int exchangeServerKeys( INOUT SESSION_INFO *sessionInfoPtr, INOUT SSL_HANDSHAKE_INFO *handshakeInfo ) { STREAM *stream = &handshakeInfo->stream; int length, status; assert( isWritePtr( sessionInfoPtr, sizeof( SESSION_INFO ) ) ); assert( isWritePtr( handshakeInfo, sizeof( SSL_HANDSHAKE_INFO ) ) ); /* Read the response from the client and, if we're expecting a client certificate, make sure that it's present */ status = readHSPacketSSL( sessionInfoPtr, handshakeInfo, &length, SSL_MSG_HANDSHAKE ); if( cryptStatusError( status ) ) return( status ); sMemConnect( stream, sessionInfoPtr->receiveBuffer, length ); if( clientCertAuthRequired( sessionInfoPtr ) ) { /* Read the client certificate chain and make sure that the certificate being presented is valid for access */ status = readCheckClientCerts( sessionInfoPtr, handshakeInfo, stream ); if( cryptStatusError( status ) ) { sMemDisconnect( stream ); return( status ); } /* Read the next packet(s) if necessary */ status = refreshHSStream( sessionInfoPtr, handshakeInfo ); if( cryptStatusError( status ) ) return( status ); } /* Process the client key exchange packet: byte ID = SSL_HAND_CLIENT_KEYEXCHANGE uint24 len DH: uint16 yLen byte[] y ECDH: uint16 ecPointLen byte[] ecPoint PSK: uint16 userIDLen byte[] userID RSA: [ uint16 encKeyLen -- TLS 1.x ] byte[] rsaPKCS1( byte[2] { 0x03, 0x0n } || byte[46] random ) */ status = checkHSPacketHeader( sessionInfoPtr, stream, &length, SSL_HAND_CLIENT_KEYEXCHANGE, UINT16_SIZE + 1 ); if( cryptStatusError( status ) ) { sMemDisconnect( stream ); return( status ); } if( isKeyxAlgo( handshakeInfo->keyexAlgo ) ) { KEYAGREE_PARAMS keyAgreeParams; const BOOLEAN isECC = isEccAlgo( handshakeInfo->keyexAlgo ); memset( &keyAgreeParams, 0, sizeof( KEYAGREE_PARAMS ) ); if( isECC ) { status = readEcdhValue( stream, keyAgreeParams.publicValue, CRYPT_MAX_PKCSIZE, &keyAgreeParams.publicValueLen ); } else { status = readInteger16UChecked( stream, keyAgreeParams.publicValue, &keyAgreeParams.publicValueLen, MIN_PKCSIZE, CRYPT_MAX_PKCSIZE ); } if( cryptStatusError( status ) ) { sMemDisconnect( stream ); /* Some misconfigured clients may use very short keys, we perform a special-case check for these and return a more specific message than the generic bad-data error */ if( status == CRYPT_ERROR_NOSECURE ) { retExt( CRYPT_ERROR_NOSECURE, ( CRYPT_ERROR_NOSECURE, SESSION_ERRINFO, "Insecure key used in key exchange" ) ); } retExt( CRYPT_ERROR_BADDATA, ( CRYPT_ERROR_BADDATA, SESSION_ERRINFO, "Invalid DH/ECDH phase 2 key agreement data" ) ); } /* Perform phase 2 of the DH/ECDH key agreement */ status = krnlSendMessage( handshakeInfo->dhContext, IMESSAGE_CTX_DECRYPT, &keyAgreeParams, sizeof( KEYAGREE_PARAMS ) ); if( cryptStatusError( status ) ) { zeroise( &keyAgreeParams, sizeof( KEYAGREE_PARAMS ) ); sMemDisconnect( stream ); retExt( status, ( status, SESSION_ERRINFO, "Invalid DH/ECDH phase 2 key agreement value" ) ); } if( isECC ) { const int xCoordLen = ( keyAgreeParams.wrappedKeyLen - 1 ) / 2; /* The output of the ECDH operation is an ECC point, but for some unknown reason TLS only uses the x coordinate and not the full point. To work around this we have to rewrite the point as a standalone x coordinate, which is relatively easy because we're using an "uncompressed" point format: +---+---------------+---------------+ |04 | qx | qy | +---+---------------+---------------+ |<- fldSize --> |<- fldSize --> | */ REQUIRES( keyAgreeParams.wrappedKeyLen >= MIN_PKCSIZE_ECCPOINT && \ keyAgreeParams.wrappedKeyLen <= MAX_PKCSIZE_ECCPOINT && \ ( keyAgreeParams.wrappedKeyLen & 1 ) == 1 && \ keyAgreeParams.wrappedKey[ 0 ] == 0x04 ); memmove( keyAgreeParams.wrappedKey, keyAgreeParams.wrappedKey + 1, xCoordLen ); keyAgreeParams.wrappedKeyLen = xCoordLen; } ENSURES( rangeCheckZ( 0, keyAgreeParams.wrappedKeyLen, CRYPT_MAX_PKCSIZE + CRYPT_MAX_TEXTSIZE ) ); memcpy( handshakeInfo->premasterSecret, keyAgreeParams.wrappedKey, keyAgreeParams.wrappedKeyLen ); handshakeInfo->premasterSecretSize = keyAgreeParams.wrappedKeyLen; zeroise( &keyAgreeParams, sizeof( KEYAGREE_PARAMS ) ); } else { if( handshakeInfo->authAlgo == CRYPT_ALGO_NONE ) { const ATTRIBUTE_LIST *attributeListPtr; BYTE userID[ CRYPT_MAX_TEXTSIZE + 8 ]; /* Read the client user ID and make sure that it's a valid user. Handling non-valid users is somewhat problematic, we can either bail out immediately or invent a fake password for the (non-)user and continue with that. The problem with this is that it doesn't really help hide whether the user is valid or not due to the fact that we're still vulnerable to a timing attack because it takes considerably longer to generate the random password than it does to read a fixed password string from memory, so an attacker can tell from the timing whether the username is valid or not. In addition usability research on real-world users indicates that this actually reduces security while having little to no tangible benefit. Because of this we don't try and fake out the valid/invalid user name indication but just exit immediately if an invalid name is found */ length = readUint16( stream ); if( length < 1 || length > CRYPT_MAX_TEXTSIZE || \ cryptStatusError( sread( stream, userID, length ) ) ) { sMemDisconnect( stream ); retExt( CRYPT_ERROR_BADDATA, ( CRYPT_ERROR_BADDATA, SESSION_ERRINFO, "Invalid client user ID" ) ); } attributeListPtr = \ findSessionInfoEx( sessionInfoPtr->attributeList, CRYPT_SESSINFO_USERNAME, userID, length ); if( attributeListPtr == NULL ) { sMemDisconnect( stream ); retExt( CRYPT_ERROR_WRONGKEY, ( CRYPT_ERROR_WRONGKEY, SESSION_ERRINFO, "Unknown user name '%s'", sanitiseString( userID, CRYPT_MAX_TEXTSIZE, length ) ) ); } /* Select the attribute with the user ID and move on to the associated password */ sessionInfoPtr->attributeListCurrent = \ ( ATTRIBUTE_LIST * ) attributeListPtr; attributeListPtr = attributeListPtr->next; ENSURES( attributeListPtr != NULL && \ attributeListPtr->attributeID == CRYPT_SESSINFO_PASSWORD ); /* Create the shared premaster secret from the user password */ status = createSharedPremasterSecret( \ handshakeInfo->premasterSecret, CRYPT_MAX_PKCSIZE + CRYPT_MAX_TEXTSIZE, &handshakeInfo->premasterSecretSize, attributeListPtr->value, attributeListPtr->valueLength, ( attributeListPtr->flags & ATTR_FLAG_ENCODEDVALUE ) ? \ TRUE : FALSE ); if( cryptStatusError( status ) ) { sMemDisconnect( stream ); retExt( status, ( status, SESSION_ERRINFO, "Couldn't create master secret from shared " "secret/password value" ) ); } } else { BYTE wrappedKey[ CRYPT_MAX_PKCSIZE + 8 ]; if( sessionInfoPtr->version <= SSL_MINOR_VERSION_SSL ) { /* The original Netscape SSL implementation didn't provide a length for the encrypted key and everyone copied that so it became the de facto standard way to do it (sic faciunt omnes. The spec itself is ambiguous on the topic). This was fixed in TLS (although the spec is still ambigous) so