((memcmp(mac.data, compareMAC, mac.length)) != 0) {
		sslErrorLog("SSLVerifyMac: Mac verify failure\n");
        return errSSLRecordProtocol;
    }
    return 0;
}

#include "cipherSpecs.h"
#include "symCipher.h"

static const HashHmacReference *sslCipherSuiteGetHashHmacReference(uint16_t selectedCipher)
{
    HMAC_Algs alg = sslCipherSuiteGetMacAlgorithm(selectedCipher);

    switch (alg) {
        case HA_Null:
            return &HashHmacNull;
        case HA_MD5:
            return &HashHmacMD5;
        case HA_SHA1:
            return &HashHmacSHA1;
        case HA_SHA256:
            return &HashHmacSHA256;
        case HA_SHA384:
            return &HashHmacSHA384;
        default:
            sslErrorLog("Invalid hashAlgorithm %d", alg);
            check(0);
            return &HashHmacNull;
    }
}

static const SSLSymmetricCipher *sslCipherSuiteGetSymmetricCipher(uint16_t selectedCipher)
{

    SSL_CipherAlgorithm alg = sslCipherSuiteGetSymmetricCipherAlgorithm(selectedCipher);
    switch(alg) {
        case SSL_CipherAlgorithmNull:
            return &SSLCipherNull;
#if ENABLE_RC2
        case SSL_CipherAlgorithmRC2_128:
            return &SSLCipherRC2_128;
#endif
#if ENABLE_RC4
        case SSL_CipherAlgorithmRC4_128:
            return &SSLCipherRC4_128;
#endif
#if ENABLE_DES
        case SSL_CipherAlgorithmDES_CBC:
            return &SSLCipherDES_CBC;
#endif
        case SSL_CipherAlgorithm3DES_CBC:
            return &SSLCipher3DES_CBC;
        case SSL_CipherAlgorithmAES_128_CBC:
            return &SSLCipherAES_128_CBC;
        case SSL_CipherAlgorithmAES_256_CBC:
            return &SSLCipherAES_256_CBC;
#if ENABLE_AES_GCM
        case SSL_CipherAlgorithmAES_128_GCM:
            return &SSLCipherAES_128_GCM;
        case SSL_CipherAlgorithmAES_256_GCM:
            return &SSLCipherAES_256_GCM;
#endif
        default:
            check(0);
            return &SSLCipherNull;
    }
}

static void InitCipherSpec(struct SSLRecordInternalContext *ctx, uint16_t selectedCipher)
{
    SSLRecordCipherSpec *dst = &ctx->selectedCipherSpec;

    ctx->selectedCipher = selectedCipher;
    dst->cipher = sslCipherSuiteGetSymmetricCipher(selectedCipher);
    dst->macAlgorithm = sslCipherSuiteGetHashHmacReference(selectedCipher);
};

/* Entry points to Record Layer */

static int SSLRecordReadInternal(SSLRecordContextRef ref, SSLRecord *rec)
{   int        err;
    size_t          len, contentLen;
    uint8_t           *charPtr;
    SSLBuffer       readData, cipherFragment;
    size_t          head=5;
    int             skipit=0;
    struct SSLRecordInternalContext *ctx = ref;

    if(ctx->isDTLS)
        head+=8;

    if (!ctx->partialReadBuffer.data || ctx->partialReadBuffer.length < head)
    {   if (ctx->partialReadBuffer.data)
        if ((err = SSLFreeBuffer(&ctx->partialReadBuffer)) != 0)
        {
            return err;
        }
        if ((err = SSLAllocBuffer(&ctx->partialReadBuffer,
                                  DEFAULT_BUFFER_SIZE)) != 0)
        {
            return err;
        }
    }

    if (ctx->negProtocolVersion == SSL_Version_Undetermined) {
        if (ctx->amountRead < 1)
        {   readData.length = 1 - ctx->amountRead;
            readData.data = ctx->partialReadBuffer.data + ctx->amountRead;
            len = readData.length;
            err = sslIoRead(readData, &len, ctx);
            if(err != 0)
            {   if (err == errSSLRecordWouldBlock) {
                ctx->amountRead += len;
                return err;
            }
            else {
                /* abort */
                err = errSSLRecordClosedAbort;
#if 0 // TODO: revisit this in the transport layer
                if((ctx->protocolSide == kSSLClientSide) &&
                   (ctx->amountRead == 0) &&
                   (len == 0)) {
                    /*
                     * Detect "server refused to even try to negotiate"
                     * error, when the server drops the connection before
                     * sending a single byte.
                     */
                    switch(ctx->state) {
                        case SSL_HdskStateServerHello:
                            sslHdskStateDebug("Server dropped initial connection\n");
                            err = errSSLConnectionRefused;
                            break;
                        default:
                            break;
                    }
                }
#endif
                return err;
            }
            }
            ctx->amountRead += len;
        }
    }

    if (ctx->amountRead < head)
    {   readData.length = head - ctx->amountRead;
        readData.data = ctx->partialReadBuffer.data + ctx->amountRead;
        len = readData.length;
        err = sslIoRead(readData, &len, ctx);
        if(err != 0)
        {
			switch(err) {
				case errSSLRecordWouldBlock:
					ctx->amountRead += len;
					break;
#if	SSL_ALLOW_UNNOTICED_DISCONNECT
				case errSSLClosedGraceful:
					/* legal if we're on record boundary and we've gotten past
					 * the handshake */
					if((ctx->amountRead == 0) && 				/* nothing pending */
					   (len == 0) &&							/* nothing new */
					   (ctx->state == SSL_HdskStateClientReady)) {	/* handshake done */
					    /*
						 * This means that the server has disconnected without
						 * sending a closure alert notice. This is technically
						 * illegal per the SSL3 spec, but about half of the
						 * servers out there do it, so we report it as a separate
						 * error which most clients - including (currently)
						 * URLAccess - ignore by treating it the same as
						 * a errSSLClosedGraceful error. Paranoid
						 * clients can detect it and handle it however they
						 * want to.
						 */
						SSLChangeHdskState(ctx, SSL_HdskStateNoNotifyClose);
						err = errSSLClosedNoNotify;
						break;
					}
					else {
						/* illegal disconnect */
						err = errSSLClosedAbort;
						/* and drop thru to default: fatal alert */
					}
#endif	/* SSL_ALLOW_UNNOTICED_DISCONNECT */
				default:
					break;
            }
            return err;
        }
        ctx->amountRead += len;
    }

    check(ctx->amountRead >= head);

    charPtr = ctx->partialReadBuffer.data;
    rec->contentType = *charPtr++;
    if (rec->contentType < SSL_RecordTypeV3_Smallest ||
        rec->contentType > SSL_RecordTypeV3_Largest)
        return errSSLRecordProtocol;

    rec->protocolVersion = (SSLProtocolVersion)SSLDecodeInt(charPtr, 2);
    charPtr += 2;

    if(rec->protocolVersion == DTLS_Version_1_0)
    {
        sslUint64 seqNum;
        SSLDecodeUInt64(charPtr, 8, &seqNum);
        charPtr += 8;
        sslLogRecordIo("Read DTLS Record %016llx (seq is: %016llx)",
                       seqNum, ctx->readCipher.sequenceNum);

        /* if the epoch of the record is different of current read cipher, just drop it */
        if((seqNum>>48)!=(ctx->readCipher.sequenceNum>>48)) {
            skipit=1;
        } else {
            ctx->readCipher.sequenceNum=seqNum;
        }
    }

    contentLen = SSLDecodeInt(charPtr, 2);
    charPtr += 2;
    if (contentLen > (16384 + 2048))    /* Maximum legal length of an
										 * SSLCipherText payload */
    {
        return errSSLRecordRecordOverflow;
    }

    if (ctx->partialReadBuffer.length < head + contentLen)
    {   if ((err = SSLReallocBuffer(&ctx->partialReadBuffer, head + contentLen)) != 0)
    {
        return err;
    }
    }

    if (ctx->amountRead < head + contentLen)
    {   readData.length = head + contentLen - ctx->amountRead;
        readData.data = ctx->partialReadBuffer.data + ctx->amountRead;
        len = readData.length;
        err = sslIoRead(readData, &len, ctx);
        if(err != 0)
        {   if (err == errSSLRecordWouldBlock)
            ctx->amountRead += len;
            return err;
        }
        ctx->amountRead += len;
    }

