sslKeyExchange.cpp   [plain text]

/*
 * Copyright (c) 2000-2001 Apple Computer, Inc. All Rights Reserved.
 * 
 * The contents of this file constitute Original Code as defined in and are
 * subject to the Apple Public Source License Version 1.2 (the 'License').
 * You may not use this file except in compliance with the License. Please obtain
 * a copy of the License at http://www.apple.com/publicsource and read it before
 * using this file.
 * 
 * This Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS
 * OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, INCLUDING WITHOUT
 * LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
 * PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. Please see the License for the
 * specific language governing rights and limitations under the License.
 */


/*
	File:		sslKeyExchange.c

	Contains:	Support for key exchange and server key exchange

	Written by:	Doug Mitchell

	Copyright: (c) 1999 by Apple Computer, Inc., all rights reserved.

*/

#include "sslContext.h"
#include "sslHandshake.h"
#include "sslMemory.h"
#include "sslDebug.h"
#include "sslUtils.h"
#include "appleCdsa.h"
#include "sslDigests.h"
#include "ModuleAttacher.h"
#include "sslBER.h"

#include <assert.h>
#include <string.h>

#include <Security/globalizer.h>
#include <Security/threading.h>

#pragma mark -
#pragma mark *** forward static declarations ***
static OSStatus SSLGenServerDHParamsAndKey(SSLContext *ctx);
static OSStatus SSLEncodeDHKeyParams(SSLContext *ctx, UInt8 *charPtr);
static OSStatus SSLDecodeDHKeyParams(SSLContext *ctx, UInt8 *&charPtr,
	UInt32 length);

#define DH_PARAM_DUMP		0
#if 	DH_PARAM_DUMP

static void dumpBuf(const char *name, SSLBuffer &buf)
{
	printf("%s:\n", name);
	UInt8 *cp = buf.data;
	UInt8 *endCp = cp + buf.length;
	
	do {
		for(unsigned i=0; i<16; i++) {
			printf("%02x ", *cp++);
			if(cp == endCp) {
				break;
			}
		}
		if(cp == endCp) {
			break;
		}
		printf("\n");
	} while(cp < endCp);
	printf("\n");
}
#else
#define dumpBuf(n, b)
#endif	/* DH_PARAM_DUMP */

#if 	APPLE_DH

#pragma mark -
#pragma mark *** local D-H parameter generator ***
/*
 * Process-wide server-supplied Diffie-Hellman parameters. 
 * This might be overridden by some API_supplied parameters
 * in the future.
 */
class ServerDhParams
{
public:
	ServerDhParams();
	~ServerDhParams();
	const SSLBuffer &prime()		{ return mPrime; }
	const SSLBuffer &generator()	{ return mGenerator; }
	const SSLBuffer &paramBlock()	{ return mParamBlock; }
	
private:
	/* these two for sending over the wire */
	SSLBuffer		mPrime;		
	SSLBuffer		mGenerator;
	/* this one for sending to the CSP at key gen time */
	SSLBuffer		mParamBlock;
};

ServerDhParams::ServerDhParams()
{
	mPrime.data = NULL;
	mPrime.length = 0;
	mGenerator.data = NULL;
	mGenerator.length = 0;
	mParamBlock.data = NULL;
	mParamBlock.length = 0;
	
	CSSM_CSP_HANDLE cspHand;
	CSSM_CL_HANDLE clHand;			// not used here, just for 
									//   attachToModules()
	CSSM_TP_HANDLE tpHand;			// ditto
	CSSM_RETURN crtn;
	
	crtn = attachToModules(&cspHand, &clHand, &tpHand);
	if(crtn) {
		MacOSError::throwMe(errSSLModuleAttach);
	}
	
	CSSM_CC_HANDLE 	ccHandle;
	CSSM_DATA cParams = {0, NULL};
	
	crtn = CSSM_CSP_CreateKeyGenContext(cspHand,
		CSSM_ALGID_DH,
		SSL_DH_DEFAULT_PRIME_SIZE,
		NULL,					// Seed
		NULL,					// Salt
		NULL,					// StartDate
		NULL,					// EndDate
		&cParams,			// Params, may be NULL
		&ccHandle);
	if(crtn) {
		stPrintCdsaError("ServerDhParams CSSM_CSP_CreateKeyGenContext", crtn);
		MacOSError::throwMe(errSSLCrypto);
	}
	
	/* explicitly generate params and save them */
	sslDhDebug("^^^generating Diffie-Hellman parameters...");
	crtn = CSSM_GenerateAlgorithmParams(ccHandle, 
		SSL_DH_DEFAULT_PRIME_SIZE, &cParams);
	if(crtn) {
		stPrintCdsaError("ServerDhParams CSSM_GenerateAlgorithmParams", crtn);
		CSSM_DeleteContext(ccHandle);
		MacOSError::throwMe(errSSLCrypto);
	}
	CSSM_TO_SSLBUF(&cParams, &mParamBlock);
	OSStatus ortn = sslDecodeDhParams(&mParamBlock, &mPrime, &mGenerator);
	if(ortn) {
		sslErrorLog("ServerDhParams: param decode error\n");
		MacOSError::throwMe(ortn);
	}
	CSSM_DeleteContext(ccHandle);
}

ServerDhParams::~ServerDhParams()
{
	sslFree(mPrime.data);
	sslFree(mGenerator.data);
	sslFree(mParamBlock.data);
}

/* the single global thing */
static ModuleNexus<ServerDhParams> serverDhParams;

#endif	/* APPLE_DH */

#pragma mark -
#pragma mark *** RSA key exchange ***

/*
 * Client RSA Key Exchange msgs actually start with a two-byte
 * length field, contrary to the first version of RFC 2246, dated
 * January 1999. See RFC 2246, March 2002, section 7.4.7.1 for 
 * updated requirements. 
 */
#define RSA_CLIENT_KEY_ADD_LENGTH		1

typedef	CSSM_KEY_PTR	SSLRSAPrivateKey;

static OSStatus
SSLEncodeRSAKeyParams(SSLBuffer *keyParams, SSLRSAPrivateKey *key, SSLContext *ctx)
{   OSStatus    err;
    SSLBuffer   modulus, exponent;
    UInt8       *charPtr;

	if(err = attachToCsp(ctx)) {
		return err;
	}
	
	/* Note currently ALL public keys are raw, obtained from the CL... */
	assert((*key)->KeyHeader.BlobType == CSSM_KEYBLOB_RAW);
	err = sslGetPubKeyBits(ctx,
		*key,
		ctx->cspHand,
		&modulus,
		&exponent);
	if(err) {
		SSLFreeBuffer(modulus, ctx);
		SSLFreeBuffer(exponent, ctx);
		return err;
	}
    
    if ((err = SSLAllocBuffer(*keyParams, 
			modulus.length + exponent.length + 4, ctx)) != 0) {
        return err;
	}
    charPtr = keyParams->data;
    charPtr = SSLEncodeInt(charPtr, modulus.length, 2);
    memcpy(charPtr, modulus.data, modulus.length);
    charPtr += modulus.length;
    charPtr = SSLEncodeInt(charPtr, exponent.length, 2);
    memcpy(charPtr, exponent.data, exponent.length);

