int32 sslActivateWriteCipher(ssl_t *ssl)
{
ssl->encrypt = ssl->cipher->encrypt;
ssl->generateMac = ssl->cipher->generateMac;
ssl->enMacSize = ssl->cipher->macSize;
ssl->enBlockSize = ssl->cipher->blockSize;
ssl->enIvSize = ssl->cipher->ivSize;
/*
Reset the outgoing sequence number for the new suite
*/
memset(ssl->sec.seq, 0x0, sizeof(ssl->sec.seq));
if (ssl->cipher->id != SSL_NULL_WITH_NULL_NULL) {
ssl->flags |= SSL_FLAGS_WRITE_SECURE;
/*
Copy the newly activated write keys into the live buffers
*/
memcpy(ssl->sec.writeMAC, ssl->sec.wMACptr, ssl->cipher->macSize);
memcpy(ssl->sec.writeKey, ssl->sec.wKeyptr, ssl->cipher->keySize);
memcpy(ssl->sec.writeIV, ssl->sec.wIVptr, ssl->cipher->ivSize);
/*
set up encrypt contexts
*/
if (ssl->cipher->init(&(ssl->sec), INIT_ENCRYPT_CIPHER) < 0) {
matrixStrDebugMsg("Unable to init write cipher suite\n", NULL);
return -1;
}
}
return 0;
}
/*
Read in the certificate and private keys from the given files
If privPass is non-NULL, it will be used to decode an encrypted private
key file.
The certificate is stored internally as a pointer to DER encoded X.509
The private key is stored in a crypto provider specific structure
*/
#ifdef USE_FILE_SYSTEM
int32 matrixRsaReadKeys(sslKeys_t **keys, const char *certFile,
const char *privFile, const char *privPass,
const char *trustedCAFiles)
{
return matrixRsaReadKeysEx(PEERSEC_BASE_POOL, keys, certFile, privFile,
privPass, trustedCAFiles);
}
#else /* USE_FILE_SYSTEM */
int32 matrixRsaReadKeys(sslKeys_t **keys, char *certFile, char *privFile,
char *privPass, char *trustedCAFile)
{
matrixStrDebugMsg("Error: Calling matrixRsaReadKeys against a library " \
"built without USE_FILE_SYSTEM defined\n", NULL);
return -1;
}
/*
Binary to struct helper for RSA public keys.
*/
int32 matrixRsaParsePubKey(psPool_t *pool, unsigned char *keyBuf,
int32 keyBufLen, sslRsaKey_t **key)
{
unsigned char *p, *end;
int32 len;
p = keyBuf;
end = p + keyBufLen;
/*
Supporting both the PKCS#1 RSAPublicKey format and the
X.509 SubjectPublicKeyInfo format. If encoding doesn't start with
the SEQUENCE identifier for the SubjectPublicKeyInfo format, jump down
to the RSAPublicKey subset parser and try that
*/
if (getSequence(&p, (int32)(end - p), &len) == 0) {
if (getAlgorithmIdentifier(&p, (int32)(end - p), &len, 1) < 0) {
return -1;
}
}
/*
Now have the DER stream to extract from in asnp
*/
*key = psMalloc(pool, sizeof(sslRsaKey_t));
if (*key == NULL) {
return -8; /* SSL_MEM_ERROR */
}
memset(*key, 0x0, sizeof(sslRsaKey_t));
if (getPubKey(pool, &p, (int32)(end - p), *key) < 0) {
matrixRsaFreeKey(*key);
*key = NULL;
matrixStrDebugMsg("Unable to ASN parse public key\n", NULL);
return -1;
}
return 0;
}
/*
Cipher suites are chosen before they are activated with the
ChangeCipherSuite message. Additionally, the read and write cipher suites
are activated at different times in the handshake process. The following
APIs activate the selected cipher suite callback functions.
*/
int32 sslActivateReadCipher(ssl_t *ssl)
{
ssl->decrypt = ssl->cipher->decrypt;
ssl->verifyMac = ssl->cipher->verifyMac;
ssl->deMacSize = ssl->cipher->macSize;
ssl->deBlockSize = ssl->cipher->blockSize;
ssl->deIvSize = ssl->cipher->ivSize;
/*
Reset the expected incoming sequence number for the new suite
*/
memset(ssl->sec.remSeq, 0x0, sizeof(ssl->sec.remSeq));
if (ssl->cipher->id != SSL_NULL_WITH_NULL_NULL) {
ssl->flags |= SSL_FLAGS_READ_SECURE;
/*
Copy the newly activated read keys into the live buffers
*/
memcpy(ssl->sec.readMAC, ssl->sec.rMACptr, ssl->cipher->macSize);
memcpy(ssl->sec.readKey, ssl->sec.rKeyptr, ssl->cipher->keySize);
memcpy(ssl->sec.readIV, ssl->sec.rIVptr, ssl->cipher->ivSize);
/*
set up decrypt contexts
*/
if (ssl->cipher->init(&(ssl->sec), INIT_DECRYPT_CIPHER) < 0) {
matrixStrDebugMsg("Unable to initialize read cipher suite\n", NULL);
return -1;
}
}
return 0;
}
/*
ServerHelloDone message is a blank handshake message
*/
static int32 writeServerHelloDone(ssl_t *ssl, sslBuf_t *out)
{
unsigned char *c, *end, *encryptStart;
char padLen;
int32 messageSize, rc;
c = out->end;
end = out->buf + out->size;
messageSize =
ssl->recordHeadLen +
ssl->hshakeHeadLen;
if ((rc = writeRecordHeader(ssl, SSL_RECORD_TYPE_HANDSHAKE,
SSL_HS_SERVER_HELLO_DONE, &messageSize, &padLen,
&encryptStart, &end, &c)) < 0) {
return rc;
}
if ((rc = encryptRecord(ssl, SSL_RECORD_TYPE_HANDSHAKE, messageSize,
padLen, encryptStart, out, &c)) < 0) {
return rc;
}
if (c - out->end != messageSize) {
matrixStrDebugMsg("Error generating hello done for write\n", NULL);
return SSL_ERROR;
}
out->end = c;
return SSL_SUCCESS;
}
/*
Open and close the PKI module. These routines are called once in the
lifetime of the application and initialize and clean up the library
respectively.
*/
int32 matrixPkiOpen(void)
{
if (sslOpenOsdep() < 0) {
matrixStrDebugMsg("Osdep open failure\n", NULL);
return -1;
}
return 0;
}
/*
Implementation specific OID parser for suppported RSA algorithms
*/
int32 getAlgorithmIdentifier(unsigned char **pp, int32 len, int32 *oi,
int32 isPubKey)
{
unsigned char *p = *pp, *end;
int32 arcLen, llen;
end = p + len;
if (len < 1 || getSequence(&p, len, &llen) < 0) {
return -1;
}
if (end - p < 1) {
return -1;
}
if (*(p++) != ASN_OID || asnParseLength(&p, (int32)(end - p), &arcLen) < 0 ||
llen < arcLen) {
return -1;
}
/*
List of expected (currently supported) OIDs
algorithm summed length hex
sha1 88 05 2b0e03021a
md2 646 08 2a864886f70d0202
md5 649 08 2a864886f70d0205
rsaEncryption 645 09 2a864886f70d010101
md2WithRSAEncryption: 646 09 2a864886f70d010102
md5WithRSAEncryption 648 09 2a864886f70d010104
sha-1WithRSAEncryption 649 09 2a864886f70d010105
Yes, the summing isn't ideal (as can be seen with the duplicate 649),
but the specific implementation makes this ok.
*/
if (end - p < 2) {
return -1;
}
if (isPubKey && (*p != 0x2a) && (*(p + 1) != 0x86)) {
/*
Expecting DSA here if not RSA, but OID doesn't always match
*/
matrixStrDebugMsg("Unsupported algorithm identifier\n", NULL);
return -1;
}
*oi = 0;
while (arcLen-- > 0) {
*oi += (int32)*p++;
}
/*
Each of these cases might have a trailing NULL parameter. Skip it
*/
if (*p != ASN_NULL) {
*pp = p;
return 0;
}
if (end - p < 2) {
return -1;
}
*pp = p + 2;
return 0;
}
/*
Get an integer
*/
int32 getInteger(unsigned char **pp, int32 len, int32 *val)
{
unsigned char *p = *pp, *end;
uint32 ui;
int32 vlen;
end = p + len;
if (len < 1 || *(p++) != ASN_INTEGER ||
asnParseLength(&p, len - 1, &vlen) < 0) {
matrixStrDebugMsg("ASN getInteger failed\n", NULL);
return -1;
}
/*
This check prevents us from having a big positive integer where the
high bit is set because it will be encoded as 5 bytes (with leading
blank byte). If that is required, a getUnsigned routine should be used
*/
if (vlen > sizeof(int32) || end - p < vlen) {
matrixStrDebugMsg("ASN getInteger failed\n", NULL);
return -1;
}
ui = 0;
/*
If high bit is set, it's a negative integer, so perform the two's compliment
Otherwise do a standard big endian read (most likely case for RSA)
*/
if (*p & 0x80) {
while (vlen-- > 0) {
ui = (ui << 8) | (*p ^ 0xFF);
p++;
}
vlen = (int32)ui;
vlen++;
vlen = -vlen;
*val = vlen;
} else {
while (vlen-- > 0) {
ui = (ui << 8) | *p;
p++;
}
*val = (int32)ui;
}
*pp = p;
return 0;
}
/*
* Generates all key material.
