archive
/
windows-xp
mirror of https://github.com/tongzx/nt5src
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
6 Commits
1 Branch
0 Tags
2.0 GiB
Tree: daad8a087a
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'daad8a087a'
${ noResults }
windows-xp/Source/XPSP1/NT/ds/security/protocols/schannel/spbase/ssl3msg.c

2809 lines
81 KiB
Raw Normal View History

Add source files
4 years ago
  1. //+---------------------------------------------------------------------------
  2. //
  3. // Microsoft Windows
  4. // Copyright (C) Microsoft Corporation, 1992 - 1995.
  5. //
  6. // File: ssl3msg.c
  7. //
  8. // Contents: Main crypto functions for SSL3.
  9. //
  10. // Classes:
  11. //
  12. // Functions:
  13. //
  14. // History: 04-16-96 ramas Created.
  15. //
  16. //----------------------------------------------------------------------------
  18. #include <spbase.h>
  20. #if VERIFYHASH
  21. BYTE rgbF[5000];
  22. DWORD ibF = 0;
  23. #endif
  26. //------------------------------------------------------------------------------------------
  28. SP_STATUS WINAPI
  29. Ssl3DecryptHandler(
  30. PSPContext pContext,
  31. PSPBuffer pCommInput,
  32. PSPBuffer pAppOutput)
  33. {
  34. SP_STATUS pctRet = PCT_ERR_OK;
  36. if(pCommInput->cbData == 0)
  37. {
  38. return PCT_INT_INCOMPLETE_MSG;
  39. }
  41. if(!(pContext->State & SP_STATE_CONNECTED) || pContext->Decrypt == NULL)
  42. {
  43. return SP_LOG_RESULT(PCT_INT_ILLEGAL_MSG);
  44. }
  46. switch(*(PBYTE)pCommInput->pvBuffer)
  47. {
  48. case SSL3_CT_HANDSHAKE:
  49. if(pContext->RipeZombie->fProtocol & SP_PROT_CLIENTS)
  50. {
  51. // This should be a HelloRequest message. We should make sure, and
  52. // then completely consume the message.
  53. pctRet = pContext->Decrypt( pContext,
  54. pCommInput, // message
  55. pAppOutput); // Unpacked Message
  56. if(PCT_ERR_OK != pctRet)
  57. {
  58. return pctRet;
  59. }
  61. if(*(PBYTE)pAppOutput->pvBuffer != SSL3_HS_HELLO_REQUEST ||
  62. pAppOutput->cbData != sizeof(SHSH))
  63. {
  64. // This ain't no HelloRequest!
  65. return SP_LOG_RESULT(PCT_INT_ILLEGAL_MSG);
  66. }
  67. }
  68. else
  69. {
  70. // This is probably a ClientHello message. In any case, let the
  71. // caller deal with it (by passing it to the LSA process).
  72. pCommInput->cbData = 0;
  73. }
  75. pAppOutput->cbData = 0;
  77. pContext->State = SSL3_STATE_RENEGOTIATE;
  78. return SP_LOG_RESULT(PCT_INT_RENEGOTIATE);
  81. case SSL3_CT_ALERT:
  82. pctRet = pContext->Decrypt( pContext,
  83. pCommInput,
  84. pAppOutput);
  85. if(PCT_ERR_OK != pctRet)
  86. {
  87. return pctRet;
  88. }
  90. pctRet = ParseAlertMessage(pContext,
  91. (PBYTE)pAppOutput->pvBuffer,
  92. pAppOutput->cbData);
  94. // make sure that APP doesn't see Alert messages...
  95. pAppOutput->cbData = 0;
  97. return pctRet;
  100. case SSL3_CT_APPLICATIONDATA:
  101. pctRet = pContext->Decrypt( pContext,
  102. pCommInput,
  103. pAppOutput);
  105. return pctRet;
  108. default:
  109. return SP_LOG_RESULT(PCT_INT_ILLEGAL_MSG);
  110. }
  111. }
  113. SP_STATUS WINAPI
  114. Ssl3GetHeaderSize(
  115. PSPContext pContext,
  116. PSPBuffer pCommInput,
  117. DWORD * pcbHeaderSize)
  118. {
  119. if(pcbHeaderSize == NULL)
  120. {
  121. return SP_LOG_RESULT(PCT_INT_INTERNAL_ERROR);
  122. }
  124. *pcbHeaderSize = sizeof(SWRAP);
  125. return PCT_ERR_OK;
  126. }
  130. #if DBG
  131. BYTE rgb3Mac[2048];
  132. DWORD ibMac = 0;
  133. #endif
  135. //+---------------------------------------------------------------------------
  136. //
  137. // Function: Ssl3ComputeMac
  138. //
  139. // Synopsis:
  140. //
  141. // Arguments: [pContext] --
  142. // [fReadMac] --
  143. // [pClean] --
  144. // [cContentType] --
  145. // [pbMac] --
  146. // [cbMac]
  147. //
  148. // History: 10-03-97 jbanes Created.
  149. //
  150. // Notes:
  151. //
  152. //----------------------------------------------------------------------------
  153. SP_STATUS
  154. Ssl3ComputeMac(
  155. PSPContext pContext,
  156. BOOL fReadMac,
  157. PSPBuffer pClean,
  158. CHAR cContentType,
  159. PBYTE pbMac,
  160. DWORD cbMac)
  161. {
  162. HCRYPTHASH hHash = 0;
  163. DWORD dwReverseSequence;
  164. WORD wReverseData;
  165. UCHAR rgbDigest[SP_MAX_DIGEST_LEN];
  166. DWORD cbDigest;
  167. BYTE rgbPad[CB_SSL3_MAX_MAC_PAD];
  168. WORD cbPad;
  169. HCRYPTPROV hProv;
  170. HCRYPTKEY hSecret;
  171. DWORD dwSequence;
  172. DWORD dwCapiFlags;
  173. PHashInfo pHashInfo;
  174. SP_STATUS pctRet;
  176. if(fReadMac)
  177. {
  178. hProv = pContext->hReadProv;
  179. hSecret = pContext->hReadMAC;
  180. dwSequence = pContext->ReadCounter;
  181. pHashInfo = pContext->pReadHashInfo;
  182. }
  183. else
  184. {
  185. hProv = pContext->hWriteProv;
  186. hSecret = pContext->hWriteMAC;
  187. dwSequence = pContext->WriteCounter;
  188. pHashInfo = pContext->pWriteHashInfo;
  189. }
  190. dwCapiFlags = pContext->RipeZombie->dwCapiFlags;
  192. if(!hProv)
  193. {
  194. return SP_LOG_RESULT(PCT_INT_INTERNAL_ERROR);
  195. }
  197. // Determine size of pad_1 and pad_2.
  198. if(pHashInfo->aiHash == CALG_MD5)
  199. {
  200. cbPad = CB_SSL3_MD5_MAC_PAD;
  201. }
  202. else
  203. {
  204. cbPad = CB_SSL3_SHA_MAC_PAD;
  205. }
  207. //
  208. // hash(MAC_write_secret + pad_2 +
  209. // hash(MAC_write_secret + pad_1 + seq_num +
  210. // SSLCompressed.type + SSLCompressed.length +
  211. // SSLCompressed.fragment));
  212. //
  214. // Create hash
  215. if(!SchCryptCreateHash(hProv,
  216. pHashInfo->aiHash,
  217. 0,
  218. 0,
  219. &hHash,
  220. dwCapiFlags))
  221. {
  222. SP_LOG_RESULT(GetLastError());
  223. pctRet = PCT_INT_INTERNAL_ERROR;
  224. goto cleanup;
  225. }
  227. // Hash secret
  228. if(!SchCryptHashSessionKey(hHash,
  229. hSecret,
  230. CRYPT_LITTLE_ENDIAN,
  231. dwCapiFlags))
  232. {
  233. SP_LOG_RESULT(GetLastError());
  234. pctRet = PCT_INT_INTERNAL_ERROR;
  235. goto cleanup;
  236. }
  238. // hash pad 1
  239. FillMemory(rgbPad, cbPad, PAD1_CONSTANT);
  240. if(!SchCryptHashData(hHash, rgbPad, cbPad, 0, dwCapiFlags))
  241. {
  242. SP_LOG_RESULT(GetLastError());
  243. pctRet = PCT_INT_INTERNAL_ERROR;
  244. goto cleanup;
  245. }
  247. /* add count */
  248. dwReverseSequence = 0;
  249. if(!SchCryptHashData(hHash,
  250. (PUCHAR)&dwReverseSequence,
  251. sizeof(DWORD),
  252. 0,
  253. dwCapiFlags))
  254. {
  255. SP_LOG_RESULT(GetLastError());
  256. pctRet = PCT_INT_INTERNAL_ERROR;
  257. goto cleanup;
  258. }
  259. dwReverseSequence = htonl(dwSequence);
  260. if(!SchCryptHashData(hHash,
  261. (PUCHAR)&dwReverseSequence,
  262. sizeof(DWORD),
  263. 0,
  264. dwCapiFlags))
  265. {
  266. SP_LOG_RESULT(GetLastError());
  267. pctRet = PCT_INT_INTERNAL_ERROR;
  268. goto cleanup;
  269. }
  271. // Add content type.
  272. if(cContentType != 0)
  273. {
  274. if(!SchCryptHashData(hHash, &cContentType, 1, 0, dwCapiFlags))
  275. {
  276. SP_LOG_RESULT(GetLastError());
  277. pctRet = PCT_INT_INTERNAL_ERROR;
  278. goto cleanup;
  279. }
  280. }
  282. /* add length */
  283. wReverseData = (WORD)pClean->cbData >> 8 | (WORD)pClean->cbData << 8;
  284. if(!SchCryptHashData(hHash,
  285. (PBYTE)&wReverseData,
  286. sizeof(WORD),
  287. 0,
  288. dwCapiFlags))
  289. {
  290. SP_LOG_RESULT(GetLastError());
  291. pctRet = PCT_INT_INTERNAL_ERROR;
  292. goto cleanup;
  293. }
  295. /* add data */
  296. if(!SchCryptHashData(hHash,
  297. pClean->pvBuffer,
  298. pClean->cbData,
  299. 0,
  300. dwCapiFlags))
  301. {
  302. SP_LOG_RESULT(GetLastError());
  303. pctRet = PCT_INT_INTERNAL_ERROR;
  304. goto cleanup;
  305. }
  307. #if VERIFYHASH
  308. if(ibMac > 1800) ibMac = 0;
  309. CopyMemory(&rgb3Mac[ibMac], (BYTE *)&dw32High, sizeof(DWORD));
  310. ibMac += sizeof(DWORD);
  311. CopyMemory(&rgb3Mac[ibMac], (BYTE *)&dwReverseSeq, sizeof(DWORD));
  312. ibMac += sizeof(DWORD);
  313. CopyMemory(&rgb3Mac[ibMac], (BYTE *)&wDataReverse, sizeof(WORD));
  314. ibMac += sizeof(WORD);
  315. if(wData < 50)
  316. {
  317. CopyMemory(&rgb3Mac[ibMac], (PUCHAR)pClean->pvBuffer, wData);
  318. ibMac += wData;
  319. }
  320. #endif
  322. // Get inner hash value.
  323. cbDigest = sizeof(rgbDigest);
  324. if(!SchCryptGetHashParam(hHash,
  325. HP_HASHVAL,
  326. rgbDigest,
  327. &cbDigest,
  328. 0,
  329. dwCapiFlags))
  330. {
  331. SP_LOG_RESULT(GetLastError());
  332. pctRet = PCT_INT_INTERNAL_ERROR;
  333. goto cleanup;
  334. }
  335. SP_ASSERT(pHashInfo->cbCheckSum == cbDigest);
  337. SchCryptDestroyHash(hHash, dwCapiFlags);
  338. hHash = 0;
  340. #if VERIFYHASH
  341. CopyMemory(&rgb3Mac[ibMac], rgbDigest, pHashInfo->cbCheckSum);
  342. ibMac += pHashInfo->cbCheckSum;
  343. #endif
  347. // Create hash
  348. if(!SchCryptCreateHash(hProv,
  349. pHashInfo->aiHash,
  350. 0,
  351. 0,
  352. &hHash,
  353. dwCapiFlags))
  354. {
  355. SP_LOG_RESULT(GetLastError());
  356. pctRet = PCT_INT_INTERNAL_ERROR;
  357. goto cleanup;
  358. }
  360. // Hash secret
  361. if(!SchCryptHashSessionKey(hHash,
  362. hSecret,
  363. CRYPT_LITTLE_ENDIAN,
  364. dwCapiFlags))
  365. {
  366. SP_LOG_RESULT(GetLastError());
  367. pctRet = PCT_INT_INTERNAL_ERROR;
  368. goto cleanup;
  369. }
  371. // hash pad 2
  372. FillMemory(rgbPad, cbPad, PAD2_CONSTANT);
  373. if(!SchCryptHashData(hHash, rgbPad, cbPad, 0, dwCapiFlags))
  374. {
  375. SP_LOG_RESULT(GetLastError());
  376. pctRet = PCT_INT_INTERNAL_ERROR;
  377. goto cleanup;
  378. }
  380. if(!SchCryptHashData(hHash, rgbDigest, cbDigest, 0, dwCapiFlags))
  381. {
  382. SP_LOG_RESULT(GetLastError());
  383. pctRet = PCT_INT_INTERNAL_ERROR;
  384. goto cleanup;
  385. }
  387. // Get outer hash value.