the encoding differs slightly between SSL and TLS. To work around this we have to duplicate a certain amount of the integer-read code here */ if( isShortPKCKey( length ) ) status = CRYPT_ERROR_NOSECURE; else { if( length < MIN_PKCSIZE || length > CRYPT_MAX_PKCSIZE || \ cryptStatusError( sread( stream, wrappedKey, length ) ) ) status = CRYPT_ERROR_BADDATA; } } else { status = readInteger16UChecked( stream, wrappedKey, &length, MIN_PKCSIZE, CRYPT_MAX_PKCSIZE ); } if( cryptStatusError( status ) ) { sMemDisconnect( stream ); /* Some misconfigured clients may use very short keys, we perform a special-case check for these and return a more specific message than the generic bad-data */ if( status == CRYPT_ERROR_NOSECURE ) { retExt( CRYPT_ERROR_NOSECURE, ( CRYPT_ERROR_NOSECURE, SESSION_ERRINFO, "Insecure key used in key exchange" ) ); } retExt( CRYPT_ERROR_BADDATA, ( CRYPT_ERROR_BADDATA, SESSION_ERRINFO, "Invalid RSA encrypted key data" ) ); } /* Decrypt the pre-master secret */ status = unwrapPremasterSecret( sessionInfoPtr, handshakeInfo, wrappedKey, length ); if( cryptStatusError( status ) ) { sMemDisconnect( stream ); return( status ); } } } /* If we're expecting a client certificate, process the client certificate verify */ if( clientCertAuthRequired( sessionInfoPtr ) ) { const BOOLEAN isECC = isEccAlgo( handshakeInfo->keyexAlgo ); /* Since the client certificate-verify message requires the hash of all handshake packets up to this point, we have to interrupt the processing to calculate the hash before we continue */ status = createCertVerifyHash( sessionInfoPtr, handshakeInfo ); if( cryptStatusError( status ) ) return( status ); /* Read the next packet(s) if necessary */ status = refreshHSStream( sessionInfoPtr, handshakeInfo ); if( cryptStatusError( status ) ) return( status ); /* Process the client certificate verify packet: byte ID = SSL_HAND_CLIENT_CERTVERIFY uint24 len byte[] signature */ status = checkHSPacketHeader( sessionInfoPtr, stream, &length, SSL_HAND_CLIENT_CERTVERIFY, isECC ? MIN_PKCSIZE_ECCPOINT : \ MIN_PKCSIZE ); if( cryptStatusOK( status ) ) status = checkCertVerify( sessionInfoPtr, handshakeInfo, stream, length ); if( cryptStatusError( status ) ) { sMemDisconnect( stream ); return( status ); } } sMemDisconnect( stream ); return( CRYPT_OK ); }
static int addStandardExtensions( INOUT CERT_INFO *certInfoPtr ) { BOOLEAN isCA = FALSE; int keyUsage, extKeyUsage, value, status; assert( isWritePtr( certInfoPtr, sizeof( CERT_INFO ) ) ); /* Get the implicit keyUsage flags (based on any extended key usage extensions present) and explicit key usage flags, which we use to extend the basic keyUsage flags if required */ status = getKeyUsageFromExtKeyUsage( certInfoPtr, &extKeyUsage, &certInfoPtr->errorLocus, &certInfoPtr->errorType ); if( cryptStatusError( status ) ) return( status ); status = getAttributeFieldValue( certInfoPtr->attributes, CRYPT_CERTINFO_KEYUSAGE, CRYPT_ATTRIBUTE_NONE, &keyUsage ); if( cryptStatusError( status ) ) { if( status != CRYPT_ERROR_NOTFOUND ) return( status ); /* There's no keyUsage attribute present, mark the value as being not set so that we explicitly set it later */ keyUsage = CRYPT_ERROR; } /* If there's an explicit key usage present, make sure that it's consistent with the implicit key usage flags derived from the extended key usage. We mask out the nonRepudiation bit for reasons given in chk_cert.c. This check is also performed by checkCert(), however