*/
int32 sslDeriveKeys(ssl_t *ssl)
{
sslMd5Context_t md5Ctx;
sslSha1Context_t sha1Ctx;
unsigned char buf[SSL_MD5_HASH_SIZE + SSL_SHA1_HASH_SIZE];
unsigned char *tmp;
int32 i;
/*
If this session is resumed, we want to reuse the master secret to
regenerate the key block with the new random values.
*/
if (ssl->flags & SSL_FLAGS_RESUMED) {
goto skipPremaster;
}
/*
master_secret =
MD5(pre_master_secret + SHA('A' + pre_master_secret +
ClientHello.random + ServerHello.random)) +
MD5(pre_master_secret + SHA('BB' + pre_master_secret +
ClientHello.random + ServerHello.random)) +
MD5(pre_master_secret + SHA('CCC' + pre_master_secret +
ClientHello.random + ServerHello.random));
*/
tmp = ssl->sec.masterSecret;
for (i = 0; i < 3; i++) {
matrixSha1Init(&sha1Ctx);
matrixSha1Update(&sha1Ctx, salt[i], i + 1);
matrixSha1Update(&sha1Ctx, ssl->sec.premaster, ssl->sec.premasterSize);
matrixSha1Update(&sha1Ctx, ssl->sec.clientRandom, SSL_HS_RANDOM_SIZE);
matrixSha1Update(&sha1Ctx, ssl->sec.serverRandom, SSL_HS_RANDOM_SIZE);
matrixSha1Final(&sha1Ctx, buf);
matrixMd5Init(&md5Ctx);
matrixMd5Update(&md5Ctx, ssl->sec.premaster, ssl->sec.premasterSize);
matrixMd5Update(&md5Ctx, buf, SSL_SHA1_HASH_SIZE);
matrixMd5Final(&md5Ctx, tmp);
tmp += SSL_MD5_HASH_SIZE;
}
memset(buf, 0x0, SSL_MD5_HASH_SIZE + SSL_SHA1_HASH_SIZE);
/*
premaster is now allocated for DH reasons. Can free here
*/
psFree(ssl->sec.premaster);
ssl->sec.premaster = NULL;
ssl->sec.premasterSize = 0;
skipPremaster:
if (createKeyBlock(ssl, ssl->sec.clientRandom, ssl->sec.serverRandom,
ssl->sec.masterSecret, SSL_HS_MASTER_SIZE) < 0) {
matrixStrDebugMsg("Unable to create key block\n", NULL);
return -1;
}
return SSL_HS_MASTER_SIZE;
}
/*
Callback to extract a big int32 (stream of bytes) from the DER stream
*/
int32 getBig(psPool_t *pool, unsigned char **pp, int32 len, mp_int *big)
{
unsigned char *p = *pp;
int32 vlen;
if (len < 1 || *(p++) != ASN_INTEGER ||
asnParseLength(&p, len - 1, &vlen) < 0) {
matrixStrDebugMsg("ASN getBig failed\n", NULL);
return -1;
}
mp_init(pool, big);
if (mp_read_unsigned_bin(big, p, vlen) != 0) {
mp_clear(big);
matrixStrDebugMsg("ASN getBig failed\n", NULL);
return -1;
}
p += vlen;
*pp = p;
return 0;
}
/*
Open and close the SSL module. These routines are called once in the
lifetime of the application and initialize and clean up the library
respectively.
*/
int32 matrixSslOpen(void)
{
if (matrixPkiOpen() < 0) {
matrixStrDebugMsg("PKI open failure\n", NULL);
printf("open failed\n");
return -1;
}
#ifdef USE_SERVER_SIDE_SSL
memset(sessionTable, 0x0,
sizeof(sslSessionEntry_t) * SSL_SESSION_TABLE_SIZE);
sslCreateMutex(&sessionTableLock);
#endif /* USE_SERVER_SIDE_SSL */
return 0;
}
/*
On success, p will be updated to point to first character of value and
valLen will contain number of bytes in value
Return:
0 Success
< 0 Error
*/
int32 asnParseLength(unsigned char **p, int32 size, int32 *valLen)
{
unsigned char *c, *end;
int32 len, olen;
c = *p;
end = c + size;
if (end - c < 1) {
return -1;
}
/*
If the length byte has high bit only set, it's an indefinite length
We don't support this!
*/
if (*c == 0x80) {
*valLen = -1;
matrixStrDebugMsg("Unsupported: ASN indefinite length\n", NULL);
return -1;
}
/*
If the high bit is set, the lower 7 bits represent the number of
bytes that follow and represent length
If the high bit is not set, the lower 7 represent the actual length
*/
len = *c & 0x7F;
if (*(c++) & 0x80) {
/*
Make sure there aren't more than 4 bytes of length specifier,
and that we have that many bytes left in the buffer
*/
if (len > sizeof(int32) || len == 0x7f || (end - c) < len) {
return -1;
}
olen = 0;
while (len-- > 0) {
olen = (olen << 8) | *c;
c++;
}
if (olen < 0 || olen > INT_MAX) {
return -1;
}
len = olen;
}
*p = c;
*valLen = len;
return 0;
}
/*
Allows for semi-colon delimited list of certificates for cert chaining.
Also allows multiple certificiates in a single file.
HOWERVER, in both cases the first in the list must be the identifying
cert of the application. Each subsequent cert is the parent of the previous
*/
int32 readCertChain(psPool_t *pool, const char *certFiles,
sslLocalCert_t *lkeys)
{
sslLocalCert_t *currCert;
unsigned char *certBin, *tmp;
sslChainLen_t chain;
int32 certLen, i;
if (certFiles == NULL) {
return 0;
}
if (matrixX509ReadCert(pool, certFiles, &certBin, &certLen, &chain) < 0) {
matrixStrDebugMsg("Error reading cert file %s\n", (char*)certFiles);
return -1;
}
/*
The first cert is allocated in the keys struct. All others in
linked list are allocated here.
*/
i = 0;
tmp = certBin;
while (chain[i] != 0) {
if (i == 0) {
currCert = lkeys;
} else {
currCert->next = psMalloc(pool, sizeof(sslLocalCert_t));
if (currCert->next == NULL) {
psFree(tmp);
return -8; /* SSL_MEM_ERROR */
}
memset(currCert->next, 0x0, sizeof(sslLocalCert_t));
currCert = currCert->next;
}
currCert->certBin = psMalloc(pool, chain[i]);
memcpy(currCert->certBin, certBin, chain[i]);
currCert->certLen = chain[i];
certBin += chain[i]; certLen -= chain[i];
i++;
}
psFree(tmp);
sslAssert(certLen == 0);
return 0;
}
/*
Encrypt the message using the current cipher. This call is used in
conjunction with the writeRecordHeader function above to finish writing
an SSL record. Updates handshake hash if necessary, generates message
MAC, writes the padding, and does the encrytion.
*/
static int32 encryptRecord(ssl_t *ssl, int32 type, int32 messageSize, int32 padLen,
unsigned char *encryptStart, sslBuf_t *out,
unsigned char **c)
{
if (type == SSL_RECORD_TYPE_HANDSHAKE) {
sslUpdateHSHash(ssl, encryptStart, (int32)(*c - encryptStart));
}
*c += ssl->generateMac(ssl, type, encryptStart,
(int32)(*c - encryptStart), *c);
*c += sslWritePad(*c, padLen);
if (ssl->encrypt(&ssl->sec.encryptCtx, encryptStart, encryptStart,
(int32)(*c - encryptStart)) < 0 || *c - out->end != messageSize) {
matrixStrDebugMsg("Error encrypting message for write\n", NULL);
return SSL_ERROR;
}
return 0;
}
void matrixSslClose(void)
{
#ifdef USE_SERVER_SIDE_SSL
int32 i;
sslLockMutex(&sessionTableLock);
for (i = 0; i < SSL_SESSION_TABLE_SIZE; i++) {
if (sessionTable[i].inUse == 1) {
matrixStrDebugMsg("Warning: closing while session still in use\n",
NULL);
}
}
memset(sessionTable, 0x0,
sizeof(sslSessionEntry_t) * SSL_SESSION_TABLE_SIZE);
sslUnlockMutex(&sessionTableLock);
sslDestroyMutex(&sessionTableLock);
#endif /* USE_SERVER_SIDE_SSL */
matrixPkiClose();
}
/*
Pad a value to be encrypted by RSA, according to PKCS#1 v1.5
http://www.rsasecurity.com/rsalabs/pkcs/pkcs-1/
When encrypting a value with RSA, the value is first padded to be
equal to the public key size using the following method:
00 <id> <data> 00 <value to be encrypted>
- id denotes a public or private key operation
- if id is private, data is however many non-zero bytes it takes to pad the
value to the key length (randomLen = keyLen - 3 - valueLen).
- if id is public, data is FF for the same length as described above
- There must be at least 8 bytes of data.
*/
static int32 sslPadRSA(unsigned char *in, int32 inlen, unsigned char *out,
int32 outlen, int32 cryptType)
{
unsigned char *c;
int32 randomLen;
randomLen = outlen - 3 - inlen;
if (randomLen < 8) {
matrixIntDebugMsg("RSA encryption data too large: %d\n", inlen);
return -1;
}
c = out;
*c = 0x00;
c++;
*c = (unsigned char)cryptType;
c++;
if (cryptType == RSA_PUBLIC) {
while (randomLen-- > 0) {
*c++ = 0xFF;
}
} else {
if (sslGetEntropy(c, randomLen) < 0) {
matrixStrDebugMsg("Error gathering RSA pad entropy\n", NULL);
return -1;
}
/*
SECURITY: Read through the random data and change all 0x0 to 0x01.
This is per spec that no random bytes should be 0
*/
while (randomLen-- > 0) {
if (*c == 0x0) {
*c = 0x01;
}
c++;
}
}
*c = 0x00;
c++;
memcpy(c, in, inlen);
return outlen;
}
/*
Binary to struct helper for RSA public keys
*/
int32 matrixRsaParsePubKey(psPool_t *pool, unsigned char *keyBuf,
int32 keyBufLen, sslRsaKey_t **key)
{
/*
Now have the DER stream to extract from in asnp
*/
*key = psMalloc(pool, sizeof(sslRsaKey_t));
if (*key == NULL) {
return -8; /* SSL_MEM_ERROR */
}
memset(*key, 0x0, sizeof(sslRsaKey_t));
if (getPubKey(pool, &keyBuf, keyBufLen, *key) < 0) {
matrixRsaFreeKey(*key);
*key = NULL;
matrixStrDebugMsg("Unable to ASN parse public key\n", NULL);
return -1;
}
return 0;
}
/*
This function was written strictly for clarity in the PeerSec crypto API
product. It extracts only the public key from a certificate file for use
in the lower level encrypt/decrypt RSA routines
*/
int32 matrixX509ReadPubKey(psPool_t *pool, const char *certFile,
sslRsaKey_t **key)
{
unsigned char *certBuf;
sslChainLen_t chain;
int32 certBufLen;
certBuf = NULL;
if (matrixX509ReadCert(pool, certFile, &certBuf, &certBufLen, &chain) < 0) {
matrixStrDebugMsg("Unable to read certificate file %s\n",
(char*)certFile);
if (certBuf) psFree(certBuf);
return -1;
}
if (matrixX509ParsePubKey(pool, certBuf, certBufLen, key) < 0) {
psFree(certBuf);
return -1;
}
psFree(certBuf);
return 0;
}
/*
Server initiated rehandshake public API call.
*/
int32 matrixSslEncodeHelloRequest(ssl_t *ssl, sslBuf_t *out)
{
unsigned char *c, *end, *encryptStart;
char padLen;
int32 messageSize, rc;
if (ssl->flags & SSL_FLAGS_ERROR || ssl->flags & SSL_FLAGS_CLOSED) {
return SSL_ERROR;
}
if (!(ssl->flags & SSL_FLAGS_SERVER) || (ssl->hsState != SSL_HS_DONE)) {
return SSL_ERROR;
}
c = out->end;
end = out->buf + out->size;
messageSize =
ssl->recordHeadLen +
ssl->hshakeHeadLen;
if ((rc = writeRecordHeader(ssl, SSL_RECORD_TYPE_HANDSHAKE,
SSL_HS_HELLO_REQUEST, &messageSize, &padLen,
&encryptStart, &end, &c)) < 0) {
return rc;
}
if ((rc = encryptRecord(ssl, SSL_RECORD_TYPE_HANDSHAKE, messageSize,
padLen, encryptStart, out, &c)) < 0) {
return rc;
}
if (c - out->end != messageSize) {
matrixStrDebugMsg("Error generating hello request for write\n", NULL);
return SSL_ERROR;
}
out->end = c;
return SSL_SUCCESS;
}
/*
New SSL protocol context
This structure is associated with a single SSL connection. Each socket
using SSL should be associated with a new SSL context.
certBuf and privKey ARE NOT duplicated within the server context, in order
to minimize memory usage with multiple simultaneous requests. They must
not be deleted by caller until all server contexts using them are deleted.
*/
int32 matrixSslNewSession(ssl_t **ssl, sslKeys_t *keys, sslSessionId_t *session,
int32 flags)
{
psPool_t *pool = NULL;
ssl_t *lssl;
/*
First API level chance to make sure a user is not attempting to use
client or server support that was not built into this library compile
*/
#ifndef USE_SERVER_SIDE_SSL
if (flags & SSL_FLAGS_SERVER) {
matrixStrDebugMsg("MatrixSSL lib not compiled with server support\n",
NULL);
return -1;
}
#endif
#ifndef USE_CLIENT_SIDE_SSL
if (!(flags & SSL_FLAGS_SERVER)) {
matrixStrDebugMsg("MatrixSSL lib not compiled with client support\n",
NULL);
return -1;
}
#endif
if (flags & SSL_FLAGS_CLIENT_AUTH) {
matrixStrDebugMsg("MatrixSSL lib not compiled with client " \
"authentication support\n", NULL);
return -1;
}
if (flags & SSL_FLAGS_SERVER) {
if (keys == NULL) {
matrixStrDebugMsg("NULL keys in matrixSslNewSession\n", NULL);
return -1;
}
if (session != NULL) {
matrixStrDebugMsg("Server session must be NULL\n", NULL);
return -1;
}
}
*ssl = lssl = psMalloc(pool, sizeof(ssl_t));
if (lssl == NULL) {
return SSL_MEM_ERROR;
}
memset(lssl, 0x0, sizeof(ssl_t));
lssl->pool = pool;
lssl->cipher = sslGetCipherSpec(SSL_NULL_WITH_NULL_NULL);
sslActivateReadCipher(lssl);
sslActivateWriteCipher(lssl);
sslActivatePublicCipher(lssl);
lssl->recordHeadLen = SSL3_HEADER_LEN;
lssl->hshakeHeadLen = SSL3_HANDSHAKE_HEADER_LEN;
if (flags & SSL_FLAGS_SERVER) {
lssl->flags |= SSL_FLAGS_SERVER;
/*
Client auth can only be requested by server, not set by client
*/
if (flags & SSL_FLAGS_CLIENT_AUTH) {
lssl->flags |= SSL_FLAGS_CLIENT_AUTH;
}
lssl->hsState = SSL_HS_CLIENT_HELLO;
} else {
/*
Client is first to set protocol version information based on
compile and/or the 'flags' parameter so header information in
the handshake messages will be correctly set.
*/
lssl->majVer = SSL3_MAJ_VER;
lssl->minVer = SSL3_MIN_VER;
lssl->hsState = SSL_HS_SERVER_HELLO;
if (session != NULL && session->cipherId != SSL_NULL_WITH_NULL_NULL) {
lssl->cipher = sslGetCipherSpec(session->cipherId);
if (lssl->cipher == NULL) {
matrixStrDebugMsg("Invalid session id to matrixSslNewSession\n",
NULL);
} else {
memcpy(lssl->sec.masterSecret, session->masterSecret,
SSL_HS_MASTER_SIZE);
lssl->sessionIdLen = SSL_MAX_SESSION_ID_SIZE;
memcpy(lssl->sessionId, session->id, SSL_MAX_SESSION_ID_SIZE);
}
}
}
lssl->err = SSL_ALERT_NONE;
lssl->keys = keys;
return 0;
}
/*
Set a custom callback to receive the certificate being presented to the
session to perform custom authentication if needed
*/
void matrixSslSetCertValidator(ssl_t *ssl,
int32 (*certValidator)(sslCertInfo_t *t, void *arg), void *arg)
{
if (certValidator) {
ssl->sec.validateCert = certValidator;
ssl->sec.validateCertArg = arg;
}
}
#else /* Public API, so should always be linkable */
void matrixSslSetCertValidator(ssl_t *ssl,
int32 (*certValidator)(sslCertInfo_t *t, void *arg), void *arg)
{
matrixStrDebugMsg("matrixSslSetCertValidator is not available\n", NULL);
matrixStrDebugMsg("Library not built for cert validation support\n", NULL);
}
/*
Preferred version for commercial users who make use of memory pools.