  388. cbDigest = sizeof(rgbDigest);
  389. if(!SchCryptGetHashParam(hHash,
  390. HP_HASHVAL,
  391. rgbDigest,
  392. &cbDigest,
  393. 0,
  394. dwCapiFlags))
  395. {
  396. SP_LOG_RESULT(GetLastError());
  397. pctRet = PCT_INT_INTERNAL_ERROR;
  398. goto cleanup;
  399. }
  400. SP_ASSERT(pHashInfo->cbCheckSum == cbDigest);
  402. SchCryptDestroyHash(hHash, dwCapiFlags);
  403. hHash = 0;
  405. #if VERIFYHASH
  406. CopyMemory(&rgb3Mac[ibMac], rgbDigest, pHashInfo->cbCheckSum);
  407. ibMac += pHashInfo->cbCheckSum;
  408. #endif
  410. CopyMemory(pbMac, rgbDigest, cbDigest);
  412. pctRet = PCT_ERR_OK;
  414. cleanup:
  416. if(hHash)
  417. {
  418. SchCryptDestroyHash(hHash, dwCapiFlags);
  419. }
  421. return pctRet;
  422. }
  425. //+---------------------------------------------------------------------------
  426. //
  427. // Function: Ssl3BuildFinishMessage
  428. //
  429. // Synopsis:
  430. //
  431. // Arguments: [pContext] --
  432. // [pbMd5Digest] --
  433. // [pbSHADigest] --
  434. // [fClient] --
  435. //
  436. // History: 10-03-97 jbanes Added server-side CAPI integration.
  437. //
  438. // Notes:
  439. //
  440. //----------------------------------------------------------------------------
  441. SP_STATUS
  442. Ssl3BuildFinishMessage(
  443. PSPContext pContext,
  444. BYTE *pbMd5Digest,
  445. BYTE *pbSHADigest,
  446. BOOL fClient)
  447. {
  448. BYTE rgbPad1[CB_SSL3_MAX_MAC_PAD];
  449. BYTE rgbPad2[CB_SSL3_MAX_MAC_PAD];
  450. BYTE szClnt[] = "CLNT";
  451. BYTE szSrvr[] = "SRVR";
  452. DWORD cbMessage;
  453. HCRYPTHASH hHash = 0;
  454. DWORD cbDigest;
  455. SP_STATUS pctRet;
  457. //
  458. // Compute the two hash values as follows:
  459. //
  460. // enum { client(0x434c4e54), server(0x53525652) } Sender;
  461. // enum { client("CLNT"), server("SRVR") } Sender;
  462. //
  463. // struct {
  464. // opaque md5_hash[16];
  465. // opaque sha_hash[20];
  466. // } Finished;
  467. //
  468. // md5_hash - MD5(master_secret + pad2 + MD5(handshake_messages +
  469. // Sender + master_secret + pad1))
  470. //
  471. // sha_hash - SHA(master_secret + pad2 + SHA(handshake_messages +
  472. // Sender + master_secret + pad1))
  473. //
  474. // pad_1 - The character 0x36 repeated 48 times for MD5 or
  475. // 40 times for SHA.
  476. //
  477. // pad_2 - The character 0x5c repeated the same number of times.
  478. //
  480. FillMemory(rgbPad1, sizeof(rgbPad1), PAD1_CONSTANT);
  481. FillMemory(rgbPad2, sizeof(rgbPad2), PAD2_CONSTANT);
  484. // Make local copy of the handshake_messages MD5 hash object
  485. if(!SchCryptDuplicateHash(pContext->hMd5Handshake,
  486. NULL,
  487. 0,
  488. &hHash,
  489. pContext->RipeZombie->dwCapiFlags))
  490. {
  491. SP_LOG_RESULT(GetLastError());
  492. pctRet = PCT_INT_INTERNAL_ERROR;
  493. goto cleanup;
  494. }
  496. // Add rest of stuff to local MD5 hash object.
  497. if(!SchCryptHashData(hHash,
  498. fClient ? szClnt : szSrvr,
  499. 4,
  500. 0,
  501. pContext->RipeZombie->dwCapiFlags))
  502. {
  503. SP_LOG_RESULT(GetLastError());
  504. pctRet = PCT_INT_INTERNAL_ERROR;
  505. goto cleanup;
  506. }
  508. if(!SchCryptHashSessionKey(hHash,
  509. pContext->RipeZombie->hMasterKey,
  510. CRYPT_LITTLE_ENDIAN,
  511. pContext->RipeZombie->dwCapiFlags))
  512. {
  513. SP_LOG_RESULT(GetLastError());
  514. pctRet = PCT_INT_INTERNAL_ERROR;
  515. goto cleanup;
  516. }
  517. if(!SchCryptHashData(hHash,
  518. rgbPad1,
  519. CB_SSL3_MD5_MAC_PAD,
  520. 0,
  521. pContext->RipeZombie->dwCapiFlags))
  522. {
  523. SP_LOG_RESULT(GetLastError());
  524. pctRet = PCT_INT_INTERNAL_ERROR;
  525. goto cleanup;
  526. }
  527. cbDigest = CB_MD5_DIGEST_LEN;
  528. if(!SchCryptGetHashParam(hHash,
  529. HP_HASHVAL,
  530. pbMd5Digest,
  531. &cbDigest,
  532. 0,
  533. pContext->RipeZombie->dwCapiFlags))
  534. {
  535. SP_LOG_RESULT(GetLastError());
  536. pctRet = PCT_INT_INTERNAL_ERROR;
  537. goto cleanup;
  538. }
  539. SchCryptDestroyHash(hHash, pContext->RipeZombie->dwCapiFlags);
  540. hHash = 0;
  542. // Compute "parent" MD5 hash
  543. if(!SchCryptCreateHash(pContext->RipeZombie->hMasterProv,
  544. CALG_MD5,
  545. 0,
  546. 0,
  547. &hHash,
  548. pContext->RipeZombie->dwCapiFlags))
  549. {
  550. SP_LOG_RESULT(GetLastError());
  551. pctRet = PCT_INT_INTERNAL_ERROR;
  552. goto cleanup;
  553. }
  554. if(!SchCryptHashSessionKey(hHash,
  555. pContext->RipeZombie->hMasterKey,
  556. CRYPT_LITTLE_ENDIAN,
  557. pContext->RipeZombie->dwCapiFlags))
  558. {
  559. SP_LOG_RESULT(GetLastError());
  560. pctRet = PCT_INT_INTERNAL_ERROR;
  561. goto cleanup;
  562. }
  563. if(!SchCryptHashData(hHash,
  564. rgbPad2,
  565. CB_SSL3_MD5_MAC_PAD,
  566. 0,
  567. pContext->RipeZombie->dwCapiFlags))
  568. {
  569. SP_LOG_RESULT(GetLastError());
  570. pctRet = PCT_INT_INTERNAL_ERROR;
  571. goto cleanup;
  572. }
  573. if(!SchCryptHashData(hHash,
  574. pbMd5Digest,
  575. CB_MD5_DIGEST_LEN,
  576. 0,
  577. pContext->RipeZombie->dwCapiFlags))
  578. {
  579. SP_LOG_RESULT(GetLastError());
  580. pctRet = PCT_INT_INTERNAL_ERROR;
  581. goto cleanup;
  582. }
  583. cbDigest = CB_MD5_DIGEST_LEN;
  584. if(!SchCryptGetHashParam(hHash,
  585. HP_HASHVAL,
  586. pbMd5Digest,
  587. &cbDigest,
  588. 0,
  589. pContext->RipeZombie->dwCapiFlags))
  590. {
  591. SP_LOG_RESULT(GetLastError());
  592. pctRet = PCT_INT_INTERNAL_ERROR;
  593. goto cleanup;
  594. }
  595. SchCryptDestroyHash(hHash, pContext->RipeZombie->dwCapiFlags);
  596. hHash = 0;
  598. // Build SHA Hash
  600. // Make local copy of the handshake_messages SHA hash object
  601. if(!SchCryptDuplicateHash(pContext->hShaHandshake,
  602. NULL,
  603. 0,
  604. &hHash,
  605. pContext->RipeZombie->dwCapiFlags))
  606. {
  607. SP_LOG_RESULT(GetLastError());
  608. pctRet = PCT_INT_INTERNAL_ERROR;
  609. goto cleanup;
  610. }
  612. // SHA(handshake_messages + Sender + master_secret + pad1)
  613. if(!SchCryptHashData(hHash,
  614. fClient ? szClnt : szSrvr,
  615. 4,
  616. 0,
  617. pContext->RipeZombie->dwCapiFlags))
  618. {
  619. SP_LOG_RESULT(GetLastError());
  620. pctRet = PCT_INT_INTERNAL_ERROR;
  621. goto cleanup;
  622. }
  623. if(!SchCryptHashSessionKey(hHash,
  624. pContext->RipeZombie->hMasterKey,
  625. CRYPT_LITTLE_ENDIAN,
  626. pContext->RipeZombie->dwCapiFlags))
  627. {
  628. SP_LOG_RESULT(GetLastError());
  629. pctRet = PCT_INT_INTERNAL_ERROR;
  630. goto cleanup;
  631. }
  632. if(!SchCryptHashData(hHash,
  633. rgbPad1,
  634. CB_SSL3_SHA_MAC_PAD,
  635. 0,
  636. pContext->RipeZombie->dwCapiFlags))
  637. {
  638. SP_LOG_RESULT(GetLastError());
  639. pctRet = PCT_INT_INTERNAL_ERROR;
  640. goto cleanup;
  641. }
  642. cbDigest = A_SHA_DIGEST_LEN;
  643. if(!SchCryptGetHashParam(hHash,
  644. HP_HASHVAL,
  645. pbSHADigest,
  646. &cbDigest,
  647. 0,
  648. pContext->RipeZombie->dwCapiFlags))
  649. {
  650. SP_LOG_RESULT(GetLastError());
  651. pctRet = PCT_INT_INTERNAL_ERROR;
  652. goto cleanup;
  653. }
  654. SchCryptDestroyHash(hHash, pContext->RipeZombie->dwCapiFlags);
  655. hHash = 0;
  657. // SHA(master_secret + pad2 + SHA-hash);
  658. if(!SchCryptCreateHash(pContext->RipeZombie->hMasterProv,
  659. CALG_SHA,
  660. 0,
  661. 0,
  662. &hHash,
  663. pContext->RipeZombie->dwCapiFlags))
  664. {
  665. SP_LOG_RESULT(GetLastError());
  666. pctRet = PCT_INT_INTERNAL_ERROR;
  667. goto cleanup;
  668. }
  669. if(!SchCryptHashSessionKey(hHash,
  670. pContext->RipeZombie->hMasterKey,
  671. CRYPT_LITTLE_ENDIAN,
  672. pContext->RipeZombie->dwCapiFlags))
  673. {
  674. SP_LOG_RESULT(GetLastError());
  675. pctRet = PCT_INT_INTERNAL_ERROR;
  676. goto cleanup;
  677. }
  678. if(!SchCryptHashData(hHash,
  679. rgbPad2,
  680. CB_SSL3_SHA_MAC_PAD,
  681. 0,
  682. pContext->RipeZombie->dwCapiFlags))
  683. {
  684. SP_LOG_RESULT(GetLastError());
  685. pctRet = PCT_INT_INTERNAL_ERROR;
  686. goto cleanup;
  687. }
  688. if(!SchCryptHashData(hHash,
  689. pbSHADigest,
  690. A_SHA_DIGEST_LEN,
  691. 0,
  692. pContext->RipeZombie->dwCapiFlags))
  693. {
  694. SP_LOG_RESULT(GetLastError());
  695. pctRet = PCT_INT_INTERNAL_ERROR;
  696. goto cleanup;
  697. }
  698. cbDigest = A_SHA_DIGEST_LEN;
  699. if(!SchCryptGetHashParam(hHash,
  700. HP_HASHVAL,
  701. pbSHADigest,
  702. &cbDigest,
  703. 0,
  704. pContext->RipeZombie->dwCapiFlags))
  705. {
  706. SP_LOG_RESULT(GetLastError());
  707. pctRet = PCT_INT_INTERNAL_ERROR;
  708. goto cleanup;
  709. }
  710. SchCryptDestroyHash(hHash, pContext->RipeZombie->dwCapiFlags);
  711. hHash = 0;
  713. pctRet = PCT_ERR_OK;
  715. cleanup:
  717. if(hHash)
  718. {
  719. SchCryptDestroyHash(hHash, pContext->RipeZombie->dwCapiFlags);
  720. }
  722. return pctRet;
  723. }
  726. /*****************************************************************************/
  727. DWORD Ssl3CiphertextLen(
  728. PSPContext pContext,
  729. DWORD cbMessage,
  730. BOOL fClientIsSender)
  731. {
  732. DWORD cbBlock;
  734. // Abort early if we're not encrypting.
  735. if(pContext->pWriteCipherInfo == NULL)
  736. {
  737. // Add record header length.
  738. cbMessage += sizeof(SWRAP);
  740. return cbMessage;
  741. }
  743. // Add MAC length.
  744. cbMessage += pContext->pWriteHashInfo->cbCheckSum;
  746. // Add padding if we're using a block cipher.
  747. cbBlock = pContext->pWriteCipherInfo->dwBlockSize;
  748. if(cbBlock > 1)
  749. {
  750. cbMessage += cbBlock - cbMessage % cbBlock;
  751. }
  753. // Add record header length.
  754. cbMessage += sizeof(SWRAP);
  756. return cbMessage;
  757. }
  759. //+---------------------------------------------------------------------------
  760. //
  761. // Function: Ssl3EncryptRaw
  762. //
  763. // Synopsis: Perform the MAC and encryption steps on an SSL3 record.
  764. //
  765. // Arguments: [pContext] -- Schannel context.
  766. // [pAppInput] -- Data to be encrypted.
  767. // [pCommOutput] -- (output) Encrypted SSL3 record.
  768. // [bContentType] -- SSL3 context type.
  769. //
  770. // History: 10-22-97 jbanes CAPI integrated.