	/* these were mallocd by sslGetPubKeyBits() */
	SSLFreeBuffer(modulus, ctx);
	SSLFreeBuffer(exponent, ctx);
    return noErr;
}

static OSStatus
SSLEncodeRSAPremasterSecret(SSLContext *ctx)
{   SSLBuffer           randData;
    OSStatus            err;
    SSLProtocolVersion	maxVersion;
	
    if ((err = SSLAllocBuffer(ctx->preMasterSecret, 
			SSL_RSA_PREMASTER_SECRET_SIZE, ctx)) != 0)
        return err;
    
	assert((ctx->negProtocolVersion == SSL_Version_3_0) ||
		   (ctx->negProtocolVersion == TLS_Version_1_0));
	sslGetMaxProtVersion(ctx, &maxVersion);
    SSLEncodeInt(ctx->preMasterSecret.data, maxVersion, 2);
    randData.data = ctx->preMasterSecret.data+2;
    randData.length = SSL_RSA_PREMASTER_SECRET_SIZE - 2;
    if ((err = sslRand(ctx, &randData)) != 0)
        return err;
    return noErr;
}

/*
 * Generate a server key exchange message signed by our RSA or DSA private key. 
 */
static OSStatus
SSLEncodeSignedServerKeyExchange(SSLRecord &keyExch, SSLContext *ctx)
{   OSStatus        err;
    UInt8           *charPtr;
    int             outputLen;
    UInt8           hashes[SSL_SHA1_DIGEST_LEN + SSL_MD5_DIGEST_LEN];
    SSLBuffer       exchangeParams,clientRandom,serverRandom,hashCtx, hash;
	UInt8			*dataToSign;
	UInt32			dataToSignLen;
	bool			isRsa = true;
    UInt32 			maxSigLen;
    UInt32	    	actSigLen;
	SSLBuffer		signature;
	const CSSM_KEY	*cssmKey;
	
    assert(ctx->protocolSide == SSL_ServerSide);
	assert(ctx->signingPubKey != NULL);
 	assert((ctx->negProtocolVersion == SSL_Version_3_0) ||
		   (ctx->negProtocolVersion == TLS_Version_1_0));
    exchangeParams.data = 0;
    hashCtx.data = 0;
	signature.data = 0;
	
	/* Set up parameter block to hash ==> exchangeParams */
	switch(ctx->selectedCipherSpec->keyExchangeMethod) {
		case SSL_RSA:
        case SSL_RSA_EXPORT:
			/* 
			 * Parameter block = encryption public key.
			 * If app hasn't supplied a separate encryption cert, abort.
			 */
			if(ctx->encryptPubKey == NULL) {
				sslErrorLog("RSAServerKeyExchange: no encrypt cert\n");
				return errSSLBadConfiguration;
			}
			err = SSLEncodeRSAKeyParams(&exchangeParams, 
				&ctx->encryptPubKey, ctx);
			break;
			
		#if 	APPLE_DH
		case SSL_DHE_DSS:
		case SSL_DHE_DSS_EXPORT:
			isRsa = false;
			/* and fall through */
		case SSL_DHE_RSA:
		case SSL_DHE_RSA_EXPORT:
		{
			/* 
			 * Parameter block = {prime, generator, public key}
			 * Obtain D-H parameters (if we don't have them) and a key pair. 
			 */
			err = SSLGenServerDHParamsAndKey(ctx);
			if(err) {
				return err;
			}
			UInt32 len = ctx->dhParamsPrime.length + 
				ctx->dhParamsGenerator.length + 
				ctx->dhExchangePublic.length + 6 /* 3 length fields */;
			err = SSLAllocBuffer(exchangeParams, len, ctx);
			if(err) {
				goto fail;
			}
			err = SSLEncodeDHKeyParams(ctx, exchangeParams.data);
			break;
		}
		#endif	/* APPLE_DH */
		default:
			/* shouldn't be here */
			assert(0);
			return errSSLInternal;
	}
	if(err) {
		goto fail;
	}
			    
	/* cook up hash(es) for raw sign */
    clientRandom.data   = ctx->clientRandom;
    clientRandom.length = SSL_CLIENT_SRVR_RAND_SIZE;
    serverRandom.data   = ctx->serverRandom;
    serverRandom.length = SSL_CLIENT_SRVR_RAND_SIZE;
    
	if(isRsa) {
		/* skip this if signing with DSA */
		dataToSign = hashes;
		dataToSignLen = SSL_SHA1_DIGEST_LEN + SSL_MD5_DIGEST_LEN;
		hash.data = &hashes[0];
		hash.length = SSL_MD5_DIGEST_LEN;
		
		if ((err = ReadyHash(SSLHashMD5, hashCtx, ctx)) != 0)
			goto fail;
		if ((err = SSLHashMD5.update(hashCtx, clientRandom)) != 0)
			goto fail;
		if ((err = SSLHashMD5.update(hashCtx, serverRandom)) != 0)
			goto fail;
		if ((err = SSLHashMD5.update(hashCtx, exchangeParams)) != 0)
			goto fail;
		if ((err = SSLHashMD5.final(hashCtx, hash)) != 0)
			goto fail;
		if ((err = SSLFreeBuffer(hashCtx, ctx)) != 0)
			goto fail;
    }
	else {
		/* DSA - just use the SHA1 hash */
		dataToSign = &hashes[SSL_MD5_DIGEST_LEN];
		dataToSignLen = SSL_SHA1_DIGEST_LEN;
	}
    hash.data = &hashes[SSL_MD5_DIGEST_LEN];
    hash.length = SSL_SHA1_DIGEST_LEN;
    if ((err = ReadyHash(SSLHashSHA1, hashCtx, ctx)) != 0)
        goto fail;
    if ((err = SSLHashSHA1.update(hashCtx, clientRandom)) != 0)
        goto fail;
    if ((err = SSLHashSHA1.update(hashCtx, serverRandom)) != 0)
        goto fail;
    if ((err = SSLHashSHA1.update(hashCtx, exchangeParams)) != 0)
        goto fail;
    if ((err = SSLHashSHA1.final(hashCtx, hash)) != 0)
        goto fail;
    if ((err = SSLFreeBuffer(hashCtx, ctx)) != 0)
        goto fail;
    