we need to explicitly perform it here as well since we need to add a key usage to match the extKeyUsage before calling checkCert() if one wasn't explicitly set or checkCert() will reject the certificate because of the inconsistent keyUsage */ if( keyUsage > 0 ) { const int effectiveKeyUsage = \ extKeyUsage & ~CRYPT_KEYUSAGE_NONREPUDIATION; if( ( keyUsage & effectiveKeyUsage ) != effectiveKeyUsage ) { setErrorInfo( certInfoPtr, CRYPT_CERTINFO_KEYUSAGE, CRYPT_ERRTYPE_CONSTRAINT ); return( CRYPT_ERROR_INVALID ); } } /* Check whether this is a CA certificate. If there's no basicConstraints attribute present, add one and make it a non-CA certificate */ status = getAttributeFieldValue( certInfoPtr->attributes, CRYPT_CERTINFO_CA, CRYPT_ATTRIBUTE_NONE, &value ); if( cryptStatusOK( status ) ) isCA = ( value > 0 ) ? TRUE : FALSE; else { status = addCertComponent( certInfoPtr, CRYPT_CERTINFO_CA, FALSE ); if( cryptStatusError( status ) ) return( status ); } /* If there's no explicit keyUsage information present add it based on various implicit information. We also add key feature information which is used to help automate key management, for example to inhibit speculative reads of keys held in removable tokens, which can result in spurious insert-token dialogs being presented to the user outside the control of cryptlib if the token isn't present */ if( keyUsage <= 0 ) { /* If there's no implicit key usage present and it's not a CA (for which we don't want to set things like encryption flags for the CA certificate), set the key usage flags based on the capabilities of the associated context. Because no-one can figure out what the nonRepudiation flag signifies we don't set this, if the user wants it they have to specify it explicitly. Similarly we don't try and set the keyAgreement encipher/decipher- only flags, which were tacked on as variants of keyAgreement long after the basic keyAgreement flag was defined */ if( extKeyUsage <= 0 && !isCA ) { keyUsage = 0; /* Reset key usage */ if( certInfoPtr->iPubkeyContext != CRYPT_ERROR ) { /* There's a context present, check its capabilities. This has the advantage that it takes into account any ACLs that may exist for the key */ if( cryptStatusOK( \ krnlSendMessage( certInfoPtr->iPubkeyContext, IMESSAGE_CHECK, NULL, MESSAGE_CHECK_PKC_SIGCHECK ) ) ) keyUsage = CRYPT_KEYUSAGE_DIGITALSIGNATURE; if( cryptStatusOK( \ krnlSendMessage( certInfoPtr->iPubkeyContext, IMESSAGE_CHECK, NULL, MESSAGE_CHECK_PKC_ENCRYPT ) ) ) keyUsage |= CRYPT_KEYUSAGE_KEYENCIPHERMENT; if( cryptStatusOK( \ krnlSendMessage( certInfoPtr->iPubkeyContext, IMESSAGE_CHECK, NULL, MESSAGE_CHECK_PKC_KA_EXPORT ) ) || \ cryptStatusOK( \ krnlSendMessage( certInfoPtr->iPubkeyContext, IMESSAGE_CHECK, NULL, MESSAGE_CHECK_PKC_KA_IMPORT ) ) ) keyUsage |= CRYPT_KEYUSAGE_KEYAGREEMENT; } else { /* There's no context present (the key is present as encoded data), assume we can do whatever the algorithm allows */ if( isSigAlgo( certInfoPtr->publicKeyAlgo ) ) keyUsage = CRYPT_KEYUSAGE_DIGITALSIGNATURE; if( isCryptAlgo( certInfoPtr->publicKeyAlgo ) ) keyUsage |= CRYPT_KEYUSAGE_KEYENCIPHERMENT; if( isKeyxAlgo( certInfoPtr->publicKeyAlgo ) ) keyUsage |= CRYPT_KEYUSAGE_KEYAGREEMENT; } } else { /* There's an extended key usage set but no basic keyUsage, make the keyUsage consistent with the usage flags derived from the extended usage */ keyUsage = extKeyUsage; /* If it's a CA key, make sure that it's a signing