This use of the sslKeys_t param implies this is for use in the MatrixSSL
product (input to matrixSslNewSession). However, we didn't want to
expose this API at the matrixSsl.h level due to the pool parameter. This
is strictly an API that commerical users will have access to.
*/
int32 matrixRsaParseKeysMem(psPool_t *pool, sslKeys_t **keys,
unsigned char *certBuf, int32 certLen, unsigned char *privBuf,
int32 privLen, unsigned char *trustedCABuf, int32 trustedCALen)
{
sslKeys_t *lkeys;
sslLocalCert_t *current, *next;
unsigned char *binPtr;
int32 len, lenOh, i;
#ifdef USE_CLIENT_SIDE_SSL
sslRsaCert_t *currentCA, *nextCA;
#endif /* USE_CLIENT_SIDE_SSL */
*keys = lkeys = psMalloc(pool, sizeof(sslKeys_t));
if (lkeys == NULL) {
return -8; /* SSL_MEM_ERROR */
}
memset(lkeys, 0x0, sizeof(sslKeys_t));
/*
The buffers are just the ASN.1 streams so the intermediate parse
that used to be here is gone. Doing a straight memcpy for this
and passing that along to X509ParseCert
*/
i = 0;
current = &lkeys->cert;
binPtr = certBuf;
/*
Need to check for a chain here. Only way to do this is to read off the
length id from the DER stream for each. The chain must be just a stream
of DER certs with the child-most cert always first.
*/
while (certLen > 0) {
if (getSequence(&certBuf, certLen, &len) < 0) {
matrixStrDebugMsg("Unable to parse length of cert stream\n", NULL);
matrixRsaFreeKeys(lkeys);
return -1;
}
/*
Account for the overhead of storing the length itself
*/
lenOh = (int32)(certBuf - binPtr);
len += lenOh;
certBuf -= lenOh;
/*
First cert is already malloced
*/
if (i > 0) {
next = psMalloc(pool, sizeof(sslLocalCert_t));
memset(next, 0x0, sizeof(sslLocalCert_t));
current->next = next;
current = next;
}
current->certBin = psMalloc(pool, len);
memcpy(current->certBin, certBuf, len);
current->certLen = len;
certLen -= len;
certBuf += len;
binPtr = certBuf;
i++;
}
/*
Parse private key
*/
if (privLen > 0) {
if (matrixRsaParsePrivKey(pool, privBuf, privLen,
&lkeys->cert.privKey) < 0) {
matrixStrDebugMsg("Error reading private key mem\n", NULL);
matrixRsaFreeKeys(lkeys);
return -1;
}
}
/*
Trusted CAs
*/
#ifdef USE_CLIENT_SIDE_SSL
if (trustedCABuf != NULL && trustedCALen > 0) {
i = 0;
binPtr = trustedCABuf;
currentCA = NULL;
/*
Need to check for list here. Only way to do this is to read off the
length id from the DER stream for each.
*/
while (trustedCALen > 0) {
if (getSequence(&trustedCABuf, trustedCALen, &len) < 0) {
matrixStrDebugMsg("Unable to parse length of CA stream\n",
NULL);
matrixRsaFreeKeys(lkeys);
return -1;
}
/*
Account for the overhead of storing the length itself
*/
lenOh = (int32)(trustedCABuf - binPtr);
len += lenOh;
trustedCABuf -= lenOh;
if (matrixX509ParseCert(pool, trustedCABuf, len, ¤tCA) < 0) {
matrixStrDebugMsg("Error parsing CA cert\n", NULL);
matrixRsaFreeKeys(lkeys);
return -1;
}
/*
First cert should be assigned to lkeys
*/
if (i == 0) {
lkeys->caCerts = currentCA;
nextCA = lkeys->caCerts;
} else {
nextCA->next = currentCA;
nextCA = currentCA;
}
currentCA = currentCA->next;
trustedCALen -= len;
trustedCABuf += len;
binPtr = trustedCABuf;
i++;
}
}
#endif /* USE_CLIENT_SIDE_SSL */
return 0;
}
/*
Parse an X509 ASN.1 certificate stream
http://www.faqs.org/rfcs/rfc2459.html section 4.1
*/
int32 matrixX509ParseCert(psPool_t *pool, unsigned char *pp, int32 size,
sslRsaCert_t **outcert)
{
sslRsaCert_t *cert;
sslMd5Context_t md5Ctx;
sslSha1Context_t sha1Ctx;
unsigned char *p, *end, *certStart, *certEnd;
int32 certLen, len, parsing;
#ifdef USE_MD2
sslMd2Context_t md2Ctx;
#endif /* USE_MD2 */
/*
Allocate the cert structure right away. User MUST always call
matrixX509FreeCert regardless of whether this function succeeds.
memset is important because the test for NULL is what is used
to determine what to free
*/
*outcert = cert = psMalloc(pool, sizeof(sslRsaCert_t));
if (cert == NULL) {
return -8; /* SSL_MEM_ERROR */
}
memset(cert, '\0', sizeof(sslRsaCert_t));
p = pp;
end = p + size;
/*
Certificate ::= SEQUENCE {
tbsCertificate TBSCertificate,
signatureAlgorithm AlgorithmIdentifier,
signatureValue BIT STRING }
*/
parsing = 1;
while (parsing) {
if (getSequence(&p, (int32)(end - p), &len) < 0) {
matrixStrDebugMsg("Initial cert parse error\n", NULL);
return -1;
}
certStart = p;
/*
TBSCertificate ::= SEQUENCE {
version [0] EXPLICIT Version DEFAULT v1,
serialNumber CertificateSerialNumber,
signature AlgorithmIdentifier,
issuer Name,
validity Validity,
subject Name,
subjectPublicKeyInfo SubjectPublicKeyInfo,
issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
-- If present, version shall be v2 or v3
subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
-- If present, version shall be v2 or v3
extensions [3] EXPLICIT Extensions OPTIONAL
-- If present, version shall be v3 }
*/
if (getSequence(&p, (int32)(end - p), &len) < 0) {
matrixStrDebugMsg("ASN sequence parse error\n", NULL);
return -1;
}
certEnd = p + len;
certLen = (int32)(certEnd - certStart);
/*
Version ::= INTEGER { v1(0), v2(1), v3(2) }
*/
if (getExplicitVersion(&p, (int32)(end - p), 0, &cert->version) < 0) {
matrixStrDebugMsg("ASN version parse error\n", NULL);
return -1;
}
if (cert->version != 2) {
matrixIntDebugMsg("Warning: non-v3 certificate version: %d\n",
cert->version);
}
/*
CertificateSerialNumber ::= INTEGER
*/
if (getSerialNum(pool, &p, (int32)(end - p), &cert->serialNumber,
&cert->serialNumberLen) < 0) {
matrixStrDebugMsg("ASN serial number parse error\n", NULL);
return -1;
}
/*
AlgorithmIdentifier ::= SEQUENCE {
algorithm OBJECT IDENTIFIER,
parameters ANY DEFINED BY algorithm OPTIONAL }
*/
if (getAlgorithmIdentifier(&p, (int32)(end - p),
&cert->certAlgorithm, 0) < 0) {
return -1;
}
/*
Name ::= CHOICE {
RDNSequence }
RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
RelativeDistinguishedName ::= SET OF AttributeTypeAndValue
AttributeTypeAndValue ::= SEQUENCE {
type AttributeType,
value AttributeValue }
AttributeType ::= OBJECT IDENTIFIER
AttributeValue ::= ANY DEFINED BY AttributeType
*/
if (getDNAttributes(pool, &p, (int32)(end - p), &cert->issuer) < 0) {
return -1;
}
/*
Validity ::= SEQUENCE {
notBefore Time,
notAfter Time }
*/
if (getValidity(pool, &p, (int32)(end - p), &cert->notBefore,
&cert->notAfter) < 0) {
return -1;
}
/*
Subject DN
*/
if (getDNAttributes(pool, &p, (int32)(end - p), &cert->subject) < 0) {
return -1;
}
/*
SubjectPublicKeyInfo ::= SEQUENCE {
algorithm AlgorithmIdentifier,
subjectPublicKey BIT STRING }
*/
if (getSequence(&p, (int32)(end - p), &len) < 0) {
return -1;
}
if (getAlgorithmIdentifier(&p, (int32)(end - p),
&cert->pubKeyAlgorithm, 1) < 0) {
return -1;
}
if (getPubKey(pool, &p, (int32)(end - p), &cert->publicKey) < 0) {
return -1;
}
/*
As the next three values are optional, we can do a specific test here
*/
if (*p != (ASN_SEQUENCE | ASN_CONSTRUCTED)) {
if (getImplicitBitString(pool, &p, (int32)(end - p), IMPLICIT_ISSUER_ID,
&cert->uniqueUserId, &cert->uniqueUserIdLen) < 0 ||
getImplicitBitString(pool, &p, (int32)(end - p), IMPLICIT_SUBJECT_ID,
&cert->uniqueSubjectId, &cert->uniqueSubjectIdLen) < 0 ||
getExplicitExtensions(pool, &p, (int32)(end - p), EXPLICIT_EXTENSION,
&cert->extensions) < 0) {
matrixStrDebugMsg("There was an error parsing a certificate\n", NULL);
matrixStrDebugMsg("extension. This is likely caused by an\n", NULL);
matrixStrDebugMsg("extension format that is not currently\n", NULL);
matrixStrDebugMsg("recognized. Please email [email protected]\n", NULL);
matrixStrDebugMsg("to add support for the extension.\n\n", NULL);
return -1;
}
}
/*
This is the end of the cert. Do a check here to be certain
*/
if (certEnd != p) {
return -1;
}
/*
Certificate signature info
*/
if (getAlgorithmIdentifier(&p, (int32)(end - p),
&cert->sigAlgorithm, 0) < 0) {
return -1;
}
/*
Signature algorithm must match that specified in TBS cert
*/
if (cert->certAlgorithm != cert->sigAlgorithm) {
matrixStrDebugMsg("Parse error: mismatched signature type\n", NULL);
return -1;
}
/*
Compute the hash of the cert here for CA validation
*/
if (cert->certAlgorithm == OID_RSA_MD5) {
matrixMd5Init(&md5Ctx);
matrixMd5Update(&md5Ctx, certStart, certLen);
matrixMd5Final(&md5Ctx, cert->sigHash);
} else if (cert->certAlgorithm == OID_RSA_SHA1) {
matrixSha1Init(&sha1Ctx);
matrixSha1Update(&sha1Ctx, certStart, certLen);
matrixSha1Final(&sha1Ctx, cert->sigHash);
}
#ifdef USE_MD2
else if (cert->certAlgorithm == OID_RSA_MD2) {
matrixMd2Init(&md2Ctx);
matrixMd2Update(&md2Ctx, certStart, certLen);
matrixMd2Final(&md2Ctx, cert->sigHash);
}
#endif /* USE_MD2 */
if (getSignature(pool, &p, (int32)(end - p), &cert->signature,
&cert->signatureLen) < 0) {
return -1;
}
/*
The ability to parse additional chained certs is a PKI product
feature addition. Chaining in MatrixSSL is handled internally.
*/
if (p != end) {
cert->next = psMalloc(pool, sizeof(sslRsaCert_t));
cert = cert->next;
memset(cert, '\0', sizeof(sslRsaCert_t));
} else {
parsing = 0;
}
}
return (int32)(p - pp);
}
/*
Write out the ServerHello message
*/
static int32 writeServerHello(ssl_t *ssl, sslBuf_t *out)
{
unsigned char *c, *end, *encryptStart;
char padLen;
int32 messageSize, rc;
time_t t;
c = out->end;
end = out->buf + out->size;
/*
Calculate the size of the message up front, and verify we have room
We assume there will be a sessionId in the message, and make adjustments
below if there is no sessionId.
*/
messageSize =
ssl->recordHeadLen +
ssl->hshakeHeadLen +
38 + SSL_MAX_SESSION_ID_SIZE;
/*
First 4 bytes of the serverRandom are the unix time to prevent replay
attacks, the rest are random
*/
t = time(0);
ssl->sec.serverRandom[0] = (unsigned char)((t & 0xFF000000) >> 24);
ssl->sec.serverRandom[1] = (unsigned char)((t & 0xFF0000) >> 16);
ssl->sec.serverRandom[2] = (unsigned char)((t & 0xFF00) >> 8);
ssl->sec.serverRandom[3] = (unsigned char)(t & 0xFF);
if (sslGetEntropy(ssl->sec.serverRandom + 4, SSL_HS_RANDOM_SIZE - 4) < 0) {
matrixStrDebugMsg("Error gathering serverRandom entropy\n", NULL);
return SSL_ERROR;
}
/*
We register session here because at this point the serverRandom value is
populated. If we are able to register the session, the sessionID and
sessionIdLen fields will be non-NULL, otherwise the session couldn't
be registered.
*/
if (!(ssl->flags & SSL_FLAGS_RESUMED)) {
matrixRegisterSession(ssl);
}
messageSize -= (SSL_MAX_SESSION_ID_SIZE - ssl->sessionIdLen);
if ((rc = writeRecordHeader(ssl, SSL_RECORD_TYPE_HANDSHAKE,
SSL_HS_SERVER_HELLO, &messageSize, &padLen, &encryptStart,
&end, &c)) < 0) {
return rc;
}
/*
First two fields in the ServerHello message are the major and minor
SSL protocol versions we agree to talk with
*/
*c = ssl->majVer; c++;
*c = ssl->minVer; c++;
/*
The next 32 bytes are the server's random value, to be combined with
the client random and premaster for key generation later
*/
memcpy(c, ssl->sec.serverRandom, SSL_HS_RANDOM_SIZE);
c += SSL_HS_RANDOM_SIZE;
/*
The next data is a single byte containing the session ID length,
and up to 32 bytes containing the session id.
First register the session, which will give us a session id and length
if not all session slots in the table are used
*/
*c = ssl->sessionIdLen; c++;
if (ssl->sessionIdLen > 0) {
memcpy(c, ssl->sessionId, ssl->sessionIdLen);
c += ssl->sessionIdLen;
}
/*
Two byte cipher suite we've chosen based on the list sent by the client
and what we support.
One byte compression method (always zero)
*/
*c = (ssl->cipher->id & 0xFF00) >> 8; c++;
*c = ssl->cipher->id & 0xFF; c++;
*c = 0; c++;
if ((rc = encryptRecord(ssl, SSL_RECORD_TYPE_HANDSHAKE, messageSize,
padLen, encryptStart, out, &c)) < 0) {
return rc;
}
/*
If we're resuming a session, we now have the clientRandom, master and
serverRandom, so we can derive keys which we'll be using shortly.
*/
if (ssl->flags & SSL_FLAGS_RESUMED) {
sslDeriveKeys(ssl);
}
/*
Verify that we've calculated the messageSize correctly, really this
should never fail; it's more of an implementation verification
*/
if (c - out->end != messageSize) {
return SSL_ERROR;
}
out->end = c;
return SSL_SUCCESS;
}
/*
Implementations of this specification MUST be prepared to receive
the following standard attribute types in issuer names:
country, organization, organizational-unit, distinguished name qualifier,
state or province name, and common name
*/
int32 getDNAttributes(psPool_t *pool, unsigned char **pp, int32 len,
DNattributes_t *attribs)
{
sslSha1Context_t hash;
unsigned char *p = *pp;
unsigned char *dnEnd, *dnStart;
int32 llen, setlen, arcLen, id, stringType;
char *stringOut;
dnStart = p;
if (getSequence(&p, len, &llen) < 0) {
return -1;
}
dnEnd = p + llen;
matrixSha1Init(&hash);
while (p < dnEnd) {
if (getSet(&p, (int32)(dnEnd - p), &setlen) < 0) {
return -1;
}
if (getSequence(&p, (int32)(dnEnd - p), &llen) < 0) {
return -1;
}
if (dnEnd <= p || (*(p++) != ASN_OID) ||
asnParseLength(&p, (int32)(dnEnd - p), &arcLen) < 0 ||
(dnEnd - p) < arcLen) {
return -1;
}
/*
id-at OBJECT IDENTIFIER ::= {joint-iso-ccitt(2) ds(5) 4}
id-at-commonName OBJECT IDENTIFIER ::= {id-at 3}
id-at-countryName OBJECT IDENTIFIER ::= {id-at 6}
id-at-localityName OBJECT IDENTIFIER ::= {id-at 7}
id-at-stateOrProvinceName OBJECT IDENTIFIER ::= {id-at 8}
id-at-organizationName OBJECT IDENTIFIER ::= {id-at 10}
id-at-organizationalUnitName OBJECT IDENTIFIER ::= {id-at 11}
*/
*pp = p;
/*
FUTURE: Currently skipping OIDs not of type {joint-iso-ccitt(2) ds(5) 4}
However, we could be dealing with an OID we MUST support per RFC.
domainComponent is one such example.