    check(ctx->amountRead >= head + contentLen);

    cipherFragment.data = ctx->partialReadBuffer.data + head;
    cipherFragment.length = contentLen;

    ctx->amountRead = 0;        /* We've used all the data in the cache */

    /* We dont decrypt if we were told to skip this record */
    if(skipit) {
        return errSSLRecordUnexpectedRecord;
    }
	/*
	 * Decrypt the payload & check the MAC, modifying the length of the
	 * buffer to indicate the amount of plaintext data after adjusting
	 * for the block size and removing the MAC */
	check(ctx->sslTslCalls != NULL);
    if ((err = ctx->sslTslCalls->decryptRecord(rec->contentType,
                                               &cipherFragment, ctx)) != 0)
        return err;

	/*
	 * We appear to have sucessfully received a record; increment the
	 * sequence number
	 */
    IncrementUInt64(&ctx->readCipher.sequenceNum);

	/* Allocate a buffer to return the plaintext in and return it */
    if ((err = SSLAllocBuffer(&rec->contents, cipherFragment.length)) != 0)
    {
        return err;
    }
    memcpy(rec->contents.data, cipherFragment.data, cipherFragment.length);


    return 0;
}

static int SSLRecordWriteInternal(SSLRecordContextRef ref, SSLRecord rec)
{
    int err;
    struct SSLRecordInternalContext *ctx = ref;

    err=ctx->sslTslCalls->writeRecord(rec, ctx);

    check_noerr(err);

    return err;
}

/* Record Layer Entry Points */

static int
SSLRollbackInternalRecordLayerWriteCipher(SSLRecordContextRef ref)
{
    int err;
    struct SSLRecordInternalContext *ctx = ref;

    if ((err = SSLDisposeCipherSuite(&ctx->writePending, ctx)) != 0)
        return err;

    ctx->writePending = ctx->writeCipher;
    ctx->writeCipher = ctx->prevCipher;

    /* Zero out old data */
    memset(&ctx->prevCipher, 0, sizeof(CipherContext));

    return 0;
}

static int
SSLAdvanceInternalRecordLayerWriteCipher(SSLRecordContextRef ref)
{
    int err;
    struct SSLRecordInternalContext *ctx = ref;

    if ((err = SSLDisposeCipherSuite(&ctx->prevCipher, ctx)) != 0)
        return err;

    ctx->prevCipher = ctx->writeCipher;
    ctx->writeCipher = ctx->writePending;

    /* Zero out old data */
    memset(&ctx->writePending, 0, sizeof(CipherContext));

    return 0;
}

static int
SSLAdvanceInternalRecordLayerReadCipher(SSLRecordContextRef ref)
{
    struct SSLRecordInternalContext *ctx = ref;
    int err;

    if ((err = SSLDisposeCipherSuite(&ctx->readCipher, ctx)) != 0)
        return err;

    ctx->readCipher = ctx->readPending;
    memset(&ctx->readPending, 0, sizeof(CipherContext)); 	/* Zero out old data */

    return 0;
}

static int
SSLInitInternalRecordLayerPendingCiphers(SSLRecordContextRef ref, uint16_t selectedCipher, bool isServer, SSLBuffer key)
{   int        err;
    uint8_t         *keyDataProgress, *keyPtr, *ivPtr;
    CipherContext   *serverPending, *clientPending;

    struct SSLRecordInternalContext *ctx = ref;

    InitCipherSpec(ctx, selectedCipher);

    ctx->readPending.macRef = ctx->selectedCipherSpec.macAlgorithm;
    ctx->writePending.macRef = ctx->selectedCipherSpec.macAlgorithm;
    ctx->readPending.symCipher = ctx->selectedCipherSpec.cipher;
    ctx->writePending.symCipher = ctx->selectedCipherSpec.cipher;
    /* This need to be reinitialized because the whole thing is zeroed sometimes */
    ctx->readPending.encrypting = 0;
    ctx->writePending.encrypting = 1;

    if(ctx->negProtocolVersion == DTLS_Version_1_0)
    {
        ctx->readPending.sequenceNum = (ctx->readPending.sequenceNum & (0xffffULL<<48)) + (1ULL<<48);
        ctx->writePending.sequenceNum = (ctx->writePending.sequenceNum & (0xffffULL<<48)) + (1ULL<<48);
    } else {
        ctx->writePending.sequenceNum = 0;
        ctx->readPending.sequenceNum = 0;
    }

    if (isServer)
    {   serverPending = &ctx->writePending;
        clientPending = &ctx->readPending;
    }
    else
    {   serverPending = &ctx->readPending;
        clientPending = &ctx->writePending;
    }