key and enable its use for certification-related purposes*/ if( isCA ) { BOOLEAN usageOK; if( certInfoPtr->iPubkeyContext != CRYPT_ERROR ) { usageOK = cryptStatusOK( \ krnlSendMessage( certInfoPtr->iPubkeyContext, IMESSAGE_CHECK, NULL, MESSAGE_CHECK_PKC_SIGCHECK ) ); } else usageOK = isSigAlgo( certInfoPtr->publicKeyAlgo ); if( !usageOK ) { setErrorInfo( certInfoPtr, CRYPT_CERTINFO_CA, CRYPT_ERRTYPE_CONSTRAINT ); return( CRYPT_ERROR_INVALID ); } keyUsage |= KEYUSAGE_CA; } } ENSURES( keyUsage > CRYPT_KEYUSAGE_NONE && \ keyUsage < CRYPT_KEYUSAGE_LAST ); status = addCertComponent( certInfoPtr, CRYPT_CERTINFO_KEYUSAGE, keyUsage ); if( cryptStatusError( status ) ) return( status ); } if( certInfoPtr->publicKeyFeatures > 0 ) { /* This is a bitstring so we only add it if there are feature flags present to avoid writing zero-length values */ status = addCertComponent( certInfoPtr, CRYPT_CERTINFO_KEYFEATURES, certInfoPtr->publicKeyFeatures ); if( cryptStatusError( status ) && status != CRYPT_ERROR_INITED ) return( status ); } /* Add the subjectKeyIdentifier */ return( addCertComponentString( certInfoPtr, CRYPT_CERTINFO_SUBJECTKEYIDENTIFIER, certInfoPtr->publicKeyID, KEYID_SIZE ) ); }
int beginServerHandshake( INOUT SESSION_INFO *sessionInfoPtr, INOUT SSL_HANDSHAKE_INFO *handshakeInfo ) { STREAM *stream = &handshakeInfo->stream; SCOREBOARD_LOOKUP_RESULT lookupResult = DUMMY_INIT_STRUCT; MESSAGE_DATA msgData; int length, resumedSessionID = CRYPT_ERROR; int packetOffset, status; assert( isWritePtr( sessionInfoPtr, sizeof( SESSION_INFO ) ) ); assert( isWritePtr( handshakeInfo, sizeof( SSL_HANDSHAKE_INFO ) ) ); /* Read and process the client hello */ status = readHSPacketSSL( sessionInfoPtr, handshakeInfo, &length, SSL_MSG_FIRST_HANDSHAKE ); if( cryptStatusError( status ) ) return( status ); sMemConnect( stream, sessionInfoPtr->receiveBuffer, length ); status = processHelloSSL( sessionInfoPtr, handshakeInfo, stream, TRUE ); sMemDisconnect( stream ); if( cryptStatusError( status ) ) { if( status != OK_SPECIAL ) return( status ); /* The client has sent us a sessionID in an attempt to resume a previous session, see if it's in the session cache */ resumedSessionID = \ lookupScoreboardEntry( sessionInfoPtr->sessionSSL->scoreboardInfoPtr, SCOREBOARD_KEY_SESSIONID_SVR, handshakeInfo->sessionID, handshakeInfo->sessionIDlength, &lookupResult ); #ifdef CONFIG_SUITEB_TESTS resumedSessionID = CRYPT_ERROR; /* Disable for Suite B tests */ #endif /* CONFIG_SUITEB_TESTS */ } /* Handle session resumption. If it's a new session or the session data has expired from the cache, generate a new session ID */ if( cryptStatusError( resumedSessionID ) ) { setMessageData( &msgData, handshakeInfo->sessionID, SESSIONID_SIZE ); status = krnlSendMessage( SYSTEM_OBJECT_HANDLE, IMESSAGE_GETATTRIBUTE_S, &msgData, CRYPT_IATTRIBUTE_RANDOM_NONCE ); if( cryptStatusError( status ) ) return( status ); handshakeInfo->sessionIDlength = SESSIONID_SIZE; } else { /* We're resuming a previous session, remember the premaster secret */ status = attributeCopyParams( handshakeInfo->premasterSecret, SSL_SECRET_SIZE, &handshakeInfo->premasterSecretSize, lookupResult.data, lookupResult.dataSize ); ENSURES( cryptStatusOK( status ) ); } /* Get the nonce that's used to randomise all crypto operations and set up the server DH/ECDH context if necessary */ setMessageData( &msgData, handshakeInfo->serverNonce, SSL_NONCE_SIZE ); status = krnlSendMessage( SYSTEM_OBJECT_HANDLE, IMESSAGE_GETATTRIBUTE_S, &msgData, CRYPT_IATTRIBUTE_RANDOM_NONCE ); if( cryptStatusOK( status ) && isKeyxAlgo( handshakeInfo->keyexAlgo ) ) { status = initDHcontextSSL( &handshakeInfo->dhContext, NULL, 0, ( handshakeInfo->authAlgo != CRYPT_ALGO_NONE ) ? \ sessionInfoPtr->privateKey : CRYPT_UNUSED, isEccAlgo( handshakeInfo->keyexAlgo ) ? \ handshakeInfo->eccCurveID : CRYPT_ECCCURVE_NONE ); } if( cryptStatusError( status ) ) return( status ); /* Build the server hello, certificate, optional certificate request, and done packets: byte ID = SSL_HAND_SERVER_HELLO uint24 len byte[2] version = { 0x03, 0x0n } byte[32] nonce byte sessIDlen byte[] sessID uint16 suite byte copr = 0 [ uint16 extListLen -- RFC 3546/RFC 4366 byte extType uint16 extLen byte[] extData ] ... We have to be careful how we handle extensions because the RFC makes the rather optimistic assumption that implementations can handle the presence of unexpected data at the end of the hello packet, to avoid problems with this we avoid sending extensions unless they're in response to extensions already sent by the client */ status = openPacketStreamSSL( stream, sessionInfoPtr, CRYPT_USE_DEFAULT, SSL_MSG_HANDSHAKE ); if( cryptStatusError( status ) ) return( status ); status = continueHSPacketStream( stream, SSL_HAND_SERVER_HELLO, &packetOffset ); if( cryptStatusError( status ) ) { sMemDisconnect( stream ); return( status ); } sputc( stream, SSL_MAJOR_VERSION ); sputc( stream, sessionInfoPtr->version ); swrite( stream, handshakeInfo->serverNonce, SSL_NONCE_SIZE ); sputc( stream, handshakeInfo->sessionIDlength ); swrite( stream, handshakeInfo->sessionID, handshakeInfo->sessionIDlength ); writeUint16( stream, handshakeInfo->cipherSuite ); status = sputc( stream, 0 ); /* No compression */ if( handshakeInfo->hasExtensions ) status = writeServerExtensions( stream, handshakeInfo ); if( cryptStatusOK( status ) ) status = completeHSPacketStream( stream, packetOffset ); if( cryptStatusError( status ) ) { sMemDisconnect( stream ); return( status ); } /* If it's a resumed session then the server hello is followed immediately by the change cipherspec, which is sent by the shared handshake completion code */ if( !cryptStatusError( resumedSessionID ) ) { status = completePacketStreamSSL( stream, 0 ); if( cryptStatusOK( status ) ) status = hashHSPacketWrite( handshakeInfo, stream, 0 ); if( cryptStatusError( status ) ) { sMemDisconnect( stream ); return( status ); } /* Tell the caller that it's a resumed session, leaving the stream open in order to write the change cipherspec message that follows the server hello in a resumed session */ DEBUG_PRINT(( "Resuming session with client based on " "sessionID = \n" )); DEBUG_DUMP_DATA( handshakeInfo->sessionID, handshakeInfo->sessionIDlength ); return( OK_SPECIAL ); } /* ... (optional server supplemental data) byte ID = SSL_HAND_SUPPLEMENTAL_DATA uint24 len uint16 type uint16 len byte[] value ... */ /* ... (optional server certificate chain) ... */ if( handshakeInfo->authAlgo != CRYPT_ALGO_NONE ) { status = writeSSLCertChain( sessionInfoPtr, stream ); if( cryptStatusError( status ) ) { sMemDisconnect( stream ); return( status ); } } /* ... (optional server keyex) byte ID = SSL_HAND_SERVER_KEYEXCHANGE uint24 len DH: uint16 dh_pLen byte[] dh_p uint16 dh_gLen byte[] dh_g uint16 dh_YsLen byte[] dh_Ys [ byte hashAlgoID -- TLS 1.2 ] [ byte sigAlgoID -- TLS 1.2 ] uint16 signatureLen byte[] signature ECDH: byte curveType uint16 namedCurve uint8 ecPointLen -- NB uint8 not uint16 byte[] ecPoint [ byte hashAlgoID -- TLS 1.2 ] [ byte sigAlgoID -- TLS 1.2 ] uint16 signatureLen byte[] signature */ if( isKeyxAlgo( handshakeInfo->keyexAlgo ) ) { KEYAGREE_PARAMS keyAgreeParams; void *keyData = DUMMY_INIT_PTR; int keyDataOffset, keyDataLength = DUMMY_INIT; /* Perform phase 1 of the DH/ECDH key agreement process */ memset( &keyAgreeParams, 0, sizeof( KEYAGREE_PARAMS ) ); status = krnlSendMessage( handshakeInfo->dhContext, IMESSAGE_CTX_ENCRYPT, &keyAgreeParams, sizeof( KEYAGREE_PARAMS ) ); if( cryptStatusError( status ) ) { zeroise( &keyAgreeParams, sizeof( KEYAGREE_PARAMS ) ); sMemDisconnect( stream ); return( status ); } /* Write the DH/ECDH key parameters and public value and sign them */ status = continueHSPacketStream( stream, SSL_HAND_SERVER_KEYEXCHANGE, &packetOffset ); if( cryptStatusError( status ) ) { zeroise( &keyAgreeParams, sizeof( KEYAGREE_PARAMS ) ); sMemDisconnect( stream ); return( status ); } keyDataOffset = stell( stream ); status = exportAttributeToStream( stream, handshakeInfo->dhContext, CRYPT_IATTRIBUTE_KEY_SSL ); if( cryptStatusOK( status ) ) { if( isEccAlgo( handshakeInfo->keyexAlgo ) ) { sputc( stream, keyAgreeParams.publicValueLen ); swrite( stream, keyAgreeParams.publicValue, keyAgreeParams.publicValueLen ); } else { status = writeInteger16U( stream, keyAgreeParams.publicValue, keyAgreeParams.publicValueLen ); } } if( cryptStatusOK( status ) ) { keyDataLength = stell( stream ) - keyDataOffset; status = sMemGetDataBlockAbs( stream, keyDataOffset, &keyData, keyDataLength ); } if( cryptStatusOK( status ) ) { status = createKeyexSignature( sessionInfoPtr, handshakeInfo, stream, keyData, keyDataLength ); } zeroise( &keyAgreeParams, sizeof( KEYAGREE_PARAMS ) ); if( cryptStatusOK( status ) ) status = completeHSPacketStream( stream, packetOffset ); if( cryptStatusError( status ) ) { sMemDisconnect( stream ); return( status ); } } /* ... (optional request for client certificate authentication) byte ID = SSL_HAND_SERVER_CERTREQUEST uint24 len byte certTypeLen byte[] certType = { RSA, DSA, ECDSA } [ uint16 sigHashListLen -- TLS 1.2 ] [ byte hashAlgoID -- TLS 1.2 ] [ byte sigAlgoID -- TLS 1.2 ] uint16 caNameListLen = 4 uint16 caNameLen = 2 byte[] caName = { 0x30, 0x00 } ... */ if( clientCertAuthRequired( sessionInfoPtr ) ) { status = continueHSPacketStream( stream, SSL_HAND_SERVER_CERTREQUEST, &packetOffset ); if( cryptStatusError( status ) ) { sMemDisconnect( stream ); return( status ); } status = writeCertRequest( sessionInfoPtr, handshakeInfo, stream ); if( cryptStatusOK( status ) ) status = completeHSPacketStream( stream, packetOffset ); if( cryptStatusError( status ) ) { sMemDisconnect( stream ); return( status ); } } /* ... byte ID = SSL_HAND_SERVER_HELLODONE uint24 len = 0 */ status = continueHSPacketStream( stream, SSL_HAND_SERVER_HELLODONE, &packetOffset ); if( cryptStatusOK( status ) ) status = completeHSPacketStream( stream, packetOffset ); if( cryptStatusError( status ) ) { sMemDisconnect( stream ); return( status ); } /* Send the combined server packets to the client. We perform the assorted hashing of the packets in between the network ops where it's effectively free */ status = sendPacketSSL( sessionInfoPtr, stream, FALSE ); if( cryptStatusOK( status ) ) status = hashHSPacketWrite( handshakeInfo, stream, 0 ); sMemDisconnect( stream ); return( status ); }