[apple/security.git] / OSX / libsecurity_ssl / lib / sslCrypto.c

/*
 * Copyright (c) 2006-2014 Apple Inc. All Rights Reserved.
 *
 * @APPLE_LICENSE_HEADER_START@
 * 
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 * 
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 * 
 * @APPLE_LICENSE_HEADER_END@
 */

/*
 * sslCrypto.c - interface between SSL and crypto libraries
 */

#include "sslCrypto.h"
#include "sslContext.h"
#include "sslMemory.h"
#include "sslDebug.h"

#include <string.h>
#include <stdlib.h>
#include <assert.h>

#include <Security/SecTrustPriv.h>
#include <Security/SecPolicy.h>
#include <Security/SecCertificate.h>

#include <AssertMacros.h>
#include "utilities/SecCFRelease.h"

#if TARGET_OS_IPHONE
#include <Security/SecRSAKey.h>
#include <Security/SecECKey.h>
#endif

#include <tls_helpers.h>

/*
 * Get algorithm id for a SSLPubKey object.
 */
CFIndex sslPubKeyGetAlgorithmID(SecKeyRef pubKey)
{
#if TARGET_OS_IPHONE
	return SecKeyGetAlgorithmID(pubKey);
#else
	return SecKeyGetAlgorithmId(pubKey);
#endif
}

/*
 * Get algorithm id for a SSLPrivKey object.
 */
CFIndex sslPrivKeyGetAlgorithmID(SecKeyRef privKey)
{
#if TARGET_OS_IPHONE
	return SecKeyGetAlgorithmID(privKey);
#else
	return SecKeyGetAlgorithmId(privKey);
#endif
}


OSStatus
sslCreateSecTrust(
	SSLContext				*ctx,
    SecTrustRef             *pTrust)	/* RETURNED */
{
	OSStatus status = errSecAllocate;
	SecTrustRef trust = NULL;

    require_noerr(status = tls_helper_create_peer_trust(ctx->hdsk, ctx->protocolSide==kSSLServerSide, &trust), errOut);

	/* If we have trustedAnchors we set them here. */
    if (trust && ctx->trustedCerts) {
        require_noerr(status = SecTrustSetAnchorCertificates(trust, ctx->trustedCerts), errOut);
        require_noerr(status = SecTrustSetAnchorCertificatesOnly(trust, ctx->trustedCertsOnly), errOut);
    }

    status = errSecSuccess;

errOut:
    if(status != noErr) {
        CFReleaseSafe(trust);
        *pTrust = NULL;
    } else {
        *pTrust = trust;
    }

	return status;
}

#if !TARGET_OS_IPHONE
/* Return the first certificate reference from the supplied array
 * whose data matches the given certificate, or NULL if none match.
 */
static
SecCertificateRef
sslGetMatchingCertInArray(
	SecCertificateRef	certRef,
	CFArrayRef			certArray)
{
	SecCertificateRef matchedCert = NULL;

	if (certRef == NULL || certArray == NULL) {
		return NULL;
	}

	CFDataRef certData = SecCertificateCopyData(certRef);
	if (certData) {
		CFIndex idx, count = CFArrayGetCount(certArray);
		for(idx=0; idx<count; idx++) {
			SecCertificateRef aCert = (SecCertificateRef)CFArrayGetValueAtIndex(certArray, idx);
			CFDataRef aData = SecCertificateCopyData(aCert);
			if (aData && CFEqual(aData, certData)) {
				matchedCert = aCert;
			}
			CFReleaseSafe(aData);
			if (matchedCert)
				break;
		}
		CFReleaseSafe(certData);
	}

    return matchedCert;
}
#endif

/*
 * Verify a chain of DER-encoded certs.
 */
static OSStatus sslVerifyCertChain(
	SSLContext				*ctx)
{
	OSStatus status;
	SecTrustRef trust = NULL;

    /* renegotiate - start with a new SecTrustRef */
    CFReleaseNull(ctx->peerSecTrust);

    /* on failure, we always return trust==NULL, so we don't check the returned status here */
    sslCreateSecTrust(ctx, &trust);

    if(trust==NULL) {
        if(ctx->protocolSide == kSSLClientSide) {
            /* No cert chain is always a trust failure on the server side */
            status = errSSLXCertChainInvalid;
            sslErrorLog("***Error: NULL server cert chain\n");
        } else {
            /* No cert chain on the client side is ok unless using kAlwaysAuthenticate */
            if(ctx->clientAuth == kAlwaysAuthenticate) {
                sslErrorLog("***Error: NULL client cert chain\n");
                status = errSSLXCertChainInvalid;
            } else {
                status = noErr;
            }
        }
        goto errOut;
    }


	if (!ctx->enableCertVerify) {
		/* trivial case, this is caller's responsibility */
		status = errSecSuccess;
		goto errOut;
	}

	SecTrustResultType secTrustResult;
	require_noerr(status = SecTrustEvaluate(trust, &secTrustResult), errOut);
	switch (secTrustResult) {
        case kSecTrustResultUnspecified:
            /* cert chain valid, no special UserTrust assignments */
        case kSecTrustResultProceed:
            /* cert chain valid AND user explicitly trusts this */
            status = errSecSuccess;
            break;
        case kSecTrustResultDeny:
        case kSecTrustResultConfirm:
        case kSecTrustResultRecoverableTrustFailure:
        default:
            if(ctx->allowAnyRoot) {
                sslErrorLog("***Warning: accepting unverified cert chain\n");
                status = errSecSuccess;
            }
            else {
#if !TARGET_OS_IPHONE
				/*
				 * If the caller provided a list of trusted leaf certs, check them here
				 */
                if(ctx->trustedLeafCerts) {
                    if (sslGetMatchingCertInArray(SecTrustGetCertificateAtIndex(trust, 0),
                                                  ctx->trustedLeafCerts)) {
                        status = errSecSuccess;
                        goto errOut;
                    }
                }
#endif
				status = errSSLXCertChainInvalid;
            }
            /* Do we really need to return things like:
                   errSSLNoRootCert
                   errSSLUnknownRootCert
                   errSSLCertExpired
                   errSSLCertNotYetValid
                   errSSLHostNameMismatch
               for our client to see what went wrong, or should we just always
               return
                   errSSLXCertChainInvalid
               when something is wrong? */
            break;
	}

errOut:
	ctx->peerSecTrust = trust;

	return status;
}

/* Convert cert in DER format into an CFArray of SecCertificateRef */
CFArrayRef
tls_get_peer_certs(const SSLCertificate *certs)
{
    const SSLCertificate *cert;

    CFMutableArrayRef certArray = NULL;
    CFDataRef certData = NULL;
    SecCertificateRef cfCert = NULL;

    certArray = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks);
    require(certArray, out);
    cert = certs;
    while(cert) {
        require((certData = CFDataCreate(kCFAllocatorDefault, cert->derCert.data, cert->derCert.length)), out);
        require((cfCert = SecCertificateCreateWithData(kCFAllocatorDefault, certData)), out);
        CFArrayAppendValue(certArray, cfCert);
        CFReleaseNull(cfCert);
        CFReleaseNull(certData);
        cert=cert->next;
    }

    return certArray;

out:
    CFReleaseNull(cfCert);
    CFReleaseNull(certData);
    CFReleaseNull(certArray);
    return NULL;
}

int
tls_verify_peer_cert(SSLContext *ctx)
{
    int err = 0;
    OSStatus st;

    /* Note: A verification failure here does not cause the function to return an error.
       This will allow the handshake to continue, coreTLS will eventually returns an error,
       after sending the appropriate alert messages, based on the trust value set with the
       call to tls_handshake_set_peer_trust(). In some case a verification failure here is 
       normal, for example if there is no cert (eg: PSK and Anon DH ciphersuites) */

    st = sslVerifyCertChain(ctx);
    tls_handshake_trust_t trust;
    switch (st) {
        case errSecSuccess:
            trust = tls_handshake_trust_ok;
            break;
        case errSSLUnknownRootCert:
        case errSSLNoRootCert:
            trust = tls_handshake_trust_unknown_root;
            break;
        case errSSLCertExpired:
        case errSSLCertNotYetValid:
            trust = tls_handshake_trust_cert_expired;
            break;
        case errSSLXCertChainInvalid:
        default:
