C_RET cryptQueryObject( C_IN void C_PTR objectData, C_IN int objectDataLength, C_OUT CRYPT_OBJECT_INFO C_PTR cryptObjectInfo ) { QUERY_INFO queryInfo = DUMMY_INIT_STRUCT; /* If USE_PGP undef'd */ STREAM stream; int value, length = objectDataLength, status; /* Perform basic error checking and clear the return value */ if( objectDataLength <= MIN_CRYPT_OBJECTSIZE || \ objectDataLength >= MAX_INTLENGTH ) return( CRYPT_ERROR_PARAM2 ); if( !isReadPtr( objectData, objectDataLength ) ) return( CRYPT_ERROR_PARAM1 ); if( !isWritePtrConst( cryptObjectInfo, sizeof( CRYPT_OBJECT_INFO ) ) ) return( CRYPT_ERROR_PARAM3 ); memset( cryptObjectInfo, 0, sizeof( CRYPT_OBJECT_INFO ) ); /* Query the object. This is just a wrapper for the lower-level object- query functions. Note that we use sPeek() rather than peekTag() because we want to continue processing (or at least checking for) PGP data if it's no ASN.1 */ sMemConnect( &stream, ( void * ) objectData, length ); status = value = sPeek( &stream ); if( cryptStatusError( status ) ) { sMemDisconnect( &stream ); return( status ); } if( value == BER_SEQUENCE || value == MAKE_CTAG( CTAG_RI_PWRI ) ) status = queryAsn1Object( &stream, &queryInfo ); else { #ifdef USE_PGP status = queryPgpObject( &stream, &queryInfo ); #else status = CRYPT_ERROR_BADDATA; #endif /* USE_PGP */ } sMemDisconnect( &stream ); if( cryptStatusError( status ) ) return( status ); /* Copy the externally-visible fields across */ cryptObjectInfo->objectType = queryInfo.type; cryptObjectInfo->cryptAlgo = queryInfo.cryptAlgo; cryptObjectInfo->cryptMode = queryInfo.cryptMode; if( queryInfo.type == CRYPT_OBJECT_SIGNATURE ) cryptObjectInfo->hashAlgo = queryInfo.hashAlgo; if( queryInfo.type == CRYPT_OBJECT_ENCRYPTED_KEY && \ queryInfo.saltLength > 0 ) { memcpy( cryptObjectInfo->salt, queryInfo.salt, queryInfo.saltLength ); cryptObjectInfo->saltSize = queryInfo.saltLength; if( queryInfo.keySetupAlgo != CRYPT_ALGO_NONE ) cryptObjectInfo->hashAlgo = queryInfo.keySetupAlgo; } return( CRYPT_OK ); }
static void convertDate( OUT CK_DATE *date, const time_t theTime ) { STREAM stream; BYTE dateBuffer[ 32 + 8 ]; int cryptStatus; assert( isWritePtr( date, sizeof( CK_DATE ) ) ); /* Clear return value */ memset( date, 0, sizeof( CK_DATE ) ); /* Convert the time_t value to an ASN.1 time string that we can use to populate the CK_DATE fields, which are stored as ASCII text strings */ sMemOpen( &stream, dateBuffer, 32 ); cryptStatus = writeGeneralizedTime( &stream, theTime, DEFAULT_TAG ); sMemDisconnect( &stream ); ENSURES_V( cryptStatusOK( cryptStatus ) ); memcpy( &date->year, dateBuffer + 2, 4 ); memcpy( &date->month, dateBuffer + 6, 2 ); memcpy( &date->day, dateBuffer + 8, 2 ); }
static int processAdditionalScepRequest( INOUT SESSION_INFO *sessionInfoPtr, const HTTP_URI_INFO *httpReqInfo ) { HTTP_URI_INFO rewrittenHttpReqInfo; MESSAGE_DATA msgData; int operationType, status; assert( isWritePtr( sessionInfoPtr, sizeof( SESSION_INFO ) ) ); assert( isReadPtr( httpReqInfo, sizeof( HTTP_URI_INFO ) ) ); /* If the client has fed us an HTTP GET request, find out what they want. SCEP's handling of HTTP requests is a bit different from the "attribute '=' value" lookup that's normally used for HTTP data retrieval. Instead, it uses the format "'operation =' value '&' extraData", with the search key buried in the 'extraData' value. In addition the content of the 'extraData' value isn't defined outside of "any string which is understood by the CA". However since 