*/
if (dnEnd - p < 2) {
return -1;
}
if ((*p++ != 85) || (*p++ != 4) ) {
p = *pp;
/*
Move past the OID and string type, get data size, and skip it.
NOTE: Have had problems parsing older certs in this area.
*/
if (dnEnd - p < arcLen + 1) {
return -1;
}
p += arcLen + 1;
if (asnParseLength(&p, (int32)(dnEnd - p), &llen) < 0 ||
dnEnd - p < llen) {
return -1;
}
p = p + llen;
continue;
}
/*
Next are the id of the attribute type and the ASN string type
*/
if (arcLen != 3 || dnEnd - p < 2) {
return -1;
}
id = (int32)*p++;
/*
Done with OID parsing
*/
stringType = (int32)*p++;
asnParseLength(&p, (int32)(dnEnd - p), &llen);
if (dnEnd - p < llen) {
return -1;
}
switch (stringType) {
case ASN_PRINTABLESTRING:
case ASN_UTF8STRING:
case ASN_IA5STRING:
case ASN_T61STRING:
case ASN_BMPSTRING:
stringOut = psMalloc(pool, llen + 1);
if (stringOut == NULL) {
return -8; /* SSL_MEM_ERROR */
}
memcpy(stringOut, p, llen);
stringOut[llen] = '\0';
p = p + llen;
break;
default:
matrixStrDebugMsg("Parsing untested DN attrib type\n", NULL);
return -1;
}
switch (id) {
case ATTRIB_COUNTRY_NAME:
if (attribs->country) {
psFree(attribs->country);
}
attribs->country = stringOut;
break;
case ATTRIB_STATE_PROVINCE:
if (attribs->state) {
psFree(attribs->state);
}
attribs->state = stringOut;
break;
case ATTRIB_LOCALITY:
if (attribs->locality) {
psFree(attribs->locality);
}
attribs->locality = stringOut;
break;
case ATTRIB_ORGANIZATION:
if (attribs->organization) {
psFree(attribs->organization);
}
attribs->organization = stringOut;
break;
case ATTRIB_ORG_UNIT:
if (attribs->orgUnit) {
psFree(attribs->orgUnit);
}
attribs->orgUnit = stringOut;
break;
case ATTRIB_COMMON_NAME:
if (attribs->commonName) {
psFree(attribs->commonName);
}
attribs->commonName = stringOut;
break;
/*
Not a MUST support
*/
default:
psFree(stringOut);
stringOut = NULL;
break;
}
/*
Hash up the DN. Nice for validation later
*/
if (stringOut != NULL) {
matrixSha1Update(&hash, (unsigned char*)stringOut, llen);
}
}
matrixSha1Final(&hash, (unsigned char*)attribs->hash);
*pp = p;
return 0;
}
/*
* Public API to return a binary buffer from a cert. Suitable to send
* over the wire. Caller must free 'out' if this function returns success (0)
* Parse .pem files according to http://www.faqs.org/rfcs/rfc1421.html
*/
int32 matrixX509ReadCert(psPool_t *pool, const char *fileName,
unsigned char **out, int32 *outLen, sslChainLen_t *chain)
{
int32 certBufLen, rc, certChainLen, i;
unsigned char *oneCert[MAX_CHAIN_LENGTH];
unsigned char *certPtr, *tmp;
char *certFile, *start, *end, *certBuf;
const char sep[] = ";";
/*
Init chain array and output params
*/
for (i=0; i < MAX_CHAIN_LENGTH; i++) {
oneCert[i] = NULL;
(*chain)[i] = 0;
}
*outLen = certChainLen = i = 0;
rc = -1;
/*
For PKI product purposes, this routine now accepts a chain of certs.
*/
if (fileName != NULL) {
fileName += parseList(pool, fileName, sep, &certFile);
} else {
return 0;
}
while (certFile != NULL) {
if (i == MAX_CHAIN_LENGTH) {
matrixIntDebugMsg("Exceeded maximum cert chain length of %d\n",
MAX_CHAIN_LENGTH);
psFree(certFile);
rc = -1;
goto err;
}
if ((rc = psGetFileBin(pool, certFile, (unsigned char**)&certBuf,
&certBufLen)) < 0) {
matrixStrDebugMsg("Couldn't open file %s\n", certFile);
goto err;
}
psFree(certFile);
certPtr = (unsigned char*)certBuf;
start = end = certBuf;
while (certBufLen > 0) {
if (((start = strstr(certBuf, "-----BEGIN")) != NULL) &&
((start = strstr(certBuf, "CERTIFICATE-----")) != NULL) &&
(end = strstr(start, "-----END")) != NULL) {
start += strlen("CERTIFICATE-----");
(*chain)[i] = (int32)(end - start);
end += strlen("-----END CERTIFICATE-----");
while (*end == '\r' || *end == '\n' || *end == '\t' || *end == ' ') {
end++;
}
} else {
psFree(certPtr);
rc = -1;
goto err;
}
oneCert[i] = psMalloc(pool, (*chain)[i]);
certBufLen -= (int32)(end - certBuf);
certBuf = end;
memset(oneCert[i], '\0', (*chain)[i]);
if (ps_base64_decode((unsigned char*)start, (*chain)[i], oneCert[i],
&(*chain)[i]) != 0) {
psFree(certPtr);
matrixStrDebugMsg("Unable to base64 decode certificate\n", NULL);
rc = -1;
goto err;
}
certChainLen += (*chain)[i];
i++;
if (i == MAX_CHAIN_LENGTH) {
matrixIntDebugMsg("Exceeded maximum cert chain length of %d\n",
MAX_CHAIN_LENGTH);
psFree(certPtr);
rc = -1;
goto err;
}
}
psFree(certPtr);
/*
Check for more files
*/
fileName += parseList(pool, fileName, sep, &certFile);
}
*outLen = certChainLen;
/*
Don't bother stringing them together if only one was passed in
*/
if (i == 1) {
sslAssert(certChainLen == (*chain)[0]);
*out = oneCert[0];
return 0;
} else {
*out = tmp = psMalloc(pool, certChainLen);
for (i=0; i < MAX_CHAIN_LENGTH; i++) {
if (oneCert[i]) {
memcpy(tmp, oneCert[i], (*chain)[i]);
tmp += (*chain)[i];
}
}
rc = 0;
}
err:
for (i=0; i < MAX_CHAIN_LENGTH; i++) {
if (oneCert[i]) psFree(oneCert[i]);
}
return rc;
}
/*
Preferred version for commercial users who make use of memory pools.
This use of the sslKeys_t param implies this is for use in the MatrixSSL
product (input to matrixSslNewSession). However, we didn't want to
expose this API at the matrixSsl.h level due to the pool parameter. This
is strictly an API that commerical users will have access to
*/
int32 matrixRsaReadKeysEx(psPool_t *pool, sslKeys_t **keys,
const char *certFile, const char *privFile,
const char *privPass, const char *trustedCAFiles)
{
sslKeys_t *lkeys;
unsigned char *privKeyMem;
int32 rc, privKeyMemLen;
#ifdef USE_CLIENT_SIDE_SSL
sslRsaCert_t *currCert, *prevCert = NULL;
unsigned char *caCert, *caStream;
sslChainLen_t chain;
int32 caCertLen, first, i;
#endif /* USE_CLIENT_SIDE_SSL */
*keys = lkeys = psMalloc(pool, sizeof(sslKeys_t));
if (lkeys == NULL) {
return -8; /* SSL_MEM_ERROR */
}
memset(lkeys, 0x0, sizeof(sslKeys_t));
/*
Load certificate files. Any additional certificate files should chain
to the root CA held on the other side.
*/
rc = readCertChain(pool, certFile, &lkeys->cert);
if (rc < 0 ) {
matrixRsaFreeKeys(lkeys);
return rc;
}
/*
The first cert in certFile must be associated with the provided
private key.
*/
if (privFile) {
rc = matrixRsaReadPrivKey(pool, privFile, privPass, &privKeyMem,
&privKeyMemLen);
if (rc < 0) {
matrixStrDebugMsg("Error reading private key file: %s\n",
(char*)privFile);
matrixRsaFreeKeys(lkeys);
return rc;
}
rc = matrixRsaParsePrivKey(pool, privKeyMem, privKeyMemLen,
&lkeys->cert.privKey);
if (rc < 0) {
matrixStrDebugMsg("Error parsing private key file: %s\n",
(char*)privFile);
psFree(privKeyMem);
matrixRsaFreeKeys(lkeys);
return rc;
}
psFree(privKeyMem);
}
#ifdef USE_CLIENT_SIDE_SSL
/*
Now deal with Certificate Authorities
*/
if (trustedCAFiles != NULL) {
if (matrixX509ReadCert(pool, trustedCAFiles, &caCert, &caCertLen,
&chain) < 0 || caCert == NULL) {
matrixStrDebugMsg("Error reading CA cert files %s\n",
(char*)trustedCAFiles);
matrixRsaFreeKeys(lkeys);
return -1;
}
caStream = caCert;
i = first = 0;
while (chain[i] != 0) {
/*
Don't allow one bad cert to ruin the whole bunch if possible
*/
if (matrixX509ParseCert(pool, caStream, chain[i], &currCert) < 0) {
matrixX509FreeCert(currCert);
matrixStrDebugMsg("Error parsing CA cert %s\n",
(char*)trustedCAFiles);
caStream += chain[i]; caCertLen -= chain[i];
i++;
continue;
}
if (first == 0) {
lkeys->caCerts = currCert;
} else {
prevCert->next = currCert;
}
first++;
prevCert = currCert;
currCert = NULL;
caStream += chain[i]; caCertLen -= chain[i];
i++;
}
sslAssert(caCertLen == 0);
psFree(caCert);
}
/*
Check to see that if a set of CAs were passed in at least
one ended up being valid.
*/
if (trustedCAFiles != NULL && lkeys->caCerts == NULL) {
matrixStrDebugMsg("No valid CA certs in %s\n",
(char*)trustedCAFiles);
matrixRsaFreeKeys(lkeys);
return -1;
}
#endif /* USE_CLIENT_SIDE_SSL */
return 0;
}
static int32 matrixX509ValidateCertInternal(psPool_t *pool, sslRsaCert_t *subjectCert,
sslRsaCert_t *issuerCert, int32 chain)
{
sslRsaCert_t *ic;
unsigned char sigOut[10 + SSL_SHA1_HASH_SIZE + 5]; /* See below */
int32 sigLen;
subjectCert->valid = -1;
/*
Supporting a one level chain or a self-signed cert. If the issuer
is NULL, the self-signed test is done.
*/
if (issuerCert == NULL) {
matrixStrDebugMsg("Warning: No CA to validate cert with\n", NULL);
matrixStrDebugMsg("\tPerforming self-signed CA test\n", NULL);
ic = subjectCert;
} else {
ic = issuerCert;
}
/*
Path confirmation. If this is a chain verification, do not allow
any holes in the path. Error out if issuer does not have CA permissions
or if hashes do not match anywhere along the way.
*/
while (ic) {
if (subjectCert != ic) {
/*
Certificate authority contraint32 only available in version 3 certs
*/
if ((ic->version > 1) && (ic->extensions.bc.ca <= 0)) {
if (chain) {
return -1;
}
ic = ic->next;
continue;
}
/*
Use sha1 hash of issuer fields computed at parse time to compare
*/
if (memcmp(subjectCert->issuer.hash, ic->subject.hash,
SSL_SHA1_HASH_SIZE) != 0) {
if (chain) {
return -1;
}
ic = ic->next;
continue;
}
}
/*
Signature confirmation
The sigLen is the ASN.1 size in bytes for encoding the hash.
The magic 10 is comprised of the SEQUENCE and ALGORITHM ID overhead.
The magic 8 and 5 are the OID lengths of the corresponding algorithm.
NOTE: if sigLen is modified, above sigOut static size must be changed
*/
if (subjectCert->sigAlgorithm == OID_RSA_MD5 ||
subjectCert->sigAlgorithm == OID_RSA_MD2) {
sigLen = 10 + SSL_MD5_HASH_SIZE + 8; /* See above */
} else if (subjectCert->sigAlgorithm == OID_RSA_SHA1) {
sigLen = 10 + SSL_SHA1_HASH_SIZE + 5; /* See above */
} else {
matrixStrDebugMsg("Unsupported signature algorithm\n", NULL);
return -1;
}
sslAssert(sigLen <= sizeof(sigOut));
matrixRsaDecryptPub(pool, &(ic->publicKey), subjectCert->signature,
subjectCert->signatureLen, sigOut, sigLen);
/*
If this is a chain test, fail on any gaps in the chain
*/
if (psAsnConfirmSignature(subjectCert->sigHash, sigOut, sigLen) < 0) {
if (chain) {
return -1;
}
ic = ic->next;
continue;
}
/*
Fall through to here only if passed signature check.
*/
subjectCert->valid = 1;
break;
}
return 0;
}
/*
X509v3 extensions
*/
static int32 getExplicitExtensions(psPool_t *pool, unsigned char **pp,
int32 inlen, int32 expVal,
v3extensions_t *extensions)
{
unsigned char *p = *pp, *end;
unsigned char *extEnd, *extStart;
int32 len, noid, tmpLen, critical, fullExtLen;
unsigned char oid[SSL_MD5_HASH_SIZE];
sslMd5Context_t md5ctx;
end = p + inlen;
if (inlen < 1) {
return -1;
}
/*
Not treating this as an error because it is optional.
*/
if (*p != (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | expVal)) {
return 0;
}
p++;
if (asnParseLength(&p, (int32)(end - p), &len) < 0 || (end - p) < len) {
return -1;
}
/*
Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
Extension ::= SEQUENCE {
extnID OBJECT IDENTIFIER,
extnValue OCTET STRING }
*/
if (getSequence(&p, (int32)(end - p), &len) < 0) {
return -1;
}
extEnd = p + len;
while ((p != extEnd) && *p == (ASN_SEQUENCE | ASN_CONSTRUCTED)) {
if (getSequence(&p, (int32)(extEnd - p), &fullExtLen) < 0) {
return -1;
}
extStart = p;
/*
Conforming CAs MUST support key identifiers, basic constraints,
key usage, and certificate policies extensions
id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 35 }
id-ce-basicConstraints OBJECT IDENTIFIER ::= { id-ce 19 } 133
id-ce-keyUsage OBJECT IDENTIFIER ::= { id-ce 15 }
id-ce-certificatePolicies OBJECT IDENTIFIER ::= { id-ce 32 }
id-ce-subjectAltName OBJECT IDENTIFIER ::= { id-ce 17 } 131
*/
if (extEnd - p < 1 || *p++ != ASN_OID) {
return -1;
}
if (asnParseLength(&p, (int32)(extEnd - p), &len) < 0 ||
(extEnd - p) < len) {
return -1;
}
/*
Send the OID through a digest to get the unique id
*/
matrixMd5Init(&md5ctx);
while (len-- > 0) {
matrixMd5Update(&md5ctx, p, sizeof(char));
p++;
}
matrixMd5Final(&md5ctx, oid);
noid = lookupExt(oid);
/*
Possible boolean value here for 'critical' id. It's a failure if a
critical extension is found that is not supported
*/
critical = 0;
if (*p == ASN_BOOLEAN) {
p++;
if (*p++ != 1) {
matrixStrDebugMsg("Error parsing cert extension\n", NULL);
return -1;
}
if (*p++ > 0) {
critical = 1;
}
}
if (extEnd - p < 1 || (*p++ != ASN_OCTET_STRING) ||
asnParseLength(&p, (int32)(extEnd - p), &len) < 0 ||
extEnd - p < len) {
matrixStrDebugMsg("Expecting OCTET STRING in ext parse\n", NULL);
return -1;
}
switch (noid) {
/*
BasicConstraints ::= SEQUENCE {
cA BOOLEAN DEFAULT FALSE,
pathLenConstraint INTEGER (0..MAX) OPTIONAL }
*/
case EXT_BASIC_CONSTRAINTS:
if (getSequence(&p, (int32)(extEnd - p), &len) < 0) {
return -1;
}
/*
"This goes against PKIX guidelines but some CAs do it and some
software requires this to avoid interpreting an end user
certificate as a CA."
- OpenSSL certificate configuration doc
basicConstraints=CA:FALSE
*/
if (len == 0) {
break;
}
if (extEnd - p < 3) {
return -1;
}
if (*p++ != ASN_BOOLEAN) {
return -1;
}
if (*p++ != 1) {
return -1;
}
extensions->bc.ca = *p++;
/*
Now need to check if there is a path constraint. Only makes
sense if cA is true. If it's missing, there is no limit to
the cert path
*/
if (*p == ASN_INTEGER) {
if (getInteger(&p, (int32)(extEnd - p),
&(extensions->bc.pathLenConstraint)) < 0) {
return -1;
}
} else {
extensions->bc.pathLenConstraint = -1;
}
break;
case EXT_ALT_SUBJECT_NAME:
if (getSequence(&p, (int32)(extEnd - p), &len) < 0) {
return -1;
}
/*
Looking only for DNS, URI, and email here to support
FQDN for Web clients
FUTURE: Support all subject alt name members
GeneralName ::= CHOICE {
otherName [0] OtherName,
rfc822Name [1] IA5String,
dNSName [2] IA5String,
x400Address [3] ORAddress,
directoryName [4] Name,
ediPartyName [5] EDIPartyName,
uniformResourceIdentifier [6] IA5String,
iPAddress [7] OCTET STRING,
registeredID [8] OBJECT IDENTIFIER }
*/
while (len > 0) {
if (*p == (ASN_CONTEXT_SPECIFIC | ASN_PRIMITIVE | 2)) {
p++;
tmpLen = *p++;
if (extEnd - p < tmpLen) {
return -1;
}
extensions->san.dns = psMalloc(pool, tmpLen + 1);
if (extensions->san.dns == NULL) {
return -8; /* SSL_MEM_ERROR */
}
memset(extensions->san.dns, 0x0, tmpLen + 1);
memcpy(extensions->san.dns, p, tmpLen);
} else if (*p == (ASN_CONTEXT_SPECIFIC | ASN_PRIMITIVE | 6)) {
p++;
tmpLen = *p++;
if (extEnd - p < tmpLen) {
return -1;
}
extensions->san.uri = psMalloc(pool, tmpLen + 1);
if (extensions->san.uri == NULL) {
return -8; /* SSL_MEM_ERROR */
}
memset(extensions->san.uri, 0x0, tmpLen + 1);
memcpy(extensions->san.uri, p, tmpLen);
} else if (*p == (ASN_CONTEXT_SPECIFIC | ASN_PRIMITIVE | 1)) {
p++;
tmpLen = *p++;
if (extEnd - p < tmpLen) {
return -1;
}
extensions->san.email = psMalloc(pool, tmpLen + 1);
if (extensions->san.email == NULL) {
return -8; /* SSL_MEM_ERROR */
}
memset(extensions->san.email, 0x0, tmpLen + 1);
memcpy(extensions->san.email, p, tmpLen);
} else {
matrixStrDebugMsg("Unsupported subjectAltName type.n",
NULL);
p++;
tmpLen = *p++;
if (extEnd - p < tmpLen) {
return -1;
}
}
p = p + tmpLen;
len -= tmpLen + 2; /* the magic 2 is the type and length */
}
break;
#ifdef USE_FULL_CERT_PARSE
case EXT_AUTH_KEY_ID:
/*
AuthorityKeyIdentifier ::= SEQUENCE {
keyIdentifier [0] KeyIdentifier OPTIONAL,
authorityCertIssuer [1] GeneralNames OPTIONAL,
authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL }
KeyIdentifier ::= OCTET STRING
*/
if (getSequence(&p, (int32)(extEnd - p), &len) < 0) {
return -1;
}
/*
Have seen a cert that has a zero length ext here. Let it pass.
*/
if (len == 0) {
break;
}
/*
All memebers are optional
*/
if (*p == (ASN_CONTEXT_SPECIFIC | ASN_PRIMITIVE | 0)) {
p++;
if (asnParseLength(&p, (int32)(extEnd - p),
&extensions->ak.keyLen) < 0 ||
extEnd - p < extensions->ak.keyLen) {
return -1;
}
extensions->ak.keyId = psMalloc(pool, extensions->ak.keyLen);
if (extensions->ak.keyId == NULL) {
return -8; /* SSL_MEM_ERROR */
}
memcpy(extensions->ak.keyId, p, extensions->ak.keyLen);
p = p + extensions->ak.keyLen;
}
if (*p == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | 1)) {
p++;
if (asnParseLength(&p, (int32)(extEnd - p), &len) < 0 ||
len < 1 || extEnd - p < len) {
return -1;
}
if ((*p ^ ASN_CONTEXT_SPECIFIC ^ ASN_CONSTRUCTED) != 4) {
/*
FUTURE: support other name types
We are just dealing with DN formats here
*/
matrixIntDebugMsg("Error auth key-id name type: %d\n",
*p ^ ASN_CONTEXT_SPECIFIC ^ ASN_CONSTRUCTED);
return -1;
}
p++;
if (asnParseLength(&p, (int32)(extEnd - p), &len) < 0 ||
extEnd - p < len) {
return -1;
}
if (getDNAttributes(pool, &p, (int32)(extEnd - p),
&(extensions->ak.attribs)) < 0) {
return -1;
}
}
if ((*p == (ASN_CONTEXT_SPECIFIC | ASN_PRIMITIVE | 2)) ||
(*p == ASN_INTEGER)){
/*
Treat as a serial number (not a native INTEGER)
*/
if (getSerialNum(pool, &p, (int32)(extEnd - p),
&(extensions->ak.serialNum), &len) < 0) {
return -1;
}
extensions->ak.serialNumLen = len;
}
break;
case EXT_KEY_USAGE:
/*
KeyUsage ::= BIT STRING {
digitalSignature (0),
nonRepudiation (1),
keyEncipherment (2),
dataEncipherment (3),
keyAgreement (4),
keyCertSign (5),
cRLSign (6),
encipherOnly (7),
decipherOnly (8) }
*/
if (*p++ != ASN_BIT_STRING) {
return -1;
}
if (asnParseLength(&p, (int32)(extEnd - p), &len) < 0 ||
extEnd - p < len) {
return -1;
}
if (len != 2) {
return -1;
}
/*
Assure all unused bits are 0 and store away
*/
extensions->keyUsage = (*(p + 1)) & ~((1 << *p) -1);
p = p + len;
break;
case EXT_SUBJ_KEY_ID:
/*
The value of the subject key identifier MUST be the value
placed in the key identifier field of the Auth Key Identifier
extension of certificates issued by the subject of
this certificate.
*/
if (*p++ != ASN_OCTET_STRING || asnParseLength(&p,
(int32)(extEnd - p), &(extensions->sk.len)) < 0 ||
extEnd - p < extensions->sk.len) {
return -1;
}
extensions->sk.id = psMalloc(pool, extensions->sk.len);
if (extensions->sk.id == NULL) {
return -8; /* SSL_MEM_ERROR */
}
memcpy(extensions->sk.id, p, extensions->sk.len);
p = p + extensions->sk.len;
break;
#endif /* USE_FULL_CERT_PARSE */
/*
Unsupported or skipping because USE_FULL_CERT_PARSE is undefined
*/
default:
if (critical) {
/*
SPEC DIFFERENCE: Ignoring an unrecognized critical
extension. The specification dictates an error should
occur, but real-world experience has shown this is not
a realistic or desirable action. Also, no other SSL
implementations have been found to error in this case.
It is NOT a security risk in an RSA authenticaion sense.
*/
matrixStrDebugMsg("Unknown critical ext encountered\n",
NULL);
}
p++;
/*
Skip over based on the length reported from the ASN_SEQUENCE
surrounding the entire extension. It is not a guarantee that
the value of the extension itself will contain it's own length.
*/
p = p + (fullExtLen - (p - extStart));
break;
}
}
*pp = p;
return 0;
}
/*
Server initiated rehandshake public API call.
*/
int32 matrixSslEncodeHelloRequest(ssl_t *ssl, sslBuf_t *out)
{
unsigned char *c, *end, *encryptStart;
char padLen;
int32 messageSize, rc;
if (ssl->flags & SSL_FLAGS_ERROR || ssl->flags & SSL_FLAGS_CLOSED) {
return SSL_ERROR;
}
if (!(ssl->flags & SSL_FLAGS_SERVER) || (ssl->hsState != SSL_HS_DONE)) {
return SSL_ERROR;
}
c = out->end;
end = out->buf + out->size;
messageSize =
ssl->recordHeadLen +
ssl->hshakeHeadLen;
if ((rc = writeRecordHeader(ssl, SSL_RECORD_TYPE_HANDSHAKE,
SSL_HS_HELLO_REQUEST, &messageSize, &padLen,
&encryptStart, &end, &c)) < 0) {
return rc;
}
if ((rc = encryptRecord(ssl, SSL_RECORD_TYPE_HANDSHAKE, messageSize,
padLen, encryptStart, out, &c)) < 0) {
return rc;
}
if (c - out->end != messageSize) {
matrixStrDebugMsg("Error generating hello request for write\n", NULL);
return SSL_ERROR;
}
out->end = c;
return SSL_SUCCESS;
}
#else /* USE_SERVER_SIDE_SSL */
int32 matrixSslEncodeHelloRequest(ssl_t *ssl, sslBuf_t *out)
{
matrixStrDebugMsg("Library not built with USE_SERVER_SIDE_SSL\n", NULL);
return -1;
}