	/* preallocate a buffer for signing */
	err = SecKeyGetCSSMKey(ctx->signingPrivKeyRef, &cssmKey);
	if(err) {
		sslErrorLog("SSLEncodeSignedServerKeyExchange: SecKeyGetCSSMKey err %d\n",
			(int)err);
        goto fail;
	}
	err = sslGetMaxSigSize(cssmKey, maxSigLen);
	if(err) {
        goto fail;
	}
	err = SSLAllocBuffer(signature, maxSigLen, ctx);
	if(err) {
		goto fail;
	}
	
	err = sslRawSign(ctx,
		ctx->signingPrivKeyRef,
		dataToSign,			// one or two hashes
		dataToSignLen,
		signature.data,
		maxSigLen,
		&actSigLen);
	if(err) {
		goto fail;
	}
	assert(actSigLen <= maxSigLen);
	
	/* package it all up */
    outputLen = exchangeParams.length + 2 + actSigLen;
    keyExch.protocolVersion = ctx->negProtocolVersion;
    keyExch.contentType = SSL_RecordTypeHandshake;
    if ((err = SSLAllocBuffer(keyExch.contents, outputLen+4, ctx)) != 0)
        goto fail;
    
    charPtr = keyExch.contents.data;
    *charPtr++ = SSL_HdskServerKeyExchange;
    charPtr = SSLEncodeInt(charPtr, outputLen, 3);
    
    memcpy(charPtr, exchangeParams.data, exchangeParams.length);
    charPtr += exchangeParams.length;
    charPtr = SSLEncodeInt(charPtr, actSigLen, 2);
	memcpy(charPtr, signature.data, actSigLen);
    assert((charPtr + actSigLen) == 
		   (keyExch.contents.data + keyExch.contents.length));
    
    err = noErr;
    
fail:
    SSLFreeBuffer(hashCtx, ctx);
    SSLFreeBuffer(exchangeParams, ctx);
    SSLFreeBuffer(signature, ctx);
    return err;
}

/*
 * Decode and verify a server key exchange message signed by server's 
 * public key. 
 */
static OSStatus
SSLDecodeSignedServerKeyExchange(SSLBuffer message, SSLContext *ctx)
{   
	OSStatus        err;
    SSLBuffer       hashOut, hashCtx, clientRandom, serverRandom;
    UInt16          modulusLen, exponentLen, signatureLen;
    UInt8           *modulus, *exponent, *signature;
    UInt8           hashes[SSL_SHA1_DIGEST_LEN + SSL_MD5_DIGEST_LEN];
    SSLBuffer       signedHashes;
 	UInt8			*dataToSign;
	UInt32			dataToSignLen;
	bool			isRsa = true;
	
	assert(ctx->protocolSide == SSL_ClientSide);
	signedHashes.data = 0;
    hashCtx.data = 0;
    
    if (message.length < 2) {
    	sslErrorLog("SSLDecodeSignedServerKeyExchange: msg len error 1\n");
        return errSSLProtocol;
    }
	
	/* first extract the key-exchange-method-specific parameters */
    UInt8 *charPtr = message.data;
	UInt8 *endCp = charPtr + message.length;
	switch(ctx->selectedCipherSpec->keyExchangeMethod) {
		case SSL_RSA:
        case SSL_RSA_EXPORT:
			modulusLen = SSLDecodeInt(charPtr, 2);
			charPtr += 2;
			if((charPtr + modulusLen) > endCp) {
				sslErrorLog("signedServerKeyExchange: msg len error 2\n");
				return errSSLProtocol;
			}
			modulus = charPtr;
			charPtr += modulusLen;

			exponentLen = SSLDecodeInt(charPtr, 2);
			charPtr += 2;
			if((charPtr + exponentLen) > endCp) {
				sslErrorLog("signedServerKeyExchange: msg len error 3\n");
				return errSSLProtocol;
			}
			exponent = charPtr;
			charPtr += exponentLen;
			break;
		#if		APPLE_DH
		case SSL_DHE_DSS:
		case SSL_DHE_DSS_EXPORT:
			isRsa = false;
			/* and fall through */
		case SSL_DHE_RSA:
		case SSL_DHE_RSA_EXPORT:
			err = SSLDecodeDHKeyParams(ctx, charPtr, message.length);
			if(err) {
				return err;
			}
			break;
		#endif	/* APPLE_DH */
		default:
			assert(0);
			return errSSLInternal;
	}
	
	/* this is what's hashed */
	SSLBuffer signedParams;
	signedParams.data = message.data;
	signedParams.length = charPtr - message.data;
	
	signatureLen = SSLDecodeInt(charPtr, 2);
	charPtr += 2;
	if((charPtr + signatureLen) != endCp) {
		sslErrorLog("signedServerKeyExchange: msg len error 4\n");
		return errSSLProtocol;
	}
	signature = charPtr;
	
    clientRandom.data = ctx->clientRandom;
    clientRandom.length = SSL_CLIENT_SRVR_RAND_SIZE;
    serverRandom.data = ctx->serverRandom;
    serverRandom.length = SSL_CLIENT_SRVR_RAND_SIZE;
	
	if(isRsa) {
		/* skip this if signing with DSA */
		dataToSign = hashes;
		dataToSignLen = SSL_SHA1_DIGEST_LEN + SSL_MD5_DIGEST_LEN;
		hashOut.data = hashes;
		hashOut.length = SSL_MD5_DIGEST_LEN;
		
		if ((err = ReadyHash(SSLHashMD5, hashCtx, ctx)) != 0)
			goto fail;
		if ((err = SSLHashMD5.update(hashCtx, clientRandom)) != 0)
			goto fail;
		if ((err = SSLHashMD5.update(hashCtx, serverRandom)) != 0)
			goto fail;
		if ((err = SSLHashMD5.update(hashCtx, signedParams)) != 0)
			goto fail;
		if ((err = SSLHashMD5.final(hashCtx, hashOut)) != 0)
			goto fail;
	}
	else {
		/* DSA - just use the SHA1 hash */
		dataToSign = &hashes[SSL_MD5_DIGEST_LEN];
		dataToSignLen = SSL_SHA1_DIGEST_LEN;
	}
	hashOut.data = hashes + SSL_MD5_DIGEST_LEN; 
    hashOut.length = SSL_SHA1_DIGEST_LEN;
    if ((err = SSLFreeBuffer(hashCtx, ctx)) != 0)
        goto fail;
    
    if ((err = ReadyHash(SSLHashSHA1, hashCtx, ctx)) != 0)
        goto fail;
    if ((err = SSLHashSHA1.update(hashCtx, clientRandom)) != 0)
        goto fail;
    if ((err = SSLHashSHA1.update(hashCtx, serverRandom)) != 0)
        goto fail;
    if ((err = SSLHashSHA1.update(hashCtx, signedParams)) != 0)
        goto fail;
    if ((err = SSLHashSHA1.final(hashCtx, hashOut)) != 0)
        goto fail;

	err = sslRawVerify(ctx,
		ctx->peerPubKey,
		ctx->peerPubKeyCsp,
		dataToSign,				/* plaintext */
		dataToSignLen,			/* plaintext length */
		signature,
		signatureLen);
	if(err) {
		sslErrorLog("SSLDecodeSignedServerKeyExchange: sslRawVerify "
			"returned %d\n", (int)err);
		goto fail;
	}
    
	/* Signature matches; now replace server key with new key */
	switch(ctx->selectedCipherSpec->keyExchangeMethod) {
		case SSL_RSA:
        case SSL_RSA_EXPORT:
		{
			SSLBuffer modBuf;
			SSLBuffer expBuf;
			
			/* first free existing peerKey */
			sslFreeKey(ctx->peerPubKeyCsp, 
				&ctx->peerPubKey,
				NULL);					/* no KCItem */
				
			/* and cook up a new one from raw bits */
			modBuf.data = modulus;
			modBuf.length = modulusLen;
			expBuf.data = exponent;
			expBuf.length = exponentLen;
			err = sslGetPubKeyFromBits(ctx,
				&modBuf,
				&expBuf,
				&ctx->peerPubKey,
				&ctx->peerPubKeyCsp);
			break;
		}
		case SSL_DHE_RSA:
		case SSL_DHE_RSA_EXPORT:
		case SSL_DHE_DSS:
		case SSL_DHE_DSS_EXPORT:
			break;					/* handled above */
		default:
			assert(0);				/* handled above */
	}
fail:
    SSLFreeBuffer(signedHashes, ctx);
    SSLFreeBuffer(hashCtx, ctx);
    return err;
}

static OSStatus
SSLDecodeRSAKeyExchange(SSLBuffer keyExchange, SSLContext *ctx)
{   OSStatus            err;
    UInt32        		outputLen, localKeyModulusLen;
    SSLProtocolVersion  version;
    Boolean				useEncryptKey = false;
	UInt8				*src = NULL;
	SecKeyRef			keyRef = NULL;
    const CSSM_KEY		*cssmKey;
		
	assert(ctx->protocolSide == SSL_ServerSide);
	
	#if		SSL_SERVER_KEYEXCH_HACK
		/* 
		 * the way we work with Netscape.
		 * FIXME - maybe we should *require* an encryptPrivKey in this
		 * situation?
		 */
		if((ctx->selectedCipherSpec->keyExchangeMethod == SSL_RSA_EXPORT) &&
			(ctx->encryptPrivKey != NULL)) {
			useEncryptKey = true;
		}
		
	#else	/* !SSL_SERVER_KEYEXCH_HACK */
		/* The "correct" way, I think, which doesn't work with Netscape */
		if (ctx->encryptPrivKeyRef) {
			useEncryptKey = true;
		}
	#endif	/* SSL_SERVER_KEYEXCH_HACK */
	if (useEncryptKey) {
		keyRef  = ctx->encryptPrivKeyRef;
		/* FIXME: when 3420180 is implemented, pick appropriate creds here */
	} 
	else {
		keyRef  = ctx->signingPrivKeyRef;
		/* FIXME: when 3420180 is implemented, pick appropriate creds here */
	}
	err = SecKeyGetCSSMKey(keyRef, &cssmKey);
	if(err) {
		sslErrorLog("SSLDecodeRSAKeyExchange: SecKeyGetCSSMKey err %d\n",
			(int)err);
		return err;
	}
    
	localKeyModulusLen = sslKeyLengthInBytes(cssmKey);

	/* 
	 * We have to tolerate incoming key exchange msgs with and without the 
	 * two-byte "encrypted length" field.
	 */
    if (keyExchange.length == localKeyModulusLen) {
		/* no length encoded */
		src = keyExchange.data;
	}
	else if((keyExchange.length == (localKeyModulusLen + 2)) &&
		(ctx->negProtocolVersion >= TLS_Version_1_0)) {
		/* TLS only - skip the length bytes */
		src = keyExchange.data + 2;
	}
	else {
    	sslErrorLog("SSLDecodeRSAKeyExchange: length error (exp %u got %u)\n",
			(unsigned)localKeyModulusLen, (unsigned)keyExchange.length);
        return errSSLProtocol;
	}
    err = SSLAllocBuffer(ctx->preMasterSecret, SSL_RSA_PREMASTER_SECRET_SIZE, ctx);
	if(err != 0) {
        return err;
	}

	/*
	 * From this point on, to defend against the Bleichenbacher attack
	 * and its Klima-Pokorny-Rosa variant, any errors we detect are *not* 
	 * reported to the caller or the peer. If we detect any error during 
	 * decryption (e.g., bad PKCS1 padding) or in the testing of the version
	 * number in the premaster secret, we proceed by generating a random
	 * premaster secret, with the correct version number, and tell our caller
	 * that everything is fine. This session will fail as soon as the 
	 * finished messages are sent, since we will be using a bogus premaster 
	 * secret (and hence bogus session and MAC keys). Meanwhile we have 
	 * not provided any side channel information relating to the cause of 
	 * the failure.
	 *
	 * See http://eprint.iacr.org/2003/052/ for more info.
	 */
	err = sslRsaDecrypt(ctx,
		keyRef,
		src, 
		localKeyModulusLen,				// ciphertext len
		ctx->preMasterSecret.data,
		SSL_RSA_PREMASTER_SECRET_SIZE,	// plaintext buf available
		&outputLen);
    
	if(err != noErr) {									
		/* possible Bleichenbacher attack */
		sslLogNegotiateDebug("SSLDecodeRSAKeyExchange: RSA decrypt fail");
	}
	else if(outputLen != SSL_RSA_PREMASTER_SECRET_SIZE) {	
		sslLogNegotiateDebug("SSLDecodeRSAKeyExchange: premaster secret size error");
    	err = errSSLProtocol;							// not passed back to caller
    }
    
	if(err == noErr) {
		/*
		 * Two legal values here - the one we actually negotiated (which is 
		 * technically incorrect but not uncommon), and the one the client
		 * sent as its preferred version in the client hello msg.
		 */
		version = (SSLProtocolVersion)SSLDecodeInt(ctx->preMasterSecret.data, 2);
		if((version != ctx->negProtocolVersion) &&
		   (version != ctx->clientReqProtocol)) {
			/* possible Klima-Pokorny-Rosa attack */
			sslLogNegotiateDebug("SSLDecodeRSAKeyExchange: version error");
			err = errSSLProtocol;
		}
    }
	if(err != noErr) {
		/* 
		 * Obfuscate failures for defense against Bleichenbacher and
		 * Klima-Pokorny-Rosa attacks.
		 */
		SSLEncodeInt(ctx->preMasterSecret.data, ctx->negProtocolVersion, 2);
		SSLBuffer tmpBuf;
		tmpBuf.data   = ctx->preMasterSecret.data + 2;
		tmpBuf.length = SSL_RSA_PREMASTER_SECRET_SIZE - 2;
		/* must ignore failures here */
		sslRand(ctx, &tmpBuf);
	}
	
	/* in any case, save premaster secret (good or bogus) and proceed */
    return noErr;
}

static OSStatus
SSLEncodeRSAKeyExchange(SSLRecord &keyExchange, SSLContext *ctx)
{   OSStatus            err;
    UInt32        		outputLen, peerKeyModulusLen;
    UInt32				bufLen;
	UInt8				*dst;
	bool				encodeLen = false;
	
	assert(ctx->protocolSide == SSL_ClientSide);
    if ((err = SSLEncodeRSAPremasterSecret(ctx)) != 0)
        return err;
    
    keyExchange.contentType = SSL_RecordTypeHandshake;
	assert((ctx->negProtocolVersion == SSL_Version_3_0) ||
			(ctx->negProtocolVersion == TLS_Version_1_0));
    keyExchange.protocolVersion = ctx->negProtocolVersion;
        
	peerKeyModulusLen = sslKeyLengthInBytes(ctx->peerPubKey);
	bufLen = peerKeyModulusLen + 4;
	#if 	RSA_CLIENT_KEY_ADD_LENGTH
	if(ctx->negProtocolVersion >= TLS_Version_1_0) {
		bufLen += 2;
		encodeLen = true;
	}
	#endif
    if ((err = SSLAllocBuffer(keyExchange.contents, 
		bufLen,ctx)) != 0)
    {   
        return err;
    }
	dst = keyExchange.contents.data + 4;
	if(encodeLen) {
		dst += 2;
	}
    keyExchange.contents.data[0] = SSL_HdskClientKeyExchange;
	
	/* this is the record payload length */
    SSLEncodeInt(keyExchange.contents.data + 1, bufLen - 4, 3);
	if(encodeLen) {
		/* the length of the encrypted pre_master_secret */
		SSLEncodeInt(keyExchange.contents.data + 4, 			
			peerKeyModulusLen, 2);
	}
	err = sslRsaEncrypt(ctx,
		ctx->peerPubKey,
		/* FIXME - maybe this should be ctx->cspHand */
		ctx->peerPubKeyCsp,
		ctx->preMasterSecret.data, 
		SSL_RSA_PREMASTER_SECRET_SIZE,
		dst,
		peerKeyModulusLen,
		&outputLen);
	if(err) {
		return err;
	}
    
    assert(outputLen == encodeLen ? 
		keyExchange.contents.length - 6 :
		keyExchange.contents.length - 4 );
    
    return noErr;
}


#if APPLE_DH

#pragma mark -
#pragma mark *** Diffie-Hellman key exchange ***

/*
 * Diffie-Hellman setup, server side. On successful return, the 
 * following SSLContext members are valid:
 *
 *		dhParamsPrime
 *		dhParamsGenerator
 *		dhPrivate
 *		dhExchangePublic
 */
static OSStatus
SSLGenServerDHParamsAndKey(
	SSLContext *ctx)
{
	OSStatus ortn;
    assert(ctx->protocolSide == SSL_ServerSide);
	
	/* 
	 * Obtain D-H parameters if we don't have them.
	 */
	if(ctx->dhParamsPrime.data == NULL) {
		assert(ctx->dhParamsGenerator.data == NULL);
		const SSLBuffer &pr = serverDhParams().prime();
		ortn = SSLCopyBuffer(pr, ctx->dhParamsPrime);
		if(ortn) {
			return ortn;
		}
		const SSLBuffer &gen = serverDhParams().generator();
		ortn = SSLCopyBuffer(gen, ctx->dhParamsGenerator);
		if(ortn) {
			return ortn;
		}
		const SSLBuffer &block = serverDhParams().paramBlock();
		ortn = SSLCopyBuffer(block, ctx->dhParamsEncoded);
		if(ortn) {
			return ortn;
		}
	}
	
	/* generate per-session D-H key pair */
	sslFreeKey(ctx->cspHand, &ctx->dhPrivate, NULL);
	SSLFreeBuffer(ctx->dhExchangePublic, ctx);
	ctx->dhPrivate = (CSSM_KEY *)sslMalloc(sizeof(CSSM_KEY));
	CSSM_KEY pubKey;
	ortn = sslDhGenerateKeyPair(ctx, 
		ctx->dhParamsEncoded,
		ctx->dhParamsPrime.length * 8,
		&pubKey, ctx->dhPrivate);
	if(ortn) {
		return ortn;
	}
	CSSM_TO_SSLBUF(&pubKey.KeyData, &ctx->dhExchangePublic);
	return noErr;
} 

/*
 * Encode DH params and public key in caller-supplied buffer. 
 */
static OSStatus 
SSLEncodeDHKeyParams(
	SSLContext *ctx,
	UInt8 *charPtr)
{
    assert(ctx->protocolSide == SSL_ServerSide);
	assert(ctx->dhParamsPrime.data != NULL);
	assert(ctx->dhParamsGenerator.data != NULL);
	assert(ctx->dhExchangePublic.data != NULL);
	
	charPtr = SSLEncodeInt(charPtr, ctx->dhParamsPrime.length, 2);
	memcpy(charPtr, ctx->dhParamsPrime.data, ctx->dhParamsPrime.length);
	charPtr += ctx->dhParamsPrime.length;
	
	charPtr = SSLEncodeInt(charPtr, ctx->dhParamsGenerator.length, 2);
	memcpy(charPtr, ctx->dhParamsGenerator.data, 
		ctx->dhParamsGenerator.length);
	charPtr += ctx->dhParamsGenerator.length;
	
	charPtr = SSLEncodeInt(charPtr, ctx->dhExchangePublic.length, 2);
	memcpy(charPtr, ctx->dhExchangePublic.data, 
		ctx->dhExchangePublic.length);

	dumpBuf("server prime", ctx->dhParamsPrime);
	dumpBuf("server generator", ctx->dhParamsGenerator);
	dumpBuf("server pub key", ctx->dhExchangePublic);
	return noErr;
}

/*
 * Decode DH params and server public key.
 */
static OSStatus
SSLDecodeDHKeyParams(
	SSLContext *ctx,
	UInt8 *&charPtr,		// IN/OUT
	UInt32 length)
{   
	OSStatus        err = noErr;
	
	assert(ctx->protocolSide == SSL_ClientSide);
    UInt8 *endCp = charPtr + length;

	/* Allow reuse via renegotiation */
    SSLFreeBuffer(ctx->dhParamsPrime, ctx);
    SSLFreeBuffer(ctx->dhParamsGenerator, ctx);
	SSLFreeBuffer(ctx->dhPeerPublic, ctx);
	
	/* Prime, with a two-byte length */
	UInt32 len = SSLDecodeInt(charPtr, 2);
	charPtr += 2;
	if((charPtr + len) > endCp) {
		return errSSLProtocol;
	}
	err = SSLAllocBuffer(ctx->dhParamsPrime, len, ctx);
	if(err) {
		return err;
	}
	memmove(ctx->dhParamsPrime.data, charPtr, len);
	charPtr += len;
	
	/* Generator, with a two-byte length */
	len = SSLDecodeInt(charPtr, 2);
	charPtr += 2;
	if((charPtr + len) > endCp) {
		return errSSLProtocol;
	}
	err = SSLAllocBuffer(ctx->dhParamsGenerator, len, ctx);
	if(err) {
		return err;
	}
	memmove(ctx->dhParamsGenerator.data, charPtr, len);
	charPtr += len;
	
	/* peer public key, with a two-byte length */
	len = SSLDecodeInt(charPtr, 2);
	charPtr += 2;
	err = SSLAllocBuffer(ctx->dhPeerPublic, len, ctx);
	if(err) {
		return err;
	}
	memmove(ctx->dhPeerPublic.data, charPtr, len);
	charPtr += len;
	
	dumpBuf("client peer pub", ctx->dhPeerPublic);
	dumpBuf("client prime", ctx->dhParamsPrime);
	dumpBuf("client generator", ctx->dhParamsGenerator);
		
	return err;	
}

/* 
 * Given the server's Diffie-Hellman parameters, generate our
 * own DH key pair, and perform key exchange using the server's 
 * public key and our private key. The result is the premaster 
 * secret.
 *
 * SSLContext members valid on entry:
 *		dhParamsPrime
 *		dhParamsGenerator
 *		dhPeerPublic
 *  
 * SSLContext members valid on successful return:
 *		dhPrivate
 *		dhExchangePublic
 *		preMasterSecret
 */
static OSStatus
SSLGenClientDHKeyAndExchange(SSLContext *ctx)
{   
	OSStatus            ortn;

    assert(ctx->protocolSide == SSL_ClientSide);
	if((ctx->dhParamsPrime.data == NULL) ||
	   (ctx->dhParamsGenerator.data == NULL) ||
	   (ctx->dhPeerPublic.data == NULL)) {
	   sslErrorLog("SSLGenClientDHKeyAndExchange: incomplete server params\n");
	   return errSSLProtocol;
	}
	
    /* generate two keys */
	CSSM_KEY pubKey;
	ctx->dhPrivate = (CSSM_KEY *)sslMalloc(sizeof(CSSM_KEY));
	ortn = sslDhGenKeyPairClient(ctx, 
		ctx->dhParamsPrime,	ctx->dhParamsGenerator,
		&pubKey, ctx->dhPrivate);
	if(ortn) {
		sslFree(ctx->dhPrivate);
		ctx->dhPrivate = NULL;
		return ortn;
	}
	
	/* do the exchange, size of prime */
	ortn = sslDhKeyExchange(ctx, ctx->dhParamsPrime.length * 8, 
		&ctx->preMasterSecret);
	if(ortn) {
		return ortn;
	}
	CSSM_TO_SSLBUF(&pubKey.KeyData, &ctx->dhExchangePublic);
	return noErr;
}

static OSStatus
SSLEncodeDHanonServerKeyExchange(SSLRecord &keyExch, SSLContext *ctx)
{   
	OSStatus            ortn = noErr;
	
	assert((ctx->negProtocolVersion == SSL_Version_3_0) ||
			(ctx->negProtocolVersion == TLS_Version_1_0));
	assert(ctx->protocolSide == SSL_ServerSide);

	/* 
	 * Obtain D-H parameters (if we don't have them) and a key pair. 
	 */
	ortn = SSLGenServerDHParamsAndKey(ctx);
	if(ortn) {
		return ortn;
	}
	
	UInt32 length = 6 + 
		ctx->dhParamsPrime.length + 
		ctx->dhParamsGenerator.length + ctx->dhExchangePublic.length;
	
	keyExch.protocolVersion = ctx->negProtocolVersion;
	keyExch.contentType = SSL_RecordTypeHandshake;
	if ((ortn = SSLAllocBuffer(keyExch.contents, length+4, ctx)) != 0)
		return ortn;
	
	UInt8 *charPtr = keyExch.contents.data;
	*charPtr++ = SSL_HdskServerKeyExchange;
	charPtr = SSLEncodeInt(charPtr, length, 3);
	
	/* encode prime, generator, our public key */
	return SSLEncodeDHKeyParams(ctx, charPtr);
}


static OSStatus
SSLDecodeDHanonServerKeyExchange(SSLBuffer message, SSLContext *ctx)
{   
	OSStatus        err = noErr;
	
	assert(ctx->protocolSide == SSL_ClientSide);
    if (message.length < 6) {
    	sslErrorLog("SSLDecodeDHanonServerKeyExchange error: msg len %u\n",
    		(unsigned)message.length);
        return errSSLProtocol;
    }
    UInt8 *charPtr = message.data;
	err = SSLDecodeDHKeyParams(ctx, charPtr, message.length);
	if(err == noErr) {
		if((message.data + message.length) != charPtr) {
			err = errSSLProtocol;
		}
	}
	return err;
}

static OSStatus
SSLDecodeDHClientKeyExchange(SSLBuffer keyExchange, SSLContext *ctx)
{   
	OSStatus        ortn = noErr;
    unsigned int    publicLen;

	assert(ctx->protocolSide == SSL_ServerSide);
	if(ctx->dhParamsPrime.data == NULL) {
		/* should never happen */
		assert(0);
		return errSSLInternal;
	}
	
	/* this message simply contains the client's public DH key */
	UInt8 *charPtr = keyExchange.data;
    publicLen = SSLDecodeInt(charPtr, 2);
	charPtr += 2;
	if((keyExchange.length != publicLen + 2) ||
	   (publicLen > ctx->dhParamsPrime.length)) {
        return errSSLProtocol;
    }
	SSLFreeBuffer(ctx->dhPeerPublic, ctx);	// allow reuse via renegotiation
	ortn = SSLAllocBuffer(ctx->dhPeerPublic, publicLen, ctx);
	if(ortn) {
		return ortn;
	}
	memmove(ctx->dhPeerPublic.data, charPtr, publicLen);
	
	/* DH Key exchange, result --> premaster secret */
	SSLFreeBuffer(ctx->preMasterSecret, ctx);
	ortn = sslDhKeyExchange(ctx, ctx->dhParamsPrime.length * 8, 
		&ctx->preMasterSecret);

	dumpBuf("server peer pub", ctx->dhPeerPublic);
	dumpBuf("server premaster", ctx->preMasterSecret);
	return ortn;
}

static OSStatus
SSLEncodeDHClientKeyExchange(SSLRecord &keyExchange, SSLContext *ctx)
{   OSStatus            err;
    unsigned int        outputLen;
    
	assert(ctx->protocolSide == SSL_ClientSide);
    if ((err = SSLGenClientDHKeyAndExchange(ctx)) != 0)
        return err;
    
    outputLen = ctx->dhExchangePublic.length + 2;
    
    keyExchange.contentType = SSL_RecordTypeHandshake;
	assert((ctx->negProtocolVersion == SSL_Version_3_0) ||
			(ctx->negProtocolVersion == TLS_Version_1_0));
    keyExchange.protocolVersion = ctx->negProtocolVersion;
    
    if ((err = SSLAllocBuffer(keyExchange.contents,outputLen + 4,ctx)) != 0)
        return err;
    
    keyExchange.contents.data[0] = SSL_HdskClientKeyExchange;
    SSLEncodeInt(keyExchange.contents.data+1, 
		ctx->dhExchangePublic.length+2, 3);
    
    SSLEncodeInt(keyExchange.contents.data+4, 
		ctx->dhExchangePublic.length, 2);
    memcpy(keyExchange.contents.data+6, ctx->dhExchangePublic.data, 
		ctx->dhExchangePublic.length);

	dumpBuf("client pub key", ctx->dhExchangePublic);
	dumpBuf("client premaster", ctx->preMasterSecret);
    return noErr;
}

#endif	/* APPLE_DH */

#pragma mark -
#pragma mark *** Public Functions ***
OSStatus
SSLEncodeServerKeyExchange(SSLRecord &keyExch, SSLContext *ctx)
{   OSStatus      err;
    
    switch (ctx->selectedCipherSpec->keyExchangeMethod)
    {   case SSL_RSA:
        case SSL_RSA_EXPORT:
        #if		APPLE_DH
		case SSL_DHE_RSA:
		case SSL_DHE_RSA_EXPORT:
		case SSL_DHE_DSS:
		case SSL_DHE_DSS_EXPORT:
		#endif	/* APPLE_DH */
            if ((err = SSLEncodeSignedServerKeyExchange(keyExch, ctx)) != 0)
                return err;
            break;
        #if		APPLE_DH
        case SSL_DH_anon:
		case SSL_DH_anon_EXPORT:
            if ((err = SSLEncodeDHanonServerKeyExchange(keyExch, ctx)) != 0)
                return err;
            break;
        #endif
        default:
            return unimpErr;
    }
    
    return noErr;
}

OSStatus
SSLProcessServerKeyExchange(SSLBuffer message, SSLContext *ctx)
{   
	OSStatus      err;
    
    switch (ctx->selectedCipherSpec->keyExchangeMethod) {   
		case SSL_RSA:
        case SSL_RSA_EXPORT:
        #if		APPLE_DH
		case SSL_DHE_RSA:
		case SSL_DHE_RSA_EXPORT:
		case SSL_DHE_DSS:
		case SSL_DHE_DSS_EXPORT:
		#endif
            err = SSLDecodeSignedServerKeyExchange(message, ctx);
            break;
        #if		APPLE_DH
        case SSL_DH_anon:
		case SSL_DH_anon_EXPORT:
            err = SSLDecodeDHanonServerKeyExchange(message, ctx);
            break;
        #endif
        default:
            err = unimpErr;
			break;
    }
    
    return err;
}

OSStatus
SSLEncodeKeyExchange(SSLRecord &keyExchange, SSLContext *ctx)
{   OSStatus      err;
    
    assert(ctx->protocolSide == SSL_ClientSide);
    
    switch (ctx->selectedCipherSpec->keyExchangeMethod) {
		case SSL_RSA:
        case SSL_RSA_EXPORT:
            err = SSLEncodeRSAKeyExchange(keyExchange, ctx);
            break;
        #if		APPLE_DH
		case SSL_DHE_RSA:
		case SSL_DHE_RSA_EXPORT:
		case SSL_DHE_DSS:
		case SSL_DHE_DSS_EXPORT:
        case SSL_DH_anon:
		case SSL_DH_anon_EXPORT:
            err = SSLEncodeDHClientKeyExchange(keyExchange, ctx);
            break;
        #endif
        default:
            err = unimpErr;
    }
    
    return err;
}

OSStatus
SSLProcessKeyExchange(SSLBuffer keyExchange, SSLContext *ctx)
{   OSStatus      err;
    
    switch (ctx->selectedCipherSpec->keyExchangeMethod)
    {   case SSL_RSA:
        case SSL_RSA_EXPORT:
            if ((err = SSLDecodeRSAKeyExchange(keyExchange, ctx)) != 0)
                return err;
            break;
		#if		APPLE_DH
        case SSL_DH_anon:
		case SSL_DHE_DSS:
		case SSL_DHE_DSS_EXPORT:
		case SSL_DHE_RSA:
		case SSL_DHE_RSA_EXPORT:
		case SSL_DH_anon_EXPORT:
            if ((err = SSLDecodeDHClientKeyExchange(keyExchange, ctx)) != 0)
                return err;
            break;
        #endif
        default:
            return unimpErr;
    }
    
    return noErr;
}

OSStatus
SSLInitPendingCiphers(SSLContext *ctx)
{   OSStatus        err;
    SSLBuffer       key;
    UInt8           *keyDataProgress, *keyPtr, *ivPtr;
    int             keyDataLen;
    CipherContext   *serverPending, *clientPending;
        
    key.data = 0;
    
    ctx->readPending.macRef = ctx->selectedCipherSpec->macAlgorithm;
    ctx->writePending.macRef = ctx->selectedCipherSpec->macAlgorithm;
    ctx->readPending.symCipher = ctx->selectedCipherSpec->cipher;
    ctx->writePending.symCipher = ctx->selectedCipherSpec->cipher;
    ctx->readPending.sequenceNum.high = ctx->readPending.sequenceNum.low = 0;
    ctx->writePending.sequenceNum.high = ctx->writePending.sequenceNum.low = 0;
    
    keyDataLen = ctx->selectedCipherSpec->macAlgorithm->hash->digestSize +
                     ctx->selectedCipherSpec->cipher->secretKeySize;
    if (ctx->selectedCipherSpec->isExportable == NotExportable)
        keyDataLen += ctx->selectedCipherSpec->cipher->ivSize;
    keyDataLen *= 2;        /* two of everything */
    
    if ((err = SSLAllocBuffer(key, keyDataLen, ctx)) != 0)
        return err;
	assert(ctx->sslTslCalls != NULL);
    if ((err = ctx->sslTslCalls->generateKeyMaterial(key, ctx)) != 0)
        goto fail;
    
    if (ctx->protocolSide == SSL_ServerSide)
    {   serverPending = &ctx->writePending;
        clientPending = &ctx->readPending;
    }
    else
    {   serverPending = &ctx->readPending;
        clientPending = &ctx->writePending;
    }
    
    keyDataProgress = key.data;
    memcpy(clientPending->macSecret, keyDataProgress, 
		ctx->selectedCipherSpec->macAlgorithm->hash->digestSize);
    keyDataProgress += ctx->selectedCipherSpec->macAlgorithm->hash->digestSize;
    memcpy(serverPending->macSecret, keyDataProgress, 
		ctx->selectedCipherSpec->macAlgorithm->hash->digestSize);
    keyDataProgress += ctx->selectedCipherSpec->macAlgorithm->hash->digestSize;
    
	/* init the reusable-per-record MAC contexts */
	err = ctx->sslTslCalls->initMac(clientPending, ctx);
	if(err) {
		goto fail;
	}
	err = ctx->sslTslCalls->initMac(serverPending, ctx);
	if(err) {
		goto fail;
	}
	
    if (ctx->selectedCipherSpec->isExportable == NotExportable)
    {   keyPtr = keyDataProgress;
        keyDataProgress += ctx->selectedCipherSpec->cipher->secretKeySize;
        /* Skip server write key to get to IV */
        ivPtr = keyDataProgress + ctx->selectedCipherSpec->cipher->secretKeySize;
        if ((err = ctx->selectedCipherSpec->cipher->initialize(keyPtr, ivPtr,
                                    clientPending, ctx)) != 0)
            goto fail;
        keyPtr = keyDataProgress;
        keyDataProgress += ctx->selectedCipherSpec->cipher->secretKeySize;
        /* Skip client write IV to get to server write IV */
        ivPtr = keyDataProgress + ctx->selectedCipherSpec->cipher->ivSize;
        if ((err = ctx->selectedCipherSpec->cipher->initialize(keyPtr, ivPtr,
                                    serverPending, ctx)) != 0)
            goto fail;
    }
    else {
        UInt8		clientExportKey[16], serverExportKey[16], 
					clientExportIV[16],  serverExportIV[16];
        SSLBuffer   clientWrite, serverWrite;
        SSLBuffer	finalClientWrite, finalServerWrite;
		SSLBuffer	finalClientIV, finalServerIV;
		
        assert(ctx->selectedCipherSpec->cipher->keySize <= 16);
        assert(ctx->selectedCipherSpec->cipher->ivSize <= 16);
        
		/* Inputs to generateExportKeyAndIv are clientRandom, serverRandom,
		 *    clientWriteKey, serverWriteKey. The first two are already present
		 *    in ctx.
		 * Outputs are a key and IV for each of {server, client}.
		 */
        clientWrite.data = keyDataProgress;
        clientWrite.length = ctx->selectedCipherSpec->cipher->secretKeySize;
        serverWrite.data = keyDataProgress + clientWrite.length;
        serverWrite.length = ctx->selectedCipherSpec->cipher->secretKeySize;
		finalClientWrite.data = clientExportKey;
		finalServerWrite.data   = serverExportKey;
		finalClientIV.data      = clientExportIV;
		finalServerIV.data      = serverExportIV;
		finalClientWrite.length = 16;
		finalServerWrite.length = 16;
		/* these can be zero */
		finalClientIV.length    = ctx->selectedCipherSpec->cipher->ivSize;
		finalServerIV.length    = ctx->selectedCipherSpec->cipher->ivSize;

		assert(ctx->sslTslCalls != NULL);
		err = ctx->sslTslCalls->generateExportKeyAndIv(ctx, clientWrite, serverWrite,
			finalClientWrite, finalServerWrite, finalClientIV, finalServerIV);
		if(err) {
			goto fail;
		}
        if ((err = ctx->selectedCipherSpec->cipher->initialize(clientExportKey, 
				clientExportIV, clientPending, ctx)) != 0)
            goto fail;
        if ((err = ctx->selectedCipherSpec->cipher->initialize(serverExportKey, 
				serverExportIV, serverPending, ctx)) != 0)
            goto fail;
    }
    
	/* Ciphers are ready for use */
    ctx->writePending.ready = 1;
    ctx->readPending.ready = 1;
    
	/* Ciphers get swapped by sending or receiving a change cipher spec message */
    
    err = noErr;
fail:
    SSLFreeBuffer(key, ctx);
    return err;
}