  771. //
  772. // Notes: This function doesn't touch the header portion of the SSL3
  773. // record. This is handle by the calling function.
  774. //
  775. //----------------------------------------------------------------------------
  776. SP_STATUS WINAPI
  777. Ssl3EncryptRaw(
  778. PSPContext pContext,
  779. PSPBuffer pAppInput,
  780. PSPBuffer pCommOutput,
  781. BYTE bContentType)
  782. {
  783. SP_STATUS pctRet;
  784. SPBuffer Clean;
  785. SPBuffer Encrypted;
  786. DWORD cbBlock;
  787. DWORD cbPadding;
  788. PUCHAR pbMAC = NULL;
  789. BOOL fIsClient = FALSE;
  790. DWORD cbBuffExpected;
  792. if((pContext == NULL) ||
  793. (pContext->RipeZombie == NULL) ||
  794. (pContext->pWriteHashInfo == NULL) ||
  795. (pContext->pWriteCipherInfo == NULL) ||
  796. (pAppInput == NULL) ||
  797. (pCommOutput == NULL) ||
  798. (pAppInput->pvBuffer == NULL) ||
  799. (pCommOutput->pvBuffer == NULL))
  800. {
  801. return SP_LOG_RESULT(PCT_INT_INTERNAL_ERROR);
  802. }
  804. if(pAppInput->cbData > pAppInput->cbBuffer)
  805. {
  806. return SP_LOG_RESULT(SEC_E_INSUFFICIENT_MEMORY);
  807. }
  808. fIsClient = ( 0 != (pContext->RipeZombie->fProtocol & SP_PROT_SSL3TLS1_CLIENTS));
  810. cbBuffExpected = Ssl3CiphertextLen(pContext, pAppInput->cbData, fIsClient);
  811. if(cbBuffExpected == 0)
  812. {
  813. return SP_LOG_RESULT(PCT_INT_INTERNAL_ERROR);
  814. }
  816. if(pCommOutput->cbBuffer < cbBuffExpected)
  817. {
  818. return SP_LOG_RESULT(PCT_INT_BUFF_TOO_SMALL);
  819. }
  821. Clean.cbData = pAppInput->cbData;
  822. Clean.pvBuffer = (PUCHAR)pCommOutput->pvBuffer + sizeof(SWRAP);
  823. Clean.cbBuffer = pCommOutput->cbBuffer - sizeof(SWRAP);
  825. /* Move data out of the way if necessary */
  826. if(Clean.pvBuffer != pAppInput->pvBuffer)
  827. {
  828. DebugLog((DEB_WARN, "SSL3EncryptRaw: Unnecessary Move, performance hog\n"));
  829. MoveMemory(Clean.pvBuffer,
  830. pAppInput->pvBuffer,
  831. pAppInput->cbData);
  832. }
  834. // Transfer the write key over from the application process.
  835. if(pContext->hWriteKey == 0 &&
  836. pContext->pWriteCipherInfo->aiCipher != CALG_NULLCIPHER)
  837. {
  838. DebugLog((DEB_TRACE, "Transfer write key from user process.\n"));
  839. pctRet = SPGetUserKeys(pContext, SCH_FLAG_WRITE_KEY);
  840. if(pctRet != PCT_ERR_OK)
  841. {
  842. return SP_LOG_RESULT(pctRet);
  843. }
  844. }
  846. // Compute MAC and add it to end of message.
  847. pbMAC = (PUCHAR)Clean.pvBuffer + Clean.cbData;
  848. if(pContext->RipeZombie->fProtocol & SP_PROT_SSL3)
  849. {
  850. pctRet = Ssl3ComputeMac(pContext,
  851. FALSE,
  852. &Clean,
  853. bContentType,
  854. pbMAC,
  855. pContext->pWriteHashInfo->cbCheckSum);
  856. if(pctRet != PCT_ERR_OK)
  857. {
  858. return pctRet;
  859. }
  860. }
  861. else
  862. {
  863. pctRet = Tls1ComputeMac(pContext,
  864. FALSE,
  865. &Clean,
  866. bContentType,
  867. pbMAC,
  868. pContext->pWriteHashInfo->cbCheckSum);
  869. if(pctRet != PCT_ERR_OK)
  870. {
  871. return pctRet;
  872. }
  873. }
  874. Clean.cbData += pContext->pWriteHashInfo->cbCheckSum;
  876. pContext->WriteCounter++;
  878. // Add block cipher padding to end of message.
  879. cbBlock = pContext->pWriteCipherInfo->dwBlockSize;
  880. if(cbBlock > 1)
  881. {
  882. // This is a block cipher.
  883. cbPadding = cbBlock - Clean.cbData % cbBlock;
  885. FillMemory((PUCHAR)Clean.pvBuffer + Clean.cbData,
  886. cbPadding,
  887. (UCHAR)(cbPadding - 1));
  888. Clean.cbData += cbPadding;
  889. }
  891. SP_ASSERT(Clean.cbData <= Clean.cbBuffer);
  893. Encrypted.cbData = Clean.cbData;
  894. Encrypted.pvBuffer = Clean.pvBuffer;
  895. Encrypted.cbBuffer = Clean.cbBuffer;
  897. // Encrypt message.
  898. if(pContext->pWriteCipherInfo->aiCipher != CALG_NULLCIPHER)
  899. {
  900. if(!SchCryptEncrypt(pContext->hWriteKey,
  901. 0, FALSE, 0,
  902. Encrypted.pvBuffer,
  903. &Encrypted.cbData,
  904. Encrypted.cbBuffer,
  905. pContext->RipeZombie->dwCapiFlags))
  906. {
  907. SP_LOG_RESULT(GetLastError());
  908. return PCT_INT_INTERNAL_ERROR;
  909. }
  910. }
  912. pCommOutput->cbData = Encrypted.cbData + sizeof(SWRAP);
  914. return PCT_ERR_OK;
  915. }
  917. //+---------------------------------------------------------------------------
  918. //
  919. // Function: Ssl3EncryptMessage
  920. //
  921. // Synopsis: Encode a block of data as an SSL3 record.
  922. //
  923. // Arguments: [pContext] -- Schannel context.
  924. // [pAppInput] -- Data to be encrypted.
  925. // [pCommOutput] -- (output) Completed SSL3 record.
  926. //
  927. // History: 10-22-97 jbanes CAPI integrated.
  928. //
  929. // Notes: An SSL3 record is formatted as:
  930. //
  931. // BYTE header[5];
  932. // BYTE data[pAppInput->cbData];
  933. // BYTE mac[mac_size];
  934. // BYTE padding[padding_size];
  935. //
  936. //----------------------------------------------------------------------------
  937. SP_STATUS WINAPI
  938. Ssl3EncryptMessage( PSPContext pContext,
  939. PSPBuffer pAppInput,
  940. PSPBuffer pCommOutput)
  941. {
  942. DWORD cbMessage;
  943. SP_STATUS pctRet;
  945. SP_BEGIN("Ssl3EncryptMessage");
  947. if((pContext == NULL) ||
  948. (pContext->RipeZombie == NULL) ||
  949. (pAppInput == NULL) ||
  950. (pCommOutput == NULL) ||
  951. (pCommOutput->pvBuffer == NULL))
  952. {
  953. return SP_LOG_RESULT(PCT_INT_INTERNAL_ERROR);
  954. }
  956. DebugLog((DEB_TRACE, "Input: cbData:0x%x, cbBuffer:0x%x, pvBuffer:0x%8.8x\n",
  957. pAppInput->cbData,
  958. pAppInput->cbBuffer,
  959. pAppInput->pvBuffer));
  961. DebugLog((DEB_TRACE, "Output: cbData:0x%x, cbBuffer:0x%x, pvBuffer:0x%8.8x\n",
  962. pCommOutput->cbData,
  963. pCommOutput->cbBuffer,
  964. pCommOutput->pvBuffer));
  966. // Compute encrypted message size.
  967. cbMessage = Ssl3CiphertextLen(pContext, pAppInput->cbData, TRUE);
  969. pctRet = Ssl3EncryptRaw(pContext, pAppInput, pCommOutput, SSL3_CT_APPLICATIONDATA);
  970. if(pctRet != PCT_ERR_OK)
  971. {
  972. SP_RETURN(SP_LOG_RESULT(pctRet));
  973. }
  975. SetWrapNoEncrypt(pCommOutput->pvBuffer,
  976. SSL3_CT_APPLICATIONDATA,
  977. cbMessage - sizeof(SWRAP));
  978. if(pContext->RipeZombie->fProtocol & SP_PROT_TLS1)
  979. {
  980. ((PUCHAR)pCommOutput->pvBuffer)[02] = TLS1_CLIENT_VERSION_LSB;
  981. }
  983. DebugLog((DEB_TRACE, "Output: cbData:0x%x, cbBuffer:0x%x, pvBuffer:0x%8.8x\n",
  984. pCommOutput->cbData,
  985. pCommOutput->cbBuffer,
  986. pCommOutput->pvBuffer));
  988. SP_RETURN(PCT_ERR_OK);
  989. }
  992. //+---------------------------------------------------------------------------
  993. //
  994. // Function: Ssl3DecryptMessage
  995. //
  996. // Synopsis: Decode an SSL3 record.
  997. //
  998. // Arguments: [pContext] -- Schannel context.
  999. // [pMessage] -- Data from the remote party.
  1000. // [pAppOutput] -- (output) Decrypted data.
  1001. //
  1002. // History: 10-22-97 jbanes CAPI integrated.
  1003. //
  1004. // Notes: The number of input data bytes consumed by this function
  1005. // is returned in pMessage->cbData.
  1006. //
  1007. //----------------------------------------------------------------------------
  1008. SP_STATUS WINAPI
  1009. Ssl3DecryptMessage( PSPContext pContext,
  1010. PSPBuffer pMessage,
  1011. PSPBuffer pAppOutput)
  1012. {
  1013. SP_STATUS pctRet;
  1014. SPBuffer Clean;
  1015. SPBuffer Encrypted;
  1016. UCHAR rgbDigest[SP_MAX_DIGEST_LEN];
  1017. PUCHAR pbMAC;
  1018. DWORD dwLength, cbActualData;
  1019. SWRAP *pswrap = pMessage->pvBuffer;
  1020. DWORD dwVersion;
  1022. DWORD cbBlock;
  1023. DWORD cbPadding;
  1025. SP_BEGIN("Ssl3DecryptMessage");
  1027. if((pContext == NULL) ||
  1028. (pContext->pReadCipherInfo == NULL) ||
  1029. (pContext->RipeZombie == NULL) ||
  1030. (pAppOutput == NULL) ||
  1031. (pMessage == NULL) ||
  1032. (pMessage->pvBuffer == NULL))
  1033. {
  1034. SP_RETURN(SP_LOG_RESULT(PCT_INT_INTERNAL_ERROR));
  1035. }
  1037. /* First determine the length of data, the length of padding,
  1038. * and the location of data, and the location of MAC */
  1039. cbActualData = pMessage->cbData;
  1040. pMessage->cbData = sizeof(SWRAP); /* minimum amount of data we need */
  1042. if(cbActualData < sizeof(SWRAP))
  1043. {
  1044. SP_RETURN(PCT_INT_INCOMPLETE_MSG);
  1045. }
  1047. dwVersion = COMBINEBYTES(pswrap->bMajor, pswrap->bMinor);
  1048. if(dwVersion != SSL3_CLIENT_VERSION && dwVersion != TLS1_CLIENT_VERSION)
  1049. {
  1050. SP_RETURN(SP_LOG_RESULT(PCT_INT_ILLEGAL_MSG));
  1051. }
  1053. dwLength = COMBINEBYTES(pswrap->bcbMSBSize, pswrap->bcbLSBSize);
  1055. Encrypted.pvBuffer = (PUCHAR)pMessage->pvBuffer + sizeof(SWRAP);
  1056. Encrypted.cbBuffer = pMessage->cbBuffer - sizeof(SWRAP);
  1058. pMessage->cbData += dwLength ;
  1060. if(pMessage->cbData > cbActualData)
  1061. {
  1062. SP_RETURN(PCT_INT_INCOMPLETE_MSG);
  1063. }
  1065. Encrypted.cbData = dwLength; /* encrypted data size */
  1067. SP_ASSERT(Encrypted.cbData != 0);
  1069. /* check to see if we have a block size violation */
  1070. if(Encrypted.cbData % pContext->pReadCipherInfo->dwBlockSize)
  1071. {
  1072. SP_RETURN(SP_LOG_RESULT(PCT_INT_MSG_ALTERED));
  1073. }
  1075. // Transfer the read key over from the application process.
  1076. if(pContext->hReadKey == 0 &&
  1077. pContext->pReadCipherInfo->aiCipher != CALG_NULLCIPHER)
  1078. {
  1079. DebugLog((DEB_TRACE, "Transfer read key from user process.\n"));
  1080. pctRet = SPGetUserKeys(pContext, SCH_FLAG_READ_KEY);
  1081. if(pctRet != PCT_ERR_OK)
  1082. {
  1083. return SP_LOG_RESULT(pctRet);
  1084. }
  1085. }
  1087. // Decrypt message.
  1088. if(pContext->pReadCipherInfo->aiCipher != CALG_NULLCIPHER)
  1089. {
  1090. if(!SchCryptDecrypt(pContext->hReadKey,
  1091. 0, FALSE, 0,
  1092. Encrypted.pvBuffer,
  1093. &Encrypted.cbData,
  1094. pContext->RipeZombie->dwCapiFlags))
  1095. {
  1096. SP_LOG_RESULT(GetLastError());
  1097. SP_RETURN(PCT_INT_INTERNAL_ERROR);
  1098. }
  1099. }
  1101. // Remove block cipher padding.
  1102. cbBlock = pContext->pReadCipherInfo->dwBlockSize;
  1103. if(cbBlock > 1)
  1104. {
  1105. // This is a block cipher.