    /* Check the size of the 'key' buffer - <rdar://problem/11204357> */
    if(key.length != ctx->selectedCipherSpec.macAlgorithm->hash->digestSize*2
                   + ctx->selectedCipherSpec.cipher->params->keySize*2
                   + ctx->selectedCipherSpec.cipher->params->ivSize*2)
    {
        return errSSLRecordInternal;
    }

    keyDataProgress = key.data;
    memcpy(clientPending->macSecret, keyDataProgress,
           ctx->selectedCipherSpec.macAlgorithm->hash->digestSize);
    keyDataProgress += ctx->selectedCipherSpec.macAlgorithm->hash->digestSize;
    memcpy(serverPending->macSecret, keyDataProgress,
           ctx->selectedCipherSpec.macAlgorithm->hash->digestSize);
    keyDataProgress += ctx->selectedCipherSpec.macAlgorithm->hash->digestSize;

    if (ctx->selectedCipherSpec.cipher->params->cipherType == aeadCipherType)
        goto skipInit;

    /* init the reusable-per-record MAC contexts */
    err = ctx->sslTslCalls->initMac(clientPending);
    if(err) {
        goto fail;
    }
    err = ctx->sslTslCalls->initMac(serverPending);
    if(err) {
        goto fail;
    }

    keyPtr = keyDataProgress;
    keyDataProgress += ctx->selectedCipherSpec.cipher->params->keySize;
    /* Skip server write key to get to IV */
    ivPtr = keyDataProgress + ctx->selectedCipherSpec.cipher->params->keySize;
    if ((err = ctx->selectedCipherSpec.cipher->c.cipher.initialize(clientPending->symCipher->params, clientPending->encrypting, keyPtr, ivPtr,
                                                                   &clientPending->cipherCtx)) != 0)
        goto fail;
    keyPtr = keyDataProgress;
    keyDataProgress += ctx->selectedCipherSpec.cipher->params->keySize;
    /* Skip client write IV to get to server write IV */
    ivPtr = keyDataProgress + ctx->selectedCipherSpec.cipher->params->ivSize;
    if ((err = ctx->selectedCipherSpec.cipher->c.cipher.initialize(serverPending->symCipher->params, serverPending->encrypting, keyPtr, ivPtr,
                                                                   &serverPending->cipherCtx)) != 0)
        goto fail;

skipInit:
    /* Ciphers are ready for use */
    ctx->writePending.ready = 1;
    ctx->readPending.ready = 1;

    /* Ciphers get swapped by sending or receiving a change cipher spec message */
    err = 0;

fail:
    return err;
}

static int
SSLSetInternalRecordLayerProtocolVersion(SSLRecordContextRef ref, SSLProtocolVersion negVersion)
{
    struct SSLRecordInternalContext *ctx = ref;

    switch(negVersion) {
        case SSL_Version_3_0:
            ctx->sslTslCalls = &Ssl3RecordCallouts;
            break;
        case TLS_Version_1_0:
        case TLS_Version_1_1:
        case DTLS_Version_1_0:
        case TLS_Version_1_2:
            ctx->sslTslCalls = &Tls1RecordCallouts;
            break;
        case SSL_Version_2_0:
        case SSL_Version_Undetermined:
        default:
            return errSSLRecordNegotiation;
    }
    ctx->negProtocolVersion = negVersion;

    return 0;
}

static int
SSLRecordFreeInternal(SSLRecordContextRef ref, SSLRecord rec)
{
    return SSLFreeBuffer(&rec.contents);
}

static int
SSLRecordServiceWriteQueueInternal(SSLRecordContextRef ref)
{
    int             err = 0, werr = 0;
    size_t          written = 0;
    SSLBuffer       buf;
    WaitingRecord   *rec;
    struct SSLRecordInternalContext *ctx= ref;

    while (!werr && ((rec = ctx->recordWriteQueue) != 0))
    {   buf.data = rec->data + rec->sent;
        buf.length = rec->length - rec->sent;
        werr = sslIoWrite(buf, &written, ctx);
        rec->sent += written;
        if (rec->sent >= rec->length)
        {
            check(rec->sent == rec->length);
            check(err == 0);
            ctx->recordWriteQueue = rec->next;
			sslFree(rec);
        }
        if (err) {
            check_noerr(err);
            return err;
        }
    }

    return werr;
}

/***** Internal Record Layer APIs *****/

SSLRecordContextRef
SSLCreateInternalRecordLayer(bool dtls)
{
    struct SSLRecordInternalContext *ctx;

    ctx = sslMalloc(sizeof(struct SSLRecordInternalContext));
    if(ctx==NULL)
        return NULL;

    memset(ctx, 0, sizeof(struct SSLRecordInternalContext));

    ctx->negProtocolVersion = SSL_Version_Undetermined;

    ctx->sslTslCalls = &Ssl3RecordCallouts;
    ctx->recordWriteQueue = NULL;

    InitCipherSpec(ctx, TLS_NULL_WITH_NULL_NULL);

    ctx->writeCipher.macRef    = ctx->selectedCipherSpec.macAlgorithm;
    ctx->readCipher.macRef     = ctx->selectedCipherSpec.macAlgorithm;
    ctx->readCipher.symCipher  = ctx->selectedCipherSpec.cipher;
    ctx->writeCipher.symCipher = ctx->selectedCipherSpec.cipher;
    ctx->readCipher.encrypting = 0;
    ctx->writeCipher.encrypting = 1;

    ctx->isDTLS = dtls;

    return ctx;

}

int
SSLSetInternalRecordLayerIOFuncs(
                                 SSLRecordContextRef ref,
                                 SSLIOReadFunc    readFunc,
                                 SSLIOWriteFunc   writeFunc)
{
    struct SSLRecordInternalContext *ctx = ref;

    ctx->read = readFunc;
    ctx->write = writeFunc;

    return 0;
}

int
SSLSetInternalRecordLayerConnection(
                                    SSLRecordContextRef ref,
                                    SSLIOConnectionRef ioRef)
{
    struct SSLRecordInternalContext *ctx = ref;

    ctx->ioRef = ioRef;

    return 0;
}

void
SSLDestroyInternalRecordLayer(SSLRecordContextRef ref)
{
    struct SSLRecordInternalContext *ctx = ref;
	WaitingRecord   *waitRecord, *next;

    /* RecordContext cleanup : */
    SSLFreeBuffer(&ctx->partialReadBuffer);
    waitRecord = ctx->recordWriteQueue;
    while (waitRecord)
    {   next = waitRecord->next;
        sslFree(waitRecord);
        waitRecord = next;
    }


    /* Cleanup cipher structs */
    SSLDisposeCipherSuite(&ctx->readCipher, ctx);
    SSLDisposeCipherSuite(&ctx->writeCipher, ctx);
    SSLDisposeCipherSuite(&ctx->readPending, ctx);
    SSLDisposeCipherSuite(&ctx->writePending, ctx);
    SSLDisposeCipherSuite(&ctx->prevCipher, ctx);

    sslFree(ctx);

}

struct SSLRecordFuncs SSLRecordLayerInternal =
{
    .read  = SSLRecordReadInternal,
    .write = SSLRecordWriteInternal,
    .initPendingCiphers = SSLInitInternalRecordLayerPendingCiphers,
    .advanceWriteCipher = SSLAdvanceInternalRecordLayerWriteCipher,
    .advanceReadCipher = SSLAdvanceInternalRecordLayerReadCipher,
    .rollbackWriteCipher = SSLRollbackInternalRecordLayerWriteCipher,
    .setProtocolVersion = SSLSetInternalRecordLayerProtocolVersion,
    .free = SSLRecordFreeInternal,
    .serviceWriteQueue = SSLRecordServiceWriteQueueInternal,
};