'value' defines what we want, we can determine what to return based on this and ignore the 'extraData' portion. In order to fix up the query information into a format that works with standard HTTP queries, we rewrite the query data from the "'operation =' value '&' extraData" form into "attribute '=' value" before we process the query */ memset( &rewrittenHttpReqInfo, 0, sizeof( HTTP_URI_INFO ) ); memcpy( rewrittenHttpReqInfo.attribute, httpReqInfo->value, httpReqInfo->valueLen ); rewrittenHttpReqInfo.attributeLen = httpReqInfo->valueLen; if( httpReqInfo->extraDataLen > 0 ) { memcpy( rewrittenHttpReqInfo.value, httpReqInfo->extraData, httpReqInfo->extraDataLen ); rewrittenHttpReqInfo.valueLen = httpReqInfo->extraDataLen; } status = processCertQuery( sessionInfoPtr, &rewrittenHttpReqInfo, certstoreReadInfo, FAILSAFE_ARRAYSIZE( certstoreReadInfo, \ CERTSTORE_READ_INFO ), &operationType, NULL, 0, NULL ); if( cryptStatusError( status ) ) { sendCertErrorResponse( sessionInfoPtr, status ); return( status ); } ENSURES( operationType == SCEP_OPERATION_GETCACAPS || \ operationType == SCEP_OPERATION_GETCACERT || \ operationType == SCEP_OPERATION_GETCACERTCHAIN ); /* If it's a CA capabilities query, return the information as raw text over HTTP */ if( operationType == SCEP_OPERATION_GETCACAPS ) { STREAM stream; sMemOpen( &stream, sessionInfoPtr->receiveBuffer, 1024 ); status = swrite( &stream, "POSTPKIOperation\n", 17 ); if( algoAvailable( CRYPT_ALGO_SHA1 ) ) status = swrite( &stream, "SHA-1\n", 6 ); if( algoAvailable( CRYPT_ALGO_SHA2 ) ) status = swrite( &stream, "SHA-256\n", 8 ); if( algoAvailable( CRYPT_ALGO_SHAng ) ) status = swrite( &stream, "SHAng\n", 6 ); if( algoAvailable( CRYPT_ALGO_3DES ) ) status = swrite( &stream, "DES3\n", 5 ); if( algoAvailable( CRYPT_ALGO_AES ) ) status = swrite( &stream, "AES\n", 4 ); if( cryptStatusOK( status ) ) sessionInfoPtr->receiveBufEnd = stell( &stream ); sMemDisconnect( &stream ); ENSURES( cryptStatusOK( status ) ); return( writePkiDatagram( sessionInfoPtr, SCEP_CONTENT_TYPE, SCEP_CONTENT_TYPE_LEN ) ); } /* Export the CA certificate and send it to the client */ setMessageData( &msgData, sessionInfoPtr->receiveBuffer, sessionInfoPtr->receiveBufSize ); status = krnlSendMessage( sessionInfoPtr->privateKey, IMESSAGE_CRT_EXPORT, &msgData, ( operationType == SCEP_OPERATION_GETCACERT ) ? \ CRYPT_CERTFORMAT_CERTIFICATE : \ CRYPT_CERTFORMAT_CERTCHAIN ); if( cryptStatusError( status ) ) { retExt( status, ( status, SESSION_ERRINFO, "Couldn't export CA certificate%s for '%s' request", ( operationType == SCEP_OPERATION_GETCACERT ) ? \ "" : " chain", ( operationType == SCEP_OPERATION_GETCACERT ) ? \ "GetCACert" : "GetCACertChain" ) ); } sessionInfoPtr->receiveBufEnd = msgData.length; if( operationType == SCEP_OPERATION_GETCACERT ) { return( writePkiDatagram( sessionInfoPtr, SCEP_CONTENT_TYPE_GETCACERT, SCEP_CONTENT_TYPE_GETCACERT_LEN ) ); } return( writePkiDatagram( sessionInfoPtr, SCEP_CONTENT_TYPE_GETCACERTCHAIN, SCEP_CONTENT_TYPE_GETCACERTCHAIN_LEN ) ); }
static int processAdditionalScepRequest( INOUT SESSION_INFO *sessionInfoPtr, const HTTP_URI_INFO *httpReqInfo ) { HTTP_URI_INFO rewrittenHttpReqInfo; MESSAGE_DATA msgData; int operationType, status; assert( isWritePtr( sessionInfoPtr, sizeof( SESSION_INFO ) ) ); assert( isReadPtr( httpReqInfo, sizeof( HTTP_URI_INFO ) ) ); /* If the client has fed us an HTTP GET request, find out what they want. SCEP's handling of HTTP requests is a bit different from the "attribute '=' value" lookup that's normally used for HTTP data retrieval. Instead, it uses the format "'operation =' value '&' extraData", with the search key buried in the 'extraData' value. In addition the content of the 'extraData' value isn't defined outside of "any string which is understood by the CA". However since 'value' defines what we want, we can determine what to return based on this and ignore the 'extraData' portion. In order to fix up the query information into a format that works with standard HTTP queries, we rewrite the query data from the "'operation =' value '&' extraData" form into "attribute '=' value" before we process the query */ memset( &rewrittenHttpReqInfo, 0, sizeof( HTTP_URI_INFO ) ); memcpy( rewrittenHttpReqInfo.attribute, httpReqInfo->value, httpReqInfo->valueLen ); rewrittenHttpReqInfo.attributeLen = httpReqInfo->valueLen; if( httpReqInfo->extraDataLen > 0 ) { memcpy( rewrittenHttpReqInfo.value, httpReqInfo->extraData, httpReqInfo->extraDataLen ); rewrittenHttpReqInfo.valueLen = httpReqInfo->extraDataLen; } status = processCertQuery( sessionInfoPtr, &rewrittenHttpReqInfo, certstoreReadInfo, FAILSAFE_ARRAYSIZE( certstoreReadInfo, \ CERTSTORE_READ_INFO ), &operationType, NULL, 0, NULL ); if( cryptStatusError( status ) ) { sendCertErrorResponse( sessionInfoPtr, status ); return( status ); } ENSURES( operationType == SCEP_OPERATION_GETCACAPS || \ operationType == SCEP_OPERATION_GETCACERT || \ operationType == SCEP_OPERATION_GETCACERTCHAIN ); /* If it's a CA capabilities query, return the information as raw text over HTTP */ if( operationType == SCEP_OPERATION_GETCACAPS ) { STREAM stream; sMemOpen( &stream, sessionInfoPtr->receiveBuffer, 1024 ); swrite( &stream, "POSTPKIOperation\n", 17 ); #if 0 /* 14/6/14 Too risky to implement given its current state in the spec, see the discussion on the JSCEP mailing list for details */ status = swrite( &stream, "Renewal\n", 8 ); #endif /* 0 */ if( algoAvailable( CRYPT_ALGO_SHA1 ) ) status = swrite( &stream, "SHA-1\n", 6 ); if( algoAvailable( CRYPT_ALGO_SHA2 ) ) status = swrite( &stream, "SHA-256\n", 8 ); if( algoAvailable( CRYPT_ALGO_SHAng ) ) status = swrite( &stream, "SHAng\n", 6 ); if( algoAvailable( CRYPT_ALGO_3DES ) ) status = swrite( &stream, "DES3\n", 5 ); if( algoAvailable( CRYPT_ALGO_AES ) ) status = swrite( &stream, "AES\n", 4 ); if( cryptStatusOK( status ) ) sessionInfoPtr->receiveBufEnd = stell( &stream ); sMemDisconnect( &stream ); ENSURES( cryptStatusOK( status ) ); return( writePkiDatagram( sessionInfoPtr, SCEP_CONTENT_TYPE, SCEP_CONTENT_TYPE_LEN ) ); }
int exchangeServerKeys( INOUT SESSION_INFO *sessionInfoPtr, INOUT SSL_HANDSHAKE_INFO *handshakeInfo ) { STREAM *stream = &handshakeInfo->stream; int length, status; assert( isWritePtr( sessionInfoPtr, sizeof( SESSION_INFO ) ) ); assert( isWritePtr( handshakeInfo, sizeof( SSL_HANDSHAKE_INFO ) ) ); /* Read the response from the client and, if we're expecting a client certificate, make sure that it's present */ status = readHSPacketSSL( sessionInfoPtr, handshakeInfo, &length, SSL_MSG_HANDSHAKE ); if( cryptStatusError( status ) ) return( status ); sMemConnect( stream, sessionInfoPtr->receiveBuffer, length ); if( clientCertAuthRequired( sessionInfoPtr ) ) { /* Read the client certificate chain and make sure that the certificate being presented is valid for access */ status = readCheckClientCerts( sessionInfoPtr, handshakeInfo, stream ); if( cryptStatusError( status ) ) { sMemDisconnect( stream ); return( status ); } /* Read the next packet(s) if necessary */ status = refreshHSStream( sessionInfoPtr, handshakeInfo ); if( cryptStatusError( status ) ) return( status ); } /* Process the client key exchange packet: byte ID = SSL_HAND_CLIENT_KEYEXCHANGE uint24 len DH: uint16 yLen byte[] y ECDH: uint16 ecPointLen byte[] ecPoint PSK: uint16 userIDLen byte[] userID RSA: [ uint16 encKeyLen -- TLS 1.x ] byte[] rsaPKCS1( byte[2] { 0x03, 0x0n } || byte[46] random ) */ status = checkHSPacketHeader( sessionInfoPtr, stream, &length, SSL_HAND_CLIENT_KEYEXCHANGE, UINT16_SIZE + 1 ); if( cryptStatusError( status ) ) { sMemDisconnect( stream ); return( status ); } if( isKeyxAlgo( handshakeInfo->keyexAlgo ) ) { KEYAGREE_PARAMS keyAgreeParams; const BOOLEAN isECC = isEccAlgo( handshakeInfo->keyexAlgo ); memset( &keyAgreeParams, 0, sizeof( KEYAGREE_PARAMS ) ); if( isECC ) { status = readEcdhValue( stream, keyAgreeParams.publicValue, CRYPT_MAX_PKCSIZE, &keyAgreeParams.publicValueLen ); } else { status = readInteger16UChecked( stream, keyAgreeParams.publicValue, &keyAgreeParams.publicValueLen, MIN_PKCSIZE, CRYPT_MAX_PKCSIZE ); } if( cryptStatusError( status ) ) { sMemDisconnect( stream ); /* Some misconfigured clients may use very short keys, we perform a special-case check for these and return a more specific message than the generic bad-data error */ if( status == CRYPT_ERROR_NOSECURE ) { retExt( CRYPT_ERROR_NOSECURE, ( CRYPT_ERROR_NOSECURE, SESSION_ERRINFO, "Insecure key used in key exchange" ) ); } retExt( CRYPT_ERROR_BADDATA, ( CRYPT_ERROR_BADDATA, SESSION_ERRINFO, "Invalid DH/ECDH phase 2 key agreement data" ) ); } /* Perform phase 2 of the DH/ECDH key agreement */ status = krnlSendMessage( handshakeInfo->dhContext, IMESSAGE_CTX_DECRYPT, &keyAgreeParams, sizeof( KEYAGREE_PARAMS ) ); if( cryptStatusError( status ) ) { zeroise( &keyAgreeParams, sizeof( KEYAGREE_PARAMS ) ); sMemDisconnect( stream ); retExt( status, ( status, SESSION_ERRINFO, "Invalid DH/ECDH phase 2 key agreement value" ) ); } if( isECC ) { const int xCoordLen = ( keyAgreeParams.wrappedKeyLen - 1 ) / 2; /* The output of the ECDH operation is an ECC point, but for some unknown reason TLS only uses the x coordinate and not the full point. To work around this we have to rewrite the point as a standalone x coordinate, which is relatively easy because we're using an "uncompressed" point format: +---+---------------+---------------+ |04 | qx | qy | +---+---------------+---------------+ |<- fldSize --> |<- fldSize --> | */ REQUIRES( keyAgreeParams.wrappedKeyLen >= MIN_PKCSIZE_ECCPOINT && \ keyAgreeParams.wrappedKeyLen <= MAX_PKCSIZE_ECCPOINT && \ ( keyAgreeParams.wrappedKeyLen & 1 ) == 1 && \ keyAgreeParams.wrappedKey[ 0 ] == 0x04 ); memmove( keyAgreeParams.wrappedKey, keyAgreeParams.wrappedKey + 1, xCoordLen ); keyAgreeParams.wrappedKeyLen = xCoordLen; } ENSURES( rangeCheckZ( 0, keyAgreeParams.wrappedKeyLen, CRYPT_MAX_PKCSIZE + CRYPT_MAX_TEXTSIZE ) ); memcpy( handshakeInfo->premasterSecret, keyAgreeParams.wrappedKey, keyAgreeParams.wrappedKeyLen ); handshakeInfo->premasterSecretSize = keyAgreeParams.wrappedKeyLen; zeroise( &keyAgreeParams, sizeof( KEYAGREE_PARAMS ) ); } else { if( handshakeInfo->authAlgo == CRYPT_ALGO_NONE ) { const ATTRIBUTE_LIST *attributeListPtr; BYTE userID[ CRYPT_MAX_TEXTSIZE + 8 ]; /* Read the client user ID and make sure that it's a valid user. Handling non-valid users is somewhat problematic, we can either bail out immediately or invent a fake password for the (non-)user and continue with that. The problem with this is that it doesn't really help hide whether the user is valid or not due to the fact that we're still vulnerable to a timing attack because it takes considerably longer to generate the random password than it does to read a fixed password string from memory, so an attacker can tell from the timing whether the username is valid or not. In addition usability research on real-world users indicates that this actually reduces security while having little to no tangible benefit. Because of this we don't try and fake out the valid/invalid user name indication but just exit immediately if an invalid name is found */ length = readUint16( stream ); if( length < 1 || length > CRYPT_MAX_TEXTSIZE || \ cryptStatusError( sread( stream, userID, length ) ) ) { sMemDisconnect( stream ); retExt( CRYPT_ERROR_BADDATA, ( CRYPT_ERROR_BADDATA, SESSION_ERRINFO, "Invalid client user ID" ) ); } attributeListPtr = \ findSessionInfoEx( sessionInfoPtr->attributeList, CRYPT_SESSINFO_USERNAME, userID, length ); if( attributeListPtr == NULL ) { sMemDisconnect( stream ); retExt( CRYPT_ERROR_WRONGKEY, ( CRYPT_ERROR_WRONGKEY, SESSION_ERRINFO, "Unknown user name '%s'", sanitiseString( userID, CRYPT_MAX_TEXTSIZE, length ) ) ); } /* Select the attribute with the user ID and move on to the associated password */ sessionInfoPtr->attributeListCurrent = \ ( ATTRIBUTE_LIST * ) attributeListPtr; attributeListPtr = attributeListPtr->next; ENSURES( attributeListPtr != NULL && \ attributeListPtr->attributeID == CRYPT_SESSINFO_PASSWORD ); /* Create the shared premaster secret from the user password */ status = createSharedPremasterSecret( \ handshakeInfo->premasterSecret, CRYPT_MAX_PKCSIZE + CRYPT_MAX_TEXTSIZE, &handshakeInfo->premasterSecretSize, attributeListPtr->value, attributeListPtr->valueLength, ( attributeListPtr->flags & ATTR_FLAG_ENCODEDVALUE ) ? \ TRUE : FALSE ); if( cryptStatusError( status ) ) { sMemDisconnect( stream ); retExt( status, ( status, SESSION_ERRINFO, "Couldn't create master secret from shared " "secret/password value" ) ); } } else { BYTE wrappedKey[ CRYPT_MAX_PKCSIZE + 8 ]; if( sessionInfoPtr->version <= SSL_MINOR_VERSION_SSL ) { /* The original Netscape SSL implementation didn't provide a length for the encrypted key and everyone copied that so it became the de facto standard way to do it (sic faciunt omnes. The spec itself is ambiguous on the topic). This was fixed in TLS (although the spec is still ambigous) so the encoding differs slightly between SSL and TLS. To work around this we have to duplicate a certain amount of the integer-read code here */ if( isShortPKCKey( length ) ) status = CRYPT_ERROR_NOSECURE; else { if( length < MIN_PKCSIZE || length > CRYPT_MAX_PKCSIZE || \ cryptStatusError( sread( stream, wrappedKey, length ) ) ) status = CRYPT_ERROR_BADDATA; } } else { status = readInteger16UChecked( stream, wrappedKey, &length, MIN_PKCSIZE, CRYPT_MAX_PKCSIZE ); } if( cryptStatusError( status ) ) { sMemDisconnect( stream ); /* Some misconfigured clients may use very short keys, we perform a special-case check for these and return a more specific message than the generic bad-data */ if( status == CRYPT_ERROR_NOSECURE ) { retExt( CRYPT_ERROR_NOSECURE, ( CRYPT_ERROR_NOSECURE, SESSION_ERRINFO, "Insecure key used in key exchange" ) ); } retExt( CRYPT_ERROR_BADDATA, ( CRYPT_ERROR_BADDATA, SESSION_ERRINFO, "Invalid RSA encrypted key data" ) ); } /* Decrypt the pre-master secret */ status = unwrapPremasterSecret( sessionInfoPtr, handshakeInfo, wrappedKey, length ); if( cryptStatusError( status ) ) { sMemDisconnect( stream ); return( status ); } } } /* If we're expecting a client certificate, process the client certificate verify */ if( clientCertAuthRequired( sessionInfoPtr ) ) { const BOOLEAN isECC = isEccAlgo( handshakeInfo->keyexAlgo ); /* Since the client certificate-verify message requires the hash of all handshake packets up to this point, we have to interrupt the processing to calculate the hash before we continue */ status = createCertVerifyHash( sessionInfoPtr, handshakeInfo ); if( cryptStatusError( status ) ) return( status ); /* Read the next packet(s) if necessary */ status = refreshHSStream( sessionInfoPtr, handshakeInfo ); if( cryptStatusError( status ) ) return( status ); /* Process the client certificate verify packet: byte ID = SSL_HAND_CLIENT_CERTVERIFY uint24 len byte[] signature */ status = checkHSPacketHeader( sessionInfoPtr, stream, &length, SSL_HAND_CLIENT_CERTVERIFY, isECC ? MIN_PKCSIZE_ECCPOINT : \ MIN_PKCSIZE ); if( cryptStatusOK( status ) ) status = checkCertVerify( sessionInfoPtr, handshakeInfo, stream, length ); if( cryptStatusError( status ) ) { sMemDisconnect( stream ); return( status ); } } sMemDisconnect( stream ); return( CRYPT_OK ); }
int beginServerHandshake( INOUT SESSION_INFO *sessionInfoPtr, INOUT SSL_HANDSHAKE_INFO *handshakeInfo ) { STREAM *stream = &handshakeInfo->stream; SCOREBOARD_LOOKUP_RESULT lookupResult = DUMMY_INIT_STRUCT; MESSAGE_DATA msgData; int length, resumedSessionID = CRYPT_ERROR; int packetOffset, status; assert( isWritePtr( sessionInfoPtr, sizeof( SESSION_INFO ) ) ); assert( isWritePtr( handshakeInfo, sizeof( SSL_HANDSHAKE_INFO ) ) ); /* Read and process the client hello */ status = readHSPacketSSL( sessionInfoPtr, handshakeInfo, &length, SSL_MSG_FIRST_HANDSHAKE ); if( cryptStatusError( status ) ) return( status ); sMemConnect( stream, sessionInfoPtr->receiveBuffer, length ); status = processHelloSSL( sessionInfoPtr, handshakeInfo, stream, TRUE ); sMemDisconnect( stream ); if( cryptStatusError( status ) ) { if( status != OK_SPECIAL ) return( status ); /* The client has sent us a sessionID in an attempt to resume a previous session, see if it's in the session cache */ resumedSessionID = \ lookupScoreboardEntry( sessionInfoPtr->sessionSSL->scoreboardInfoPtr, SCOREBOARD_KEY_SESSIONID_SVR, handshakeInfo->sessionID, handshakeInfo->sessionIDlength, &lookupResult ); #ifdef CONFIG_SUITEB_TESTS resumedSessionID = CRYPT_ERROR; /* Disable for Suite B tests */ #endif /* CONFIG_SUITEB_TESTS */ } /* Handle session resumption. If it's a new session or the session data has expired from the cache, generate a new session ID */ if( cryptStatusError( resumedSessionID ) ) { setMessageData( &msgData, handshakeInfo->sessionID, SESSIONID_SIZE ); status = krnlSendMessage( SYSTEM_OBJECT_HANDLE, IMESSAGE_GETATTRIBUTE_S, &msgData, CRYPT_IATTRIBUTE_RANDOM_NONCE ); if( cryptStatusError( status ) ) return( status ); handshakeInfo->sessionIDlength = SESSIONID_SIZE; } else { /* We're resuming a previous session, remember the premaster secret */ status = attributeCopyParams( handshakeInfo->premasterSecret, SSL_SECRET_SIZE, &handshakeInfo->premasterSecretSize, lookupResult.data, lookupResult.dataSize ); ENSURES( cryptStatusOK( status ) ); } /* Get the nonce that's used to randomise all crypto operations and set up the server DH/ECDH context if necessary */ setMessageData( &msgData, handshakeInfo->serverNonce, SSL_NONCE_SIZE ); status = krnlSendMessage( SYSTEM_OBJECT_HANDLE, IMESSAGE_GETATTRIBUTE_S, &msgData, CRYPT_IATTRIBUTE_RANDOM_NONCE ); if( cryptStatusOK( status ) && isKeyxAlgo( handshakeInfo->keyexAlgo ) ) { status = initDHcontextSSL( &handshakeInfo->dhContext, NULL, 0, ( handshakeInfo->authAlgo != CRYPT_ALGO_NONE ) ? \ sessionInfoPtr->privateKey : CRYPT_UNUSED, isEccAlgo( handshakeInfo->keyexAlgo ) ? \ handshakeInfo->eccCurveID : CRYPT_ECCCURVE_NONE ); } if( cryptStatusError( status ) ) return( status ); /* Build the server hello, certificate, optional certificate request, and done packets: byte ID = SSL_HAND_SERVER_HELLO uint24 len byte[2] version = { 0x03, 0x0n } byte[32] nonce byte sessIDlen byte[] sessID uint16 suite byte copr = 0 [ uint16 extListLen -- RFC 3546/RFC 4366 byte extType uint16 extLen byte[] extData ] ... We have to be careful how we handle extensions because the RFC makes the rather optimistic assumption that implementations can handle the presence of unexpected data at the end of the hello packet, to avoid problems with this we avoid sending extensions unless they're in response to extensions already sent by the client */ status = openPacketStreamSSL( stream, sessionInfoPtr, CRYPT_USE_DEFAULT, SSL_MSG_HANDSHAKE ); if( cryptStatusError( status ) ) return( status ); status = continueHSPacketStream( stream, SSL_HAND_SERVER_HELLO, &packetOffset ); if( cryptStatusError( status ) ) { sMemDisconnect( stream ); return( status ); } sputc( stream, SSL_MAJOR_VERSION ); sputc( stream, sessionInfoPtr->version ); swrite( stream, handshakeInfo->serverNonce, SSL_NONCE_SIZE ); sputc( stream, handshakeInfo->sessionIDlength ); swrite( stream, handshakeInfo->sessionID, handshakeInfo->sessionIDlength ); writeUint16( stream, handshakeInfo->cipherSuite ); status = sputc( stream, 0 ); /* No compression */ if( handshakeInfo->hasExtensions ) status = writeServerExtensions( stream, handshakeInfo ); if( cryptStatusOK( status ) ) status = completeHSPacketStream( stream, packetOffset ); if( cryptStatusError( status ) ) { sMemDisconnect( stream ); return( status ); } /* If it's a resumed session then the server hello is followed immediately by the change cipherspec, which is sent by the shared handshake completion code */ if( !cryptStatusError( resumedSessionID ) ) { status = completePacketStreamSSL( stream, 0 ); if( cryptStatusOK( status ) ) status = hashHSPacketWrite( handshakeInfo, stream, 0 ); if( cryptStatusError( status ) ) { sMemDisconnect( stream ); return( status ); } /* Tell the caller that it's a resumed session, leaving the stream open in order to write the change cipherspec message that follows the server hello in a resumed session */ DEBUG_PRINT(( "Resuming session with client based on " "sessionID = \n" )); DEBUG_DUMP_DATA( handshakeInfo->sessionID, handshakeInfo->sessionIDlength ); return( OK_SPECIAL ); } /* ... (optional server supplemental data) byte ID = SSL_HAND_SUPPLEMENTAL_DATA uint24 len uint16 type uint16 len byte[] value ... */ /* ... (optional server certificate chain) ... */ if( handshakeInfo->authAlgo != CRYPT_ALGO_NONE ) { status = writeSSLCertChain( sessionInfoPtr, stream ); if( cryptStatusError( status ) ) { sMemDisconnect( stream ); return( status ); } } /* ... (optional server keyex) byte ID = SSL_HAND_SERVER_KEYEXCHANGE uint24 len DH: uint16 dh_pLen byte[] dh_p uint16 dh_gLen byte[] dh_g uint16 dh_YsLen byte[] dh_Ys [ byte hashAlgoID -- TLS 1.2 ] [ byte sigAlgoID -- TLS 1.2 ] uint16 signatureLen byte[] signature ECDH: byte curveType uint16 namedCurve uint8 ecPointLen -- NB uint8 not uint16 byte[] ecPoint [ byte hashAlgoID -- TLS 1.2 ] [ byte sigAlgoID -- TLS 1.2 ] uint16 signatureLen byte[] signature */ if( isKeyxAlgo( handshakeInfo->keyexAlgo ) ) { KEYAGREE_PARAMS keyAgreeParams; void *keyData = DUMMY_INIT_PTR; int keyDataOffset, keyDataLength = DUMMY_INIT; /* Perform phase 1 of the DH/ECDH key agreement process */ memset( &keyAgreeParams, 0, sizeof( KEYAGREE_PARAMS ) ); status = krnlSendMessage( handshakeInfo->dhContext, IMESSAGE_CTX_ENCRYPT, &keyAgreeParams, sizeof( KEYAGREE_PARAMS ) ); if( cryptStatusError( status ) ) { zeroise( &keyAgreeParams, sizeof( KEYAGREE_PARAMS ) ); sMemDisconnect( stream ); return( status ); } /* Write the DH/ECDH key parameters and public value and sign them */ status = continueHSPacketStream( stream, SSL_HAND_SERVER_KEYEXCHANGE, &packetOffset ); if( cryptStatusError( status ) ) { zeroise( &keyAgreeParams, sizeof( KEYAGREE_PARAMS ) ); sMemDisconnect( stream ); return( status ); } keyDataOffset = stell( stream ); status = exportAttributeToStream( stream, handshakeInfo->dhContext, CRYPT_IATTRIBUTE_KEY_SSL ); if( cryptStatusOK( status ) ) { if( isEccAlgo( handshakeInfo->keyexAlgo ) ) { sputc( stream, keyAgreeParams.publicValueLen ); swrite( stream, keyAgreeParams.publicValue, keyAgreeParams.publicValueLen ); } else { status = writeInteger16U( stream, keyAgreeParams.publicValue, keyAgreeParams.publicValueLen ); } } if( cryptStatusOK( status ) ) { keyDataLength = stell( stream ) - keyDataOffset; status = sMemGetDataBlockAbs( stream, keyDataOffset, &keyData, keyDataLength ); } if( cryptStatusOK( status ) ) { status = createKeyexSignature( sessionInfoPtr, handshakeInfo, stream, keyData, keyDataLength ); } zeroise( &keyAgreeParams, sizeof( KEYAGREE_PARAMS ) ); if( cryptStatusOK( status ) ) status = completeHSPacketStream( stream, packetOffset ); if( cryptStatusError( status ) ) { sMemDisconnect( stream ); return( status ); } } /* ... (optional request for client certificate authentication) byte ID = SSL_HAND_SERVER_CERTREQUEST uint24 len byte certTypeLen byte[] certType = { RSA, DSA, ECDSA } [ uint16 sigHashListLen -- TLS 1.2 ] [ byte hashAlgoID -- TLS 1.2 ] [ byte sigAlgoID -- TLS 1.2 ] uint16 caNameListLen = 4 uint16 caNameLen = 2 byte[] caName = { 0x30, 0x00 } ... */ if( clientCertAuthRequired( sessionInfoPtr ) ) { status = continueHSPacketStream( stream, SSL_HAND_SERVER_CERTREQUEST, &packetOffset ); if( cryptStatusError( status ) ) { sMemDisconnect( stream ); return( status ); } status = writeCertRequest( sessionInfoPtr, handshakeInfo, stream ); if( cryptStatusOK( status ) ) status = completeHSPacketStream( stream, packetOffset ); if( cryptStatusError( status ) ) { sMemDisconnect( stream ); return( status ); } } /* ... byte ID = SSL_HAND_SERVER_HELLODONE uint24 len = 0 */ status = continueHSPacketStream( stream, SSL_HAND_SERVER_HELLODONE, &packetOffset ); if( cryptStatusOK( status ) ) status = completeHSPacketStream( stream, packetOffset ); if( cryptStatusError( status ) ) { sMemDisconnect( stream ); return( status ); } /* Send the combined server packets to the client. We perform the assorted hashing of the packets in between the network ops where it's effectively free */ status = sendPacketSSL( sessionInfoPtr, stream, FALSE ); if( cryptStatusOK( status ) ) status = hashHSPacketWrite( handshakeInfo, stream, 0 ); sMemDisconnect( stream ); return( status ); }