  1106. cbPadding = *((PUCHAR)Encrypted.pvBuffer + Encrypted.cbData - 1) + 1;
  1108. if(pContext->RipeZombie->fProtocol & SP_PROT_SSL3)
  1109. {
  1110. if(cbPadding > cbBlock || cbPadding >= Encrypted.cbData)
  1111. {
  1112. // Invalid pad size.
  1113. DebugLog((DEB_WARN, "FINISHED Message: Padding Invalid\n"));
  1114. SP_RETURN(SP_LOG_RESULT(PCT_INT_MSG_ALTERED));
  1115. }
  1116. }
  1117. else
  1118. {
  1119. if(cbPadding > 256 || cbPadding >= Encrypted.cbData)
  1120. {
  1121. // Invalid pad size.
  1122. DebugLog((DEB_WARN, "FINISHED Message: Padding Invalid\n"));
  1123. SP_RETURN(SP_LOG_RESULT(PCT_INT_MSG_ALTERED));
  1124. }
  1125. }
  1126. Encrypted.cbData -= cbPadding;
  1127. }
  1130. if(Encrypted.cbData < pContext->pReadHashInfo->cbCheckSum)
  1131. {
  1132. SP_RETURN(SP_LOG_RESULT(PCT_INT_MSG_ALTERED));
  1133. }
  1135. // Validate MAC.
  1136. Clean.pvBuffer = Encrypted.pvBuffer;
  1137. Clean.cbData = Encrypted.cbData - pContext->pReadHashInfo->cbCheckSum;
  1138. Clean.cbBuffer = Clean.cbData;
  1140. if(pContext->RipeZombie->fProtocol & SP_PROT_SSL3)
  1141. {
  1142. pctRet = Ssl3ComputeMac(pContext,
  1143. TRUE,
  1144. &Clean,
  1145. pswrap->bCType,
  1146. rgbDigest,
  1147. sizeof(rgbDigest));
  1148. if(pctRet != PCT_ERR_OK)
  1149. {
  1150. return pctRet;
  1151. }
  1152. }
  1153. else
  1154. {
  1155. pctRet = Tls1ComputeMac(pContext,
  1156. TRUE,
  1157. &Clean,
  1158. pswrap->bCType,
  1159. rgbDigest,
  1160. sizeof(rgbDigest));
  1161. if(pctRet != PCT_ERR_OK)
  1162. {
  1163. return pctRet;
  1164. }
  1165. }
  1167. pContext->ReadCounter++;
  1169. pbMAC = (PUCHAR)Clean.pvBuffer + Clean.cbData;
  1171. if(memcmp(rgbDigest, pbMAC, pContext->pReadHashInfo->cbCheckSum))
  1172. {
  1173. DebugLog((DEB_WARN, "FINISHED Message: Checksum Invalid\n"));
  1174. if(pContext->RipeZombie->fProtocol & SP_PROT_TLS1)
  1175. {
  1176. SetTls1Alert(pContext, TLS1_ALERT_FATAL, TLS1_ALERT_BAD_RECORD_MAC);
  1177. }
  1178. SP_RETURN(SP_LOG_RESULT(SEC_E_MESSAGE_ALTERED));
  1179. }
  1181. if(pAppOutput->pvBuffer != Clean.pvBuffer)
  1182. {
  1183. CopyMemory(pAppOutput->pvBuffer, Clean.pvBuffer, Clean.cbData);
  1184. }
  1186. pAppOutput->cbData = Clean.cbData;
  1188. SP_RETURN(PCT_ERR_OK);
  1189. }
  1192. /*****************************************************************************/
  1193. // Create an encrypted Finish message, adding it to the end of the
  1194. // specified buffer object.
  1195. //
  1196. SP_STATUS SPBuildS3FinalFinish(PSPContext pContext, PSPBuffer pBuffer, BOOL fClient)
  1197. {
  1198. PBYTE pbMessage = (PBYTE)pBuffer->pvBuffer + pBuffer->cbData;
  1199. DWORD cbFinished;
  1200. SP_STATUS pctRet;
  1201. DWORD cbDataOut;
  1203. BYTE rgbMd5Digest[CB_MD5_DIGEST_LEN];
  1204. BYTE rgbSHADigest[CB_SHA_DIGEST_LEN];
  1206. // Build Finished message body.
  1207. pctRet = Ssl3BuildFinishMessage(pContext, rgbMd5Digest, rgbSHADigest, fClient);
  1208. if(pctRet != PCT_ERR_OK)
  1209. {
  1210. return pctRet;
  1211. }
  1213. CopyMemory(pbMessage + sizeof(SWRAP) + sizeof(SHSH),
  1214. rgbMd5Digest,
  1215. CB_MD5_DIGEST_LEN);
  1216. CopyMemory(pbMessage + sizeof(SWRAP) + sizeof(SHSH) + CB_MD5_DIGEST_LEN,
  1217. rgbSHADigest,
  1218. CB_SHA_DIGEST_LEN);
  1220. // Build Finished handshake header.
  1221. SetHandshake(pbMessage + sizeof(SWRAP),
  1222. SSL3_HS_FINISHED,
  1223. NULL,
  1224. CB_MD5_DIGEST_LEN + CB_SHA_DIGEST_LEN);
  1225. cbFinished = sizeof(SHSH) + CB_MD5_DIGEST_LEN + CB_SHA_DIGEST_LEN;
  1227. // Update handshake hash objects.
  1228. pctRet = UpdateHandshakeHash(pContext,
  1229. pbMessage + sizeof(SWRAP),
  1230. cbFinished,
  1231. FALSE);
  1232. if(pctRet != PCT_ERR_OK)
  1233. {
  1234. return(pctRet);
  1235. }
  1237. // Add record header and encrypt message.
  1238. pctRet = SPSetWrap(pContext,
  1239. pbMessage,
  1240. SSL3_CT_HANDSHAKE,
  1241. cbFinished,
  1242. fClient,
  1243. &cbDataOut);
  1245. if(pctRet != PCT_ERR_OK)
  1246. {
  1247. return pctRet;
  1248. }
  1250. // Update buffer length.
  1251. pBuffer->cbData += cbDataOut;
  1253. SP_ASSERT(pBuffer->cbData <= pBuffer->cbBuffer);
  1255. return PCT_ERR_OK;
  1256. }
  1258. SP_STATUS
  1259. SPSetWrap(
  1260. PSPContext pContext,
  1261. PUCHAR pbMessage,
  1262. UCHAR bContentType,
  1263. DWORD cbPayload,
  1264. BOOL fClient,
  1265. DWORD *pcbDataOut)
  1266. {
  1267. SWRAP *pswrap = (SWRAP *)pbMessage;
  1268. DWORD cbMessage;
  1269. SP_STATUS pctRet = PCT_ERR_OK;
  1271. // Compute size of encrypted message.
  1272. cbMessage = Ssl3CiphertextLen(pContext, cbPayload, fClient);
  1274. if(pContext->pWriteHashInfo)
  1275. {
  1276. SPBuffer Clean;
  1277. SPBuffer Encrypted;
  1279. Clean.pvBuffer = pbMessage + sizeof(SWRAP);
  1280. Clean.cbBuffer = cbMessage;
  1281. Clean.cbData = cbPayload;
  1283. Encrypted.pvBuffer = pbMessage;
  1284. Encrypted.cbBuffer = cbMessage;
  1285. Encrypted.cbData = cbPayload + sizeof(SWRAP);
  1287. pctRet = Ssl3EncryptRaw(pContext, &Clean, &Encrypted, bContentType);
  1288. cbMessage = Encrypted.cbData;
  1289. }
  1291. ZeroMemory(pswrap, sizeof(SWRAP));
  1292. pswrap->bCType = bContentType;
  1293. pswrap->bMajor = SSL3_CLIENT_VERSION_MSB;
  1294. if(pContext->RipeZombie->fProtocol & SP_PROT_SSL3)
  1295. {
  1296. pswrap->bMinor = (UCHAR)SSL3_CLIENT_VERSION_LSB;
  1297. }
  1298. else
  1299. {
  1300. pswrap->bMinor = (UCHAR)TLS1_CLIENT_VERSION_LSB;
  1301. }
  1302. pswrap->bcbMSBSize = MSBOF(cbMessage - sizeof(SWRAP));
  1303. pswrap->bcbLSBSize = LSBOF(cbMessage - sizeof(SWRAP));
  1305. if(pcbDataOut != NULL)
  1306. {
  1307. *pcbDataOut = cbMessage;
  1308. }
  1310. return(pctRet);
  1311. }
  1313. void
  1314. SetWrapNoEncrypt(
  1315. PUCHAR pbMessage,
  1316. UCHAR bContentType,
  1317. DWORD cbPayload)
  1318. {
  1319. SWRAP *pswrap = (SWRAP *)pbMessage;
  1321. ZeroMemory(pswrap, sizeof(SWRAP));
  1322. pswrap->bCType = bContentType;
  1323. pswrap->bMajor = SSL3_CLIENT_VERSION_MSB;
  1324. pswrap->bMinor = SSL3_CLIENT_VERSION_LSB;
  1325. pswrap->bcbMSBSize = MSBOF(cbPayload);
  1326. pswrap->bcbLSBSize = LSBOF(cbPayload);
  1327. }
  1330. void SetHandshake(PUCHAR pb, BYTE bHandshake, PUCHAR pbData, DWORD dwSize)
  1331. {
  1332. SHSH *pshsh = (SHSH *) pb;
  1334. FillMemory(pshsh, sizeof(SHSH), 0);
  1335. pshsh->typHS = bHandshake;
  1336. pshsh->bcbMSB = MSBOF(dwSize) ;
  1337. pshsh->bcbLSB = LSBOF(dwSize) ;
  1338. if(NULL != pbData)
  1339. {
  1340. CopyMemory( pb + sizeof(SHSH) , pbData, dwSize);
  1341. }
  1342. }
  1346. //+---------------------------------------------------------------------------
  1347. //
  1348. // Function: UpdateHandshakeHash
  1349. //
  1350. // Synopsis:
  1351. //
  1352. // Arguments: [pContext] --
  1353. // [pb] --
  1354. // [dwcb] --
  1355. // [fInit] --
  1356. //
  1357. // History: 10-03-97 jbanes Added server-side CAPI integration.
  1358. //
  1359. // Notes:
  1360. //
  1361. //----------------------------------------------------------------------------
  1362. SP_STATUS
  1363. UpdateHandshakeHash(
  1364. PSPContext pContext,
  1365. PUCHAR pb,
  1366. DWORD dwcb,
  1367. BOOL fInit)
  1368. {
  1369. if(pContext->RipeZombie->hMasterProv == 0)
  1370. {
  1371. return SP_LOG_RESULT(PCT_INT_INTERNAL_ERROR);
  1372. }
  1374. if(fInit)
  1375. {
  1376. DebugLog((DEB_TRACE, "UpdateHandshakeHash: initializing\n"));
  1378. if(pContext->hMd5Handshake)
  1379. {
  1380. SchCryptDestroyHash(pContext->hMd5Handshake,
  1381. pContext->RipeZombie->dwCapiFlags);
  1382. pContext->hMd5Handshake = 0;
  1383. }
  1384. if(!SchCryptCreateHash(pContext->RipeZombie->hMasterProv,
  1385. CALG_MD5, 0, 0,
  1386. &pContext->hMd5Handshake,
  1387. pContext->RipeZombie->dwCapiFlags))
  1388. {
  1389. SP_LOG_RESULT(GetLastError());
  1390. return PCT_INT_INTERNAL_ERROR;
  1391. }
  1393. if(pContext->hShaHandshake)
  1394. {
  1395. SchCryptDestroyHash(pContext->hShaHandshake,
  1396. pContext->RipeZombie->dwCapiFlags);
  1397. pContext->hShaHandshake = 0;
  1398. }
  1399. if(!SchCryptCreateHash(pContext->RipeZombie->hMasterProv,
  1400. CALG_SHA, 0, 0,
  1401. &pContext->hShaHandshake,
  1402. pContext->RipeZombie->dwCapiFlags))
  1403. {
  1404. SP_LOG_RESULT(GetLastError());
  1405. return PCT_INT_INTERNAL_ERROR;
  1406. }
  1407. }
  1409. if(pContext->hMd5Handshake == 0 || pContext->hShaHandshake == 0)
  1410. {
  1411. return SP_LOG_RESULT(PCT_INT_INTERNAL_ERROR);
  1412. }
  1414. if(dwcb && NULL != pb)
  1415. {
  1416. DebugLog((DEB_TRACE, "UpdateHandshakeHash: %d bytes\n", dwcb));
  1418. if(!SchCryptHashData(pContext->hMd5Handshake,
  1419. pb, dwcb, 0,
  1420. pContext->RipeZombie->dwCapiFlags))
  1421. {
  1422. SP_LOG_RESULT(GetLastError());
  1423. return PCT_INT_INTERNAL_ERROR;
  1424. }
  1425. if(!SchCryptHashData(pContext->hShaHandshake,
  1426. pb, dwcb, 0,
  1427. pContext->RipeZombie->dwCapiFlags))
  1428. {
  1429. SP_LOG_RESULT(GetLastError());
  1430. return PCT_INT_INTERNAL_ERROR;
  1431. }
  1432. }
  1434. #if VERIFYHASH
  1435. CopyMemory(&rgbF[ibF], pb, dwcb);
  1436. ibF += dwcb;
  1437. #endif
  1439. return PCT_ERR_OK;
  1440. }
  1443. //+---------------------------------------------------------------------------
  1444. //
  1445. // Function: Tls1ComputeCertVerifyHashes
  1446. //
  1447. // Synopsis: Compute the hashes contained by a TLS
  1448. // CertificateVerify message.
  1449. //
  1450. // Arguments: [pContext] -- Schannel context.
  1451. // [pbHash] --
  1452. // [cbHash] --
  1453. //
  1454. // History: 10-14-97 jbanes Created.
  1455. //
  1456. // Notes: The data generated by this routine is always 36 bytes in
  1457. // length, and consists of an MD5 hash followed by an SHA
  1458. // hash.
  1459. //
  1460. // The hash values are computed as:
  1461. //
  1462. // md5_hash = MD5(handshake_messages);
  1463. //
  1464. // sha_hash = SHA(handshake_messages);
  1465. //
  1466. //----------------------------------------------------------------------------
  1467. SP_STATUS
  1468. Tls1ComputeCertVerifyHashes(
  1469. PSPContext pContext, // in
  1470. PBYTE pbMD5, // out
  1471. PBYTE pbSHA) // out
  1472. {
  1473. HCRYPTHASH hHash = 0;
  1474. DWORD cbData;
  1476. if((pContext == NULL) ||
  1477. (pContext->RipeZombie == NULL))
  1478. {
  1479. return SP_LOG_RESULT(PCT_INT_INTERNAL_ERROR);
  1480. }
  1482. if(pbMD5 != NULL)
  1483. {
  1484. // md5_hash = MD5(handshake_messages);
  1485. if(!SchCryptDuplicateHash(pContext->hMd5Handshake,
  1486. NULL,
  1487. 0,
  1488. &hHash,
  1489. pContext->RipeZombie->dwCapiFlags))
  1490. {
  1491. SP_LOG_RESULT(GetLastError());
  1492. return PCT_INT_INTERNAL_ERROR;
  1493. }
  1494. cbData = CB_MD5_DIGEST_LEN;
  1495. if(!SchCryptGetHashParam(hHash,
  1496. HP_HASHVAL,
  1497. pbMD5,
  1498. &cbData,
  1499. 0,
  1500. pContext->RipeZombie->dwCapiFlags))
  1501. {
  1502. SP_LOG_RESULT(GetLastError());
  1503. SchCryptDestroyHash(hHash, pContext->RipeZombie->dwCapiFlags);
  1504. return PCT_INT_INTERNAL_ERROR;
  1505. }
  1506. SP_ASSERT(cbData == CB_MD5_DIGEST_LEN);
  1507. if(!SchCryptDestroyHash(hHash, pContext->RipeZombie->dwCapiFlags))
  1508. {
  1509. SP_LOG_RESULT(GetLastError());
  1510. }
  1511. }
  1513. if(pbSHA != NULL)
  1514. {
  1515. // sha_hash = SHA(handshake_messages);
  1516. if(!SchCryptDuplicateHash(pContext->hShaHandshake,
  1517. NULL,
  1518. 0,
  1519. &hHash,
  1520. pContext->RipeZombie->dwCapiFlags))
  1521. {
  1522. SP_LOG_RESULT(GetLastError());
  1523. return PCT_INT_INTERNAL_ERROR;
  1524. }
  1525. cbData = CB_SHA_DIGEST_LEN;
  1526. if(!SchCryptGetHashParam(hHash,
  1527. HP_HASHVAL, pbSHA,
  1528. &cbData,
  1529. 0,
  1530. pContext->RipeZombie->dwCapiFlags))
  1531. {
  1532. SP_LOG_RESULT(GetLastError());
  1533. SchCryptDestroyHash(hHash, pContext->RipeZombie->dwCapiFlags);
  1534. return PCT_INT_INTERNAL_ERROR;
  1535. }
  1536. SP_ASSERT(cbData == CB_SHA_DIGEST_LEN);
  1537. if(!SchCryptDestroyHash(hHash, pContext->RipeZombie->dwCapiFlags))
  1538. {
  1539. SP_LOG_RESULT(GetLastError());
  1540. }
  1541. }
  1543. return PCT_ERR_OK;
  1544. }
  1546. //+---------------------------------------------------------------------------
  1547. //
  1548. // Function: Ssl3ComputeCertVerifyHashes
  1549. //
  1550. // Synopsis: Compute the hashes contained by an SSL3
  1551. // CertificateVerify message.
  1552. //
  1553. // Arguments: [pContext] -- Schannel context.
  1554. // [pbHash] --
  1555. // [cbHash] --
  1556. //
  1557. // History: 10-14-97 jbanes Added CAPI integration.
  1558. //
  1559. // Notes: The data generated by this routine is always 36 bytes in
  1560. // length, and consists of an MD5 hash followed by an SHA
  1561. // hash.
  1562. //
  1563. // The hash values are computed as follows:
  1564. //
  1565. // md5_hash = MD5(master_secret + pad2 +
  1566. // MD5(handshake_messages + master_secret +
  1567. // pad1));
  1568. //
  1569. // sha_hash = SHA(master_secret + pad2 +
  1570. // SHA(handshake_messages + master_secret +
  1571. // pad1));
  1572. //
  1573. //----------------------------------------------------------------------------
  1574. SP_STATUS
  1575. Ssl3ComputeCertVerifyHashes(
  1576. PSPContext pContext, // in
  1577. PBYTE pbMD5, // out
  1578. PBYTE pbSHA) // out
  1579. {
  1580. BYTE rgbPad1[CB_SSL3_MAX_MAC_PAD];
  1581. BYTE rgbPad2[CB_SSL3_MAX_MAC_PAD];
  1582. HCRYPTHASH hHash = 0;
  1583. DWORD cbData;
  1584. SP_STATUS pctRet;
  1586. FillMemory(rgbPad1, sizeof(rgbPad1), PAD1_CONSTANT);
  1587. FillMemory(rgbPad2, sizeof(rgbPad2), PAD2_CONSTANT);
  1589. if(pbMD5 != NULL)
  1590. {
  1591. //
  1592. // CertificateVerify.signature.md5_hash = MD5(master_secret + pad2 +
  1593. // MD5(handshake_messages + master_secret + pad1));
  1594. //
  1596. // Compute inner hash.
  1597. if(!SchCryptDuplicateHash(pContext->hMd5Handshake,
  1598. NULL,
  1599. 0,
  1600. &hHash,
  1601. pContext->RipeZombie->dwCapiFlags))
  1602. {
  1603. SP_LOG_RESULT(GetLastError());
  1604. pctRet = PCT_INT_INTERNAL_ERROR;
  1605. goto cleanup;
  1606. }
  1607. if(!SchCryptHashSessionKey(hHash,
  1608. pContext->RipeZombie->hMasterKey,
  1609. CRYPT_LITTLE_ENDIAN,
  1610. pContext->RipeZombie->dwCapiFlags))
  1611. {
  1612. SP_LOG_RESULT(GetLastError());
  1613. pctRet = PCT_INT_INTERNAL_ERROR;
  1614. goto cleanup;
  1615. }
  1616. if(!SchCryptHashData(hHash,
  1617. rgbPad1,
  1618. CB_SSL3_MD5_MAC_PAD,
  1619. 0,
  1620. pContext->RipeZombie->dwCapiFlags))
  1621. {
  1622. SP_LOG_RESULT(GetLastError());
  1623. pctRet = PCT_INT_INTERNAL_ERROR;
  1624. goto cleanup;
  1625. }
  1626. cbData = CB_MD5_DIGEST_LEN;
  1627. if(!SchCryptGetHashParam(hHash,
  1628. HP_HASHVAL,
  1629. pbMD5,
  1630. &cbData,
  1631. 0,
  1632. pContext->RipeZombie->dwCapiFlags))
  1633. {
  1634. SP_LOG_RESULT(GetLastError());
  1635. pctRet = PCT_INT_INTERNAL_ERROR;
  1636. goto cleanup;
  1637. }
  1638. SP_ASSERT(cbData == CB_MD5_DIGEST_LEN);
  1639. if(!SchCryptDestroyHash(hHash, pContext->RipeZombie->dwCapiFlags))
  1640. {
  1641. SP_LOG_RESULT(GetLastError());
  1642. }
  1643. hHash = 0;
  1645. // Compute outer hash.
  1646. if(!SchCryptCreateHash(pContext->RipeZombie->hMasterProv,
  1647. CALG_MD5,
  1648. 0,
  1649. 0,
  1650. &hHash,
  1651. pContext->RipeZombie->dwCapiFlags))
  1652. {
  1653. SP_LOG_RESULT(GetLastError());
  1654. pctRet = PCT_INT_INTERNAL_ERROR;
  1655. goto cleanup;
  1656. }
  1657. if(!SchCryptHashSessionKey(hHash,
  1658. pContext->RipeZombie->hMasterKey,
  1659. CRYPT_LITTLE_ENDIAN,
  1660. pContext->RipeZombie->dwCapiFlags))
  1661. {
  1662. SP_LOG_RESULT(GetLastError());
  1663. pctRet = PCT_INT_INTERNAL_ERROR;
  1664. goto cleanup;
  1665. }
  1666. if(!SchCryptHashData(hHash,
  1667. rgbPad2,
  1668. CB_SSL3_MD5_MAC_PAD,
  1669. 0,
  1670. pContext->RipeZombie->dwCapiFlags))
  1671. {
  1672. SP_LOG_RESULT(GetLastError());
  1673. pctRet = PCT_INT_INTERNAL_ERROR;
  1674. goto cleanup;
  1675. }
  1676. if(!SchCryptHashData(hHash,
  1677. pbMD5,
  1678. CB_MD5_DIGEST_LEN,
  1679. 0,
  1680. pContext->RipeZombie->dwCapiFlags))
  1681. {
  1682. SP_LOG_RESULT(GetLastError());
  1683. pctRet = PCT_INT_INTERNAL_ERROR;
  1684. goto cleanup;
  1685. }
  1686. cbData = CB_MD5_DIGEST_LEN;
  1687. if(!SchCryptGetHashParam(hHash,
  1688. HP_HASHVAL,
  1689. pbMD5,
  1690. &cbData,
  1691. 0,
  1692. pContext->RipeZombie->dwCapiFlags))
  1693. {
  1694. SP_LOG_RESULT(GetLastError());
  1695. pctRet = PCT_INT_INTERNAL_ERROR;
  1696. goto cleanup;
  1697. }
  1698. SP_ASSERT(cbData == CB_MD5_DIGEST_LEN);
  1699. if(!SchCryptDestroyHash(hHash, pContext->RipeZombie->dwCapiFlags))
  1700. {
  1701. SP_LOG_RESULT(GetLastError());
  1702. }
  1703. hHash = 0;
  1704. }
  1706. if(pbSHA != NULL)
  1707. {
  1708. //
  1709. // CertificateVerify.signature.sha_hash = SHA(master_secret + pad2 +
  1710. // SHA(handshake_messages + master_secret + pad1));
  1711. //
  1713. // Compute inner hash.
  1714. if(!SchCryptDuplicateHash(pContext->hShaHandshake,
  1715. NULL,
  1716. 0,
  1717. &hHash,
  1718. pContext->RipeZombie->dwCapiFlags))
  1719. {
  1720. SP_LOG_RESULT(GetLastError());
  1721. pctRet = PCT_INT_INTERNAL_ERROR;
  1722. goto cleanup;
  1723. }
  1724. if(!SchCryptHashSessionKey(hHash,
  1725. pContext->RipeZombie->hMasterKey,
  1726. CRYPT_LITTLE_ENDIAN,
  1727. pContext->RipeZombie->dwCapiFlags))
  1728. {
  1729. SP_LOG_RESULT(GetLastError());
  1730. pctRet = PCT_INT_INTERNAL_ERROR;
  1731. goto cleanup;
  1732. }
  1733. if(!SchCryptHashData(hHash,
  1734. rgbPad1,
  1735. CB_SSL3_SHA_MAC_PAD,
  1736. 0,
  1737. pContext->RipeZombie->dwCapiFlags))
  1738. {
  1739. SP_LOG_RESULT(GetLastError());
  1740. pctRet = PCT_INT_INTERNAL_ERROR;
  1741. goto cleanup;
  1742. }
  1743. cbData = CB_SHA_DIGEST_LEN;
  1744. if(!SchCryptGetHashParam(hHash,
  1745. HP_HASHVAL,
  1746. pbSHA,
  1747. &cbData,
  1748. 0,
  1749. pContext->RipeZombie->dwCapiFlags))
  1750. {
  1751. SP_LOG_RESULT(GetLastError());
  1752. pctRet = PCT_INT_INTERNAL_ERROR;
  1753. goto cleanup;
  1754. }
  1755. SP_ASSERT(cbData == CB_SHA_DIGEST_LEN);
  1756. if(!SchCryptDestroyHash(hHash, pContext->RipeZombie->dwCapiFlags))
  1757. {
  1758. SP_LOG_RESULT(GetLastError());
  1759. }
  1760. hHash = 0;
  1762. // Compute outer hash.
  1763. if(!SchCryptCreateHash(pContext->RipeZombie->hMasterProv,
  1764. CALG_SHA,
  1765. 0,
  1766. 0,
  1767. &hHash,
  1768. pContext->RipeZombie->dwCapiFlags))
  1769. {
  1770. SP_LOG_RESULT(GetLastError());
  1771. pctRet = PCT_INT_INTERNAL_ERROR;
  1772. goto cleanup;
  1773. }
  1774. if(!SchCryptHashSessionKey(hHash,
  1775. pContext->RipeZombie->hMasterKey,
  1776. CRYPT_LITTLE_ENDIAN,
  1777. pContext->RipeZombie->dwCapiFlags))
  1778. {
  1779. SP_LOG_RESULT(GetLastError());
  1780. pctRet = PCT_INT_INTERNAL_ERROR;
  1781. goto cleanup;
  1782. }
  1783. if(!SchCryptHashData(hHash,
  1784. rgbPad2,
  1785. CB_SSL3_SHA_MAC_PAD,
  1786. 0,
  1787. pContext->RipeZombie->dwCapiFlags))
  1788. {
  1789. SP_LOG_RESULT(GetLastError());
  1790. pctRet = PCT_INT_INTERNAL_ERROR;
  1791. goto cleanup;
  1792. }
  1793. if(!SchCryptHashData(hHash,
  1794. pbSHA,
  1795. CB_SHA_DIGEST_LEN,
  1796. 0,
  1797. pContext->RipeZombie->dwCapiFlags))
  1798. {
  1799. SP_LOG_RESULT(GetLastError());
  1800. pctRet = PCT_INT_INTERNAL_ERROR;
  1801. goto cleanup;
  1802. }
  1803. cbData = CB_SHA_DIGEST_LEN;
  1804. if(!SchCryptGetHashParam(hHash,
  1805. HP_HASHVAL,
  1806. pbSHA,
  1807. &cbData,
  1808. 0,
  1809. pContext->RipeZombie->dwCapiFlags))
  1810. {
  1811. SP_LOG_RESULT(GetLastError());
  1812. pctRet = PCT_INT_INTERNAL_ERROR;
  1813. goto cleanup;
  1814. }
  1815. SP_ASSERT(cbData == CB_SHA_DIGEST_LEN);
  1816. if(!SchCryptDestroyHash(hHash, pContext->RipeZombie->dwCapiFlags))
  1817. {
  1818. SP_LOG_RESULT(GetLastError());
  1819. }
  1820. hHash = 0;
  1821. }
  1823. pctRet = PCT_ERR_OK;
  1825. cleanup:
  1827. if(hHash)
  1828. {
  1829. SchCryptDestroyHash(hHash, pContext->RipeZombie->dwCapiFlags);
  1830. }
  1832. return pctRet;
  1833. }
  1836. SP_STATUS Ssl3HandleCCS(PSPContext pContext,
  1837. PUCHAR pb,
  1838. DWORD cbMessage)
  1839. {
  1841. SP_STATUS pctRet = PCT_ERR_OK;
  1842. BOOL fSender =
  1843. (0 == (pContext->RipeZombie->fProtocol & SP_PROT_SSL3TLS1_CLIENTS)) ;
  1846. SP_BEGIN("Ssl3HandleCCS");
  1848. if(cbMessage != 1 || pb[0] != 0x1)
  1849. {
  1850. pctRet = SP_LOG_RESULT(PCT_ERR_ILLEGAL_MESSAGE);
  1851. SP_RETURN(pctRet);
  1852. }
  1854. // We always zero out the read counter on receipt
  1855. // of a change cipher spec message.
  1856. pContext->ReadCounter = 0;
  1859. // Move pending ciphers to real ciphers
  1860. pctRet = ContextInitCiphers(pContext, TRUE, FALSE);
  1862. if(pctRet != PCT_ERR_OK)
  1863. {
  1864. SP_RETURN(pctRet);
  1865. }
  1867. if(pContext->RipeZombie->fProtocol & SP_PROT_SSL3)
  1868. {
  1869. pctRet = Ssl3MakeReadSessionKeys(pContext);
  1870. }
  1871. else
  1872. {
  1873. pctRet = Tls1MakeReadSessionKeys(pContext);
  1874. }
  1875. if(pctRet != PCT_ERR_OK)
  1876. {
  1877. SP_RETURN(pctRet);
  1878. }
  1880. if(fSender)
  1881. {
  1882. pContext->wS3CipherSuiteClient = (WORD)UniAvailableCiphers[pContext->dwPendingCipherSuiteIndex].CipherKind;
  1883. pContext->State = SSL3_STATE_CHANGE_CIPHER_SPEC_SERVER;
  1884. }
  1885. else
  1886. {
  1887. pContext->wS3CipherSuiteServer = (WORD)UniAvailableCiphers[pContext->dwPendingCipherSuiteIndex].CipherKind;
  1888. pContext->State = SSL3_STATE_CHANGE_CIPHER_SPEC_CLIENT;
  1889. }
  1890. SP_RETURN(PCT_ERR_OK);
  1891. }
  1894. /*****************************************************************************/
  1895. // Create a (possibly encrypted) ChangeCipherSpec and an encrypted
  1896. // Finish message, adding them to the end of the specified buffer object.
  1897. //
  1898. SP_STATUS
  1899. BuildCCSAndFinishMessage(
  1900. PSPContext pContext,
  1901. PSPBuffer pBuffer,
  1902. BOOL fClient)
  1903. {
  1904. SP_STATUS pctRet;
  1905. PBYTE pbMessage = (PBYTE)pBuffer->pvBuffer + pBuffer->cbData;
  1906. DWORD cbDataOut;
  1908. // Build ChangeCipherSpec message body.
  1909. *(pbMessage + sizeof(SWRAP)) = 0x1;
  1911. // Add record header and encrypt message.
  1912. pctRet = SPSetWrap(pContext,
  1913. pbMessage,
  1914. SSL3_CT_CHANGE_CIPHER_SPEC,
  1915. 1,
  1916. fClient,
  1917. &cbDataOut);
  1919. if(pctRet != PCT_ERR_OK)
  1920. return(pctRet);
  1922. // Update buffer length.
  1923. pBuffer->cbData += cbDataOut;
  1925. SP_ASSERT(pBuffer->cbData <= pBuffer->cbBuffer);
  1927. // Update cipher suites.
  1928. pContext->WriteCounter = 0;
  1930. pctRet = ContextInitCiphers(pContext, FALSE, TRUE);
  1931. if(pctRet != PCT_ERR_OK)
  1932. {
  1933. return(pctRet);
  1934. }
  1936. if(pContext->RipeZombie->fProtocol & SP_PROT_SSL3)
  1937. {
  1938. pctRet = Ssl3MakeWriteSessionKeys(pContext);
  1939. }
  1940. else
  1941. {
  1942. pctRet = Tls1MakeWriteSessionKeys(pContext);
  1943. }
  1944. if(pctRet != PCT_ERR_OK)
  1945. {
  1946. return(pctRet);
  1947. }
  1949. if(fClient)
  1950. {
  1951. pContext->wS3CipherSuiteClient = (WORD)UniAvailableCiphers[pContext->dwPendingCipherSuiteIndex].CipherKind;
  1952. }
  1953. else
  1954. {
  1955. pContext->wS3CipherSuiteServer = (WORD)UniAvailableCiphers[pContext->dwPendingCipherSuiteIndex].CipherKind;
  1956. }
  1958. // Build Finish message.
  1959. if(pContext->RipeZombie->fProtocol & SP_PROT_SSL3)
  1960. {
  1961. pctRet = SPBuildS3FinalFinish(pContext, pBuffer, fClient);
  1962. }
  1963. else
  1964. {
  1965. pctRet = SPBuildTls1FinalFinish(pContext, pBuffer, fClient);
  1966. }
  1968. return pctRet;
  1969. }
  1973. SP_STATUS
  1974. Ssl3SelectCipher
  1975. (
  1976. PSPContext pContext,
  1977. WORD wCipher
  1978. )
  1979. {
  1980. SP_STATUS pctRet=PCT_ERR_ILLEGAL_MESSAGE;
  1981. DWORD i;
  1982. PCipherInfo pCipherInfo = NULL;
  1983. PHashInfo pHashInfo = NULL;
  1984. PKeyExchangeInfo pExchInfo = NULL;
  1986. pContext->dwPendingCipherSuiteIndex = 0;
  1988. for(i = 0; i < UniNumCiphers; i++)
  1989. {
  1990. // Is this an SSL3 cipher suite?
  1991. if(!(UniAvailableCiphers[i].fProt & pContext->RipeZombie->fProtocol))
  1992. {
  1993. continue;
  1994. }
  1996. // Is this the right cipher suite?
  1997. if(UniAvailableCiphers[i].CipherKind != wCipher)
  1998. {
  1999. continue;
  2000. }
  2002. pCipherInfo = GetCipherInfo(UniAvailableCiphers[i].aiCipher, UniAvailableCiphers[i].dwStrength);
  2003. pHashInfo = GetHashInfo(UniAvailableCiphers[i].aiHash);
  2004. pExchInfo = GetKeyExchangeInfo(UniAvailableCiphers[i].KeyExch);
  2006. if(!IsCipherAllowed(pContext,
  2007. pCipherInfo,
  2008. pContext->RipeZombie->fProtocol,
  2009. pContext->RipeZombie->dwCF))
  2010. {
  2011. continue;
  2012. }
  2013. if(!IsHashAllowed(pContext, pHashInfo, pContext->RipeZombie->fProtocol))
  2014. {
  2015. continue;
  2016. }
  2017. if(!IsExchAllowed(pContext, pExchInfo, pContext->RipeZombie->fProtocol))
  2018. {
  2019. continue;
  2020. }
  2023. if(pContext->RipeZombie->fProtocol & SP_PROT_SSL3TLS1_SERVERS)
  2024. {
  2025. // Determine the credentials (and CSP) to use, based on the
  2026. // key exchange algorithm.
  2027. pctRet = SPPickClientCertificate(pContext,
  2028. UniAvailableCiphers[i].KeyExch);
  2030. if(pctRet != PCT_ERR_OK)
  2031. {
  2032. continue;
  2033. }
  2034. }
  2036. pContext->RipeZombie->dwCipherSuiteIndex = i;
  2037. pContext->RipeZombie->aiCipher = UniAvailableCiphers[i].aiCipher;
  2038. pContext->RipeZombie->dwStrength = UniAvailableCiphers[i].dwStrength;
  2039. pContext->RipeZombie->aiHash = UniAvailableCiphers[i].aiHash;
  2040. pContext->RipeZombie->SessExchSpec = UniAvailableCiphers[i].KeyExch;
  2042. return ContextInitCiphersFromCache(pContext);
  2043. }
  2045. return(SP_LOG_RESULT(PCT_ERR_ILLEGAL_MESSAGE));
  2046. }
  2048. // Server side cipher selection
  2050. SP_STATUS
  2051. Ssl3SelectCipherEx(
  2052. PSPContext pContext,
  2053. DWORD *pCipherSpecs,
  2054. DWORD cCipherSpecs)
  2055. {
  2056. DWORD i, j;
  2057. SP_STATUS pctRet;
  2058. PCipherInfo pCipherInfo = NULL;
  2059. PHashInfo pHashInfo = NULL;
  2060. PKeyExchangeInfo pExchInfo = NULL;
  2061. PSPCredential pCred = NULL;
  2062. BOOL fFound;
  2064. pContext->dwPendingCipherSuiteIndex = 0;
  2066. // Loop through the supported SSL3 cipher suites.
  2067. for(i = 0; i < UniNumCiphers; i++)
  2068. {
  2069. // Is this an SSL3 cipher suite?
  2070. if(!(UniAvailableCiphers[i].fProt & pContext->RipeZombie->fProtocol))
  2071. {
  2072. continue;
  2073. }
  2075. pCipherInfo = GetCipherInfo(UniAvailableCiphers[i].aiCipher,
  2076. UniAvailableCiphers[i].dwStrength);
  2077. pHashInfo = GetHashInfo(UniAvailableCiphers[i].aiHash);
  2078. pExchInfo = GetKeyExchangeInfo(UniAvailableCiphers[i].KeyExch);
  2080. // Do we currently support this hash and key exchange algorithm?
  2081. if(!IsHashAllowed(pContext, pHashInfo, pContext->RipeZombie->fProtocol))
  2082. {
  2083. DebugLog((DEB_TRACE, "Cipher %d - hash not supported\n", i));
  2084. continue;
  2085. }
  2086. if(!IsExchAllowed(pContext, pExchInfo, pContext->RipeZombie->fProtocol))
  2087. {
  2088. DebugLog((DEB_TRACE, "Cipher %d - exch not supported\n", i));
  2089. continue;
  2090. }
  2092. // Do we have an appropriate certificate?
  2093. if(pContext->RipeZombie->fProtocol & SP_PROT_SSL3TLS1_SERVERS)
  2094. {
  2095. pctRet = SPPickServerCertificate(pContext,
  2096. UniAvailableCiphers[i].KeyExch);
  2098. if(pctRet != PCT_ERR_OK)
  2099. {
  2100. DebugLog((DEB_TRACE, "Cipher %d - certificate %d not found\n",
  2101. i, UniAvailableCiphers[i].KeyExch));
  2102. continue;
  2103. }
  2104. }
  2105. pCred = pContext->RipeZombie->pActiveServerCred;
  2108. // Do we support this encryption algorithm/key length?
  2109. if(!IsCipherSuiteAllowed(pContext,
  2110. pCipherInfo,
  2111. pContext->RipeZombie->fProtocol,
  2112. pCred->dwCF,
  2113. UniAvailableCiphers[i].dwFlags))
  2114. {
  2115. DebugLog((DEB_TRACE, "Cipher %d - cipher not supported\n", i));
  2116. continue;
  2117. }
  2119. // Is this cipher suite supported by the client?
  2120. for(fFound = FALSE, j = 0; j < cCipherSpecs; j++)
  2121. {
  2122. if(UniAvailableCiphers[i].CipherKind == pCipherSpecs[j])
  2123. {
  2124. fFound = TRUE;
  2125. break;
  2126. }
  2127. }
  2128. if(!fFound)
  2129. {
  2130. DebugLog((DEB_TRACE, "Cipher %d - not supported by client\n", i));
  2131. continue;
  2132. }
  2135. if(UniAvailableCiphers[i].KeyExch == SP_EXCH_RSA_PKCS1)
  2136. {
  2137. // This is an RSA cipher suite, so make sure that the
  2138. // CSP supports it.
  2139. if(!IsAlgSupportedCapi(pContext->RipeZombie->fProtocol,
  2140. UniAvailableCiphers + i,
  2141. pCred->pCapiAlgs,
  2142. pCred->cCapiAlgs))
  2143. {
  2144. DebugLog((DEB_TRACE, "Cipher %d - not supported by csp\n", i));
  2145. continue;
  2146. }
  2147. }
  2150. if(UniAvailableCiphers[i].KeyExch == SP_EXCH_DH_PKCS3)
  2151. {
  2152. // This is a DH cipher suite, so make sure that the
  2153. // CSP supports it.
  2154. if(!IsAlgSupportedCapi(pContext->RipeZombie->fProtocol,
  2155. UniAvailableCiphers + i,
  2156. pCred->pCapiAlgs,
  2157. pCred->cCapiAlgs))
  2158. {
  2159. DebugLog((DEB_TRACE, "Cipher %d - not supported by csp\n", i));
  2160. continue;
  2161. }
  2162. }
  2165. // Use this cipher.
  2166. pContext->RipeZombie->dwCipherSuiteIndex = i;
  2167. pContext->RipeZombie->aiCipher = UniAvailableCiphers[i].aiCipher;
  2168. pContext->RipeZombie->dwStrength = UniAvailableCiphers[i].dwStrength;
  2169. pContext->RipeZombie->aiHash = UniAvailableCiphers[i].aiHash;
  2170. pContext->RipeZombie->SessExchSpec = UniAvailableCiphers[i].KeyExch;
  2171. pContext->RipeZombie->dwCF = pCred->dwCF;
  2173. return ContextInitCiphersFromCache(pContext);
  2174. }
  2176. LogCipherMismatchEvent();
  2178. return SP_LOG_RESULT(PCT_ERR_SPECS_MISMATCH);
  2179. }
  2182. /*****************************************************************************/
  2183. VOID ComputeServerExchangeHashes(
  2184. PSPContext pContext,
  2185. PBYTE pbServerParams, // in
  2186. INT iServerParamsLen, // in
  2187. PBYTE pbMd5HashVal, // out
  2188. PBYTE pbShaHashVal) // out
  2189. {
  2190. MD5_CTX Md5Hash;
  2191. A_SHA_CTX ShaHash;
  2193. //
  2194. // md5_hash = MD5(ClientHello.random + ServerHello.random + ServerParams);
  2195. //
  2196. // sha_hash = SHA(ClientHello.random + ServerHello.random + ServerParams);
  2197. //
  2199. MD5Init(&Md5Hash);
  2200. MD5Update(&Md5Hash, pContext->rgbS3CRandom, 32);
  2201. MD5Update(&Md5Hash, pContext->rgbS3SRandom, 32);
  2202. MD5Update(&Md5Hash, pbServerParams, iServerParamsLen);
  2203. MD5Final(&Md5Hash);
  2204. CopyMemory(pbMd5HashVal, Md5Hash.digest, 16);
  2206. A_SHAInit(&ShaHash);
  2207. A_SHAUpdate(&ShaHash, pContext->rgbS3CRandom, 32);
  2208. A_SHAUpdate(&ShaHash, pContext->rgbS3SRandom, 32);
  2209. A_SHAUpdate(&ShaHash, pbServerParams, iServerParamsLen);
  2210. A_SHAFinal(&ShaHash, pbShaHashVal);
  2211. }
  2213. SP_STATUS
  2214. UnwrapSsl3Message(
  2215. PSPContext pContext,
  2216. PSPBuffer pMsgInput)
  2217. {
  2218. SPBuffer Encrypted;
  2219. SPBuffer Clean;
  2220. SP_STATUS pctRet;
  2221. SWRAP *pswrap = (SWRAP *)pMsgInput->pvBuffer;
  2222. PBYTE pbMsg = (PBYTE)pMsgInput->pvBuffer;
  2224. //
  2225. // Validate 5 byte header.
  2226. //
  2228. // ProtocolVersion version;
  2229. if(COMBINEBYTES(pbMsg[1], pbMsg[2]) < SSL3_CLIENT_VERSION)
  2230. {
  2231. pctRet = SP_LOG_RESULT(PCT_ERR_ILLEGAL_MESSAGE);
  2232. }
  2234. if(COMBINEBYTES(pswrap->bcbMSBSize, pswrap->bcbLSBSize) <
  2235. pContext->pReadHashInfo->cbCheckSum)
  2236. {
  2237. return(PCT_ERR_ILLEGAL_MESSAGE);
  2238. }
  2240. Encrypted.pvBuffer = pMsgInput->pvBuffer;
  2241. Encrypted.cbBuffer = pMsgInput->cbBuffer;
  2242. Encrypted.cbData = pMsgInput->cbData;
  2243. Clean.pvBuffer = (PUCHAR)pMsgInput->pvBuffer + sizeof(SWRAP);
  2244. pctRet = Ssl3DecryptMessage(pContext, &Encrypted, &Clean);
  2245. if(pctRet == PCT_ERR_OK)
  2246. {
  2247. pswrap->bcbMSBSize = MSBOF(Clean.cbData);
  2248. pswrap->bcbLSBSize = LSBOF(Clean.cbData);
  2249. }
  2250. return(pctRet);
  2251. }
  2255. SP_STATUS
  2256. ParseAlertMessage(
  2257. PSPContext pContext,
  2258. PUCHAR pbAlertMsg,
  2259. DWORD cbMessage
  2260. )
  2261. {
  2262. SP_STATUS pctRet=PCT_ERR_OK;
  2263. if(cbMessage != 2)
  2264. {
  2265. return SP_LOG_RESULT(PCT_ERR_ILLEGAL_MESSAGE);
  2266. }
  2268. if(pbAlertMsg[0] != SSL3_ALERT_WARNING && pbAlertMsg[0] != SSL3_ALERT_FATAL)
  2269. {
  2270. return SP_LOG_RESULT(PCT_ERR_ILLEGAL_MESSAGE);
  2271. }
  2273. DebugLog((DEB_WARN, "AlertMessage, Alert Level - %lx\n", (DWORD)pbAlertMsg[0]));
  2274. DebugLog((DEB_WARN, "AlertMessage, Alert Description - %lx\n", (DWORD)pbAlertMsg[1]));
  2276. if(pbAlertMsg[0] == SSL3_ALERT_WARNING)
  2277. {
  2278. switch(pbAlertMsg[1])
  2279. {
  2280. case SSL3_ALERT_NO_CERTIFICATE:
  2281. DebugLog((DEB_TRACE, "no_certificate alert\n"));
  2282. pContext->State = SSL3_STATE_NO_CERT_ALERT;
  2283. pctRet = PCT_ERR_OK;
  2284. break;
  2286. case SSL3_ALERT_CLOSE_NOTIFY:
  2287. DebugLog((DEB_TRACE, "close_notify alert\n"));
  2288. pctRet = SEC_I_CONTEXT_EXPIRED;
  2289. break;
  2291. default:
  2292. DebugLog((DEB_TRACE, "Ignoring warning alert\n"));
  2293. pctRet = PCT_ERR_OK;
  2294. break;
  2295. }
  2296. }
  2297. else
  2298. {
  2299. switch(pbAlertMsg[1])
  2300. {
  2301. case SSL3_ALERT_UNEXPECTED_MESSAGE:
  2302. DebugLog((DEB_TRACE, "unexpected_message alert\n"));
  2303. pctRet = SP_LOG_RESULT(SEC_E_ILLEGAL_MESSAGE);
  2304. break;
  2306. case TLS1_ALERT_BAD_RECORD_MAC:
  2307. DebugLog((DEB_TRACE, "bad_record_mac alert\n"));
  2308. pctRet = SP_LOG_RESULT(SEC_E_MESSAGE_ALTERED);
  2309. break;
  2311. case TLS1_ALERT_DECRYPTION_FAILED:
  2312. DebugLog((DEB_TRACE, "decryption_failed alert\n"));
  2313. pctRet = SP_LOG_RESULT(SEC_E_DECRYPT_FAILURE);
  2314. break;
  2316. case TLS1_ALERT_RECORD_OVERFLOW:
  2317. DebugLog((DEB_TRACE, "record_overflow alert\n"));
  2318. pctRet = SP_LOG_RESULT(SEC_E_ILLEGAL_MESSAGE);
  2319. break;
  2321. case SSL3_ALERT_DECOMPRESSION_FAIL:
  2322. DebugLog((DEB_TRACE, "decompression_fail alert\n"));
  2323. pctRet = SP_LOG_RESULT(SEC_E_MESSAGE_ALTERED);
  2324. break;
  2326. case SSL3_ALERT_HANDSHAKE_FAILURE:
  2327. DebugLog((DEB_TRACE, "handshake_failure alert\n"));
  2328. pctRet = SP_LOG_RESULT(SEC_E_ILLEGAL_MESSAGE);
  2329. break;
  2331. case TLS1_ALERT_BAD_CERTIFICATE:
  2332. DebugLog((DEB_TRACE, "bad_certificate alert\n"));
  2333. pctRet = SP_LOG_RESULT(SEC_E_CERT_UNKNOWN);
  2334. break;
  2336. case TLS1_ALERT_UNSUPPORTED_CERT:
  2337. DebugLog((DEB_TRACE, "unsupported_cert alert\n"));
  2338. pctRet = SP_LOG_RESULT(SEC_E_CERT_UNKNOWN);
  2339. break;
  2341. case TLS1_ALERT_CERTIFICATE_REVOKED:
  2342. DebugLog((DEB_TRACE, "certificate_revoked alert\n"));
  2343. pctRet = SP_LOG_RESULT(CRYPT_E_REVOKED);
  2344. break;
  2346. case TLS1_ALERT_CERTIFICATE_EXPIRED:
  2347. DebugLog((DEB_TRACE, "certificate_expired alert\n"));
  2348. pctRet = SP_LOG_RESULT(SEC_E_CERT_EXPIRED);
  2349. break;
  2351. case TLS1_ALERT_CERTIFICATE_UNKNOWN:
  2352. DebugLog((DEB_TRACE, "certificate_unknown alert\n"));
  2353. pctRet = SP_LOG_RESULT(SEC_E_CERT_UNKNOWN);
  2354. break;
  2356. case SSL3_ALERT_ILLEGAL_PARAMETER:
  2357. DebugLog((DEB_TRACE, "illegal_parameter alert\n"));
  2358. pctRet = SP_LOG_RESULT(SEC_E_ILLEGAL_MESSAGE);
  2359. break;
  2361. case TLS1_ALERT_UNKNOWN_CA:
  2362. DebugLog((DEB_TRACE, "unknown_ca alert\n"));
  2363. pctRet = SP_LOG_RESULT(SEC_E_UNTRUSTED_ROOT);
  2364. break;
  2366. case TLS1_ALERT_ACCESS_DENIED:
  2367. DebugLog((DEB_TRACE, "access_denied alert\n"));
  2368. pctRet = SP_LOG_RESULT(SEC_E_LOGON_DENIED);
  2369. break;
  2371. case TLS1_ALERT_DECODE_ERROR:
  2372. DebugLog((DEB_TRACE, "decode_error alert\n"));
  2373. pctRet = SP_LOG_RESULT(SEC_E_ILLEGAL_MESSAGE);
  2374. break;
  2376. case TLS1_ALERT_DECRYPT_ERROR:
  2377. DebugLog((DEB_TRACE, "decrypt_error alert\n"));
  2378. pctRet = SP_LOG_RESULT(SEC_E_DECRYPT_FAILURE);
  2379. break;
  2381. case TLS1_ALERT_EXPORT_RESTRICTION:
  2382. DebugLog((DEB_TRACE, "export_restriction alert\n"));
  2383. pctRet = SP_LOG_RESULT(SEC_E_ILLEGAL_MESSAGE);
  2384. break;
  2386. case TLS1_ALERT_PROTOCOL_VERSION:
  2387. DebugLog((DEB_TRACE, "protocol_version alert\n"));
  2388. pctRet = SP_LOG_RESULT(SEC_E_UNSUPPORTED_FUNCTION);
  2389. break;
  2391. case TLS1_ALERT_INSUFFIENT_SECURITY:
  2392. DebugLog((DEB_TRACE, "insuffient_security alert\n"));
  2393. pctRet = SP_LOG_RESULT(SEC_E_ALGORITHM_MISMATCH);
  2394. break;
  2396. case TLS1_ALERT_INTERNAL_ERROR:
  2397. DebugLog((DEB_TRACE, "internal_error alert\n"));
  2398. pctRet = SP_LOG_RESULT(SEC_E_INTERNAL_ERROR);
  2399. break;
  2401. default:
  2402. DebugLog((DEB_TRACE, "Unknown fatal alert\n"));
  2403. pctRet = SP_LOG_RESULT(SEC_E_ILLEGAL_MESSAGE);
  2404. break;
  2405. }
  2406. }
  2408. return pctRet;
  2409. }
  2412. void BuildAlertMessage(PBYTE pbAlertMsg, UCHAR bAlertLevel, UCHAR bAlertDesc)
  2413. {
  2414. ALRT *palrt = (ALRT *) pbAlertMsg;
  2416. FillMemory(palrt, sizeof(ALRT), 0);
  2418. palrt->bCType = SSL3_CT_ALERT;
  2419. palrt->bMajor = SSL3_CLIENT_VERSION_MSB;
  2420. // palrt->bMinor = SSL3_CLIENT_VERSION_LSB; DONE by FillMemory
  2421. // palrt->bcbMSBSize = 0; Done by FillMemory
  2422. palrt->bcbLSBSize = 2;
  2423. palrt->bAlertLevel = bAlertLevel;
  2424. palrt->bAlertDesc = bAlertDesc ;
  2425. }
  2428. SP_STATUS SPPacketSplit(BYTE bContentType, PSPBuffer pPlain)
  2429. //Now let's us see whether we have the FULL-handshake
  2430. {
  2431. SP_STATUS pctRet = PCT_ERR_OK;
  2432. PBYTE pb;
  2433. DWORD cb;
  2435. pb = pPlain->pvBuffer;
  2437. switch(bContentType)
  2438. {
  2439. case SSL3_CT_HANDSHAKE:
  2440. if(pPlain->cbData >= sizeof(SHSH))
  2441. {
  2442. cb = ((INT)pb[1] << 16) + ((INT)pb[2] << 8) + (INT)pb[3];
  2443. cb += sizeof(SHSH);
  2444. if( cb > pPlain->cbData)
  2445. {
  2446. return(PCT_INT_INCOMPLETE_MSG);
  2447. }
  2449. }
  2450. else
  2451. return(PCT_INT_INCOMPLETE_MSG);
  2452. break;
  2453. case SSL3_CT_ALERT:
  2454. if(pPlain->cbData != 2)
  2455. return(PCT_INT_INCOMPLETE_MSG);
  2456. break;
  2457. case SSL3_CT_CHANGE_CIPHER_SPEC:
  2458. if(pPlain->cbData != 1)
  2459. return(PCT_INT_INTERNAL_ERROR);
  2460. default:
  2461. break;
  2462. }
  2464. return(pctRet);
  2465. }
  2469. /*****************************************************************************/
  2470. // Create an encrypted Finish message, adding it to the end of the
  2471. // specified buffer object.
  2472. //
  2473. SP_STATUS SPBuildTls1FinalFinish(PSPContext pContext, PSPBuffer pBuffer, BOOL fClient)
  2474. {
  2475. PBYTE pbMessage = (PBYTE)pBuffer->pvBuffer + pBuffer->cbData;
  2476. DWORD cbFinished;
  2477. SP_STATUS pctRet;
  2478. DWORD cbDataOut;
  2480. BYTE rgbDigest[CB_TLS1_VERIFYDATA];
  2482. // Build Finished message body.
  2483. pctRet = Tls1BuildFinishMessage(pContext, rgbDigest, sizeof(rgbDigest), fClient);
  2484. if(pctRet != PCT_ERR_OK)
  2485. {
  2486. return pctRet;
  2487. }
  2489. CopyMemory(pbMessage + sizeof(SWRAP) + sizeof(SHSH),
  2490. rgbDigest,
  2491. CB_TLS1_VERIFYDATA);
  2493. // Build Finished handshake header.
  2494. SetHandshake(pbMessage + sizeof(SWRAP),
  2495. SSL3_HS_FINISHED,
  2496. NULL,
  2497. CB_TLS1_VERIFYDATA);
  2498. cbFinished = sizeof(SHSH) + CB_TLS1_VERIFYDATA;
  2500. // Update handshake hash objects.
  2501. pctRet = UpdateHandshakeHash(pContext,
  2502. pbMessage + sizeof(SWRAP),
  2503. cbFinished,
  2504. FALSE);
  2505. if(pctRet != PCT_ERR_OK)
  2506. {
  2507. return(pctRet);
  2508. }
  2510. // Add record header and encrypt message.
  2511. pctRet = SPSetWrap(pContext,
  2512. pbMessage,
  2513. SSL3_CT_HANDSHAKE,
  2514. cbFinished,
  2515. fClient,
  2516. &cbDataOut);
  2518. if(pctRet != PCT_ERR_OK)
  2519. {
  2520. return(pctRet);
  2521. }
  2523. // Update buffer length .
  2524. pBuffer->cbData += cbDataOut;
  2526. SP_ASSERT(pBuffer->cbData <= pBuffer->cbBuffer);
  2528. return pctRet;
  2529. }
  2532. //+---------------------------------------------------------------------------
  2533. //
  2534. // Function: Tls1BuildFinishMessage
  2535. //
  2536. // Synopsis: Compute a TLS MAC for the specified message.
  2537. //
  2538. // Arguments: [pContext] -- Schannel context.
  2539. // [pbVerifyData] -- Verify data buffer.
  2540. // [cbVerifyData] -- Length of verify data buffer.
  2541. // [fClient] -- Client-generated Finished?
  2542. //
  2543. // History: 10-13-97 jbanes Created.
  2544. //
  2545. // Notes: The Finished message is computed using the following formula:
  2546. //
  2547. // verify_data = PRF(master_secret, finished_label,
  2548. // MD5(handshake_messages) +
  2549. // SHA-1(handshake_messages)) [0..11];
  2550. //
  2551. //----------------------------------------------------------------------------
  2552. SP_STATUS
  2553. Tls1BuildFinishMessage(
  2554. PSPContext pContext, // in
  2555. PBYTE pbVerifyData, // out
  2556. DWORD cbVerifyData, // in
  2557. BOOL fClient) // in
  2558. {
  2559. PBYTE pbLabel;
  2560. DWORD cbLabel;
  2561. UCHAR rgbData[CB_MD5_DIGEST_LEN + CB_SHA_DIGEST_LEN];
  2562. DWORD cbData;
  2563. HCRYPTHASH hHash = 0;
  2564. CRYPT_DATA_BLOB Data;
  2565. SP_STATUS pctRet;
  2567. if(cbVerifyData < CB_TLS1_VERIFYDATA)
  2568. {
  2569. return SP_LOG_RESULT(PCT_INT_BUFF_TOO_SMALL);
  2570. }
  2572. if(fClient)
  2573. {
  2574. pbLabel = TLS1_LABEL_CLIENTFINISHED;
  2575. }
  2576. else
  2577. {
  2578. pbLabel = TLS1_LABEL_SERVERFINISHED;
  2579. }
  2580. cbLabel = CB_TLS1_LABEL_FINISHED;
  2583. // Get the MD5 hash of the handshake messages so far.
  2584. if(!SchCryptDuplicateHash(pContext->hMd5Handshake,
  2585. NULL,
  2586. 0,
  2587. &hHash,
  2588. pContext->RipeZombie->dwCapiFlags))
  2589. {
  2590. SP_LOG_RESULT(GetLastError());
  2591. pctRet = PCT_INT_INTERNAL_ERROR;
  2592. goto error;
  2593. }
  2595. cbData = CB_MD5_DIGEST_LEN;
  2596. if(!SchCryptGetHashParam(hHash,
  2597. HP_HASHVAL,
  2598. rgbData,
  2599. &cbData,
  2600. 0,
  2601. pContext->RipeZombie->dwCapiFlags))
  2602. {
  2603. SP_LOG_RESULT(GetLastError());
  2604. pctRet = PCT_INT_INTERNAL_ERROR;
  2605. goto error;
  2606. }
  2608. if(!SchCryptDestroyHash(hHash, pContext->RipeZombie->dwCapiFlags))
  2609. {
  2610. SP_LOG_RESULT(GetLastError());
  2611. }
  2612. hHash = 0;
  2614. // Get the SHA hash of the handshake messages so far.
  2615. if(!SchCryptDuplicateHash(pContext->hShaHandshake,
  2616. NULL,
  2617. 0,
  2618. &hHash,
  2619. pContext->RipeZombie->dwCapiFlags))
  2620. {
  2621. SP_LOG_RESULT(GetLastError());
  2622. pctRet = PCT_INT_INTERNAL_ERROR;
  2623. goto error;
  2624. }
  2626. cbData = A_SHA_DIGEST_LEN;
  2627. if(!SchCryptGetHashParam(hHash,
  2628. HP_HASHVAL,
  2629. rgbData + CB_MD5_DIGEST_LEN,
  2630. &cbData,
  2631. 0,
  2632. pContext->RipeZombie->dwCapiFlags))
  2633. {
  2634. SP_LOG_RESULT(GetLastError());
  2635. pctRet = PCT_INT_INTERNAL_ERROR;
  2636. goto error;
  2637. }
  2639. cbData = CB_MD5_DIGEST_LEN + CB_SHA_DIGEST_LEN;
  2641. if(!SchCryptDestroyHash(hHash, pContext->RipeZombie->dwCapiFlags))
  2642. {
  2643. SP_LOG_RESULT(GetLastError());
  2644. }
  2645. hHash = 0;
  2647. // Compute the PRF
  2648. if(!SchCryptCreateHash(pContext->RipeZombie->hMasterProv,
  2649. CALG_TLS1PRF,
  2650. pContext->RipeZombie->hMasterKey,
  2651. 0,
  2652. &hHash,
  2653. pContext->RipeZombie->dwCapiFlags))
  2654. {
  2655. SP_LOG_RESULT(GetLastError());
  2656. pctRet = PCT_INT_INTERNAL_ERROR;
  2657. goto error;
  2658. }
  2660. Data.pbData = pbLabel;
  2661. Data.cbData = cbLabel;
  2662. if(!SchCryptSetHashParam(hHash,
  2663. HP_TLS1PRF_LABEL,
  2664. (PBYTE)&Data,
  2665. 0,
  2666. pContext->RipeZombie->dwCapiFlags))
  2667. {
  2668. SP_LOG_RESULT(GetLastError());
  2669. pctRet = PCT_INT_INTERNAL_ERROR;
  2670. goto error;
  2671. }
  2673. Data.pbData = rgbData;
  2674. Data.cbData = cbData;
  2675. if(!SchCryptSetHashParam(hHash,
  2676. HP_TLS1PRF_SEED,
  2677. (PBYTE)&Data,
  2678. 0,
  2679. pContext->RipeZombie->dwCapiFlags))
  2680. {
  2681. SP_LOG_RESULT(GetLastError());
  2682. pctRet = PCT_INT_INTERNAL_ERROR;
  2683. goto error;
  2684. }
  2686. if(!SchCryptGetHashParam(hHash,
  2687. HP_HASHVAL,
  2688. pbVerifyData,
  2689. &cbVerifyData,
  2690. 0,
  2691. pContext->RipeZombie->dwCapiFlags))
  2692. {
  2693. SP_LOG_RESULT(GetLastError());
  2694. pctRet = PCT_INT_INTERNAL_ERROR;
  2695. goto error;
  2696. }
  2698. pctRet = PCT_ERR_OK;
  2701. error:
  2703. if(hHash)
  2704. {
  2705. if(!SchCryptDestroyHash(hHash, pContext->RipeZombie->dwCapiFlags))
  2706. {
  2707. SP_LOG_RESULT(GetLastError());
  2708. }
  2709. }
  2711. return pctRet;
  2712. }
  2714. SP_STATUS
  2715. SPBuildTlsAlertMessage(
  2716. PSPContext pContext, // in
  2717. PSPBuffer pCommOutput)
  2718. {
  2719. PBYTE pbMessage = NULL;
  2720. DWORD cbMessage;
  2721. BOOL fAllocated = FALSE;
  2722. SP_STATUS pctRet;
  2723. DWORD cbDataOut;
  2725. SP_BEGIN("SPBuildTlsAlertMessage");
  2727. cbMessage = sizeof(SWRAP) +
  2728. CB_SSL3_ALERT_ONLY +
  2729. SP_MAX_DIGEST_LEN +
  2730. SP_MAX_BLOCKCIPHER_SIZE;
  2732. if(pContext->State != TLS1_STATE_ERROR)
  2733. {
  2734. SP_RETURN(SP_LOG_RESULT(PCT_INT_INTERNAL_ERROR));
  2735. }
  2737. if(pCommOutput->pvBuffer)
  2738. {
  2739. // Application has allocated memory.
  2740. if(pCommOutput->cbBuffer < cbMessage)
  2741. {
  2742. pCommOutput->cbData = cbMessage;
  2743. return SP_LOG_RESULT(PCT_INT_BUFF_TOO_SMALL);
  2744. }
  2745. fAllocated = TRUE;
  2746. }
  2747. else
  2748. {
  2749. // Schannel is to allocate memory.
  2750. pCommOutput->cbBuffer = cbMessage;
  2751. pCommOutput->pvBuffer = SPExternalAlloc(cbMessage);
  2752. if(pCommOutput->pvBuffer == NULL)
  2753. {
  2754. SP_RETURN(SP_LOG_RESULT(SEC_E_INSUFFICIENT_MEMORY));
  2755. }
  2756. }
  2757. pCommOutput->cbData = 0;
  2760. pbMessage = (PBYTE)pCommOutput->pvBuffer;
  2763. // Build alert message.
  2764. BuildAlertMessage(pbMessage,
  2765. pContext->bAlertLevel,
  2766. pContext->bAlertNumber);
  2768. #if DBG
  2769. DBG_HEX_STRING(DEB_TRACE, pbMessage, sizeof(ALRT));
  2770. #endif
  2772. // Build record header and encrypt message.
  2773. pctRet = SPSetWrap(pContext,
  2774. pbMessage,
  2775. SSL3_CT_ALERT,
  2776. CB_SSL3_ALERT_ONLY,
  2777. pContext->dwProtocol & SP_PROT_SSL3TLS1_CLIENTS,
  2778. &cbDataOut);
  2780. if(pctRet != PCT_ERR_OK)
  2781. {
  2782. if(!fAllocated)
  2783. {
  2784. SPExternalFree(pCommOutput->pvBuffer);
  2785. pCommOutput->pvBuffer = NULL;
  2786. }
  2787. SP_RETURN(SP_LOG_RESULT(pctRet));
  2788. }
  2790. // Update buffer length.
  2791. pCommOutput->cbData = cbDataOut;
  2793. SP_ASSERT(pCommOutput->cbData <= pCommOutput->cbBuffer);
  2795. SP_RETURN(PCT_ERR_OK);
  2796. }
  2799. void
  2800. SetTls1Alert(
  2801. PSPContext pContext,
  2802. BYTE bAlertLevel,
  2803. BYTE bAlertNumber)
  2804. {
  2805. pContext->State = TLS1_STATE_ERROR;
  2806. pContext->bAlertLevel = bAlertLevel;
  2807. pContext->bAlertNumber = bAlertNumber;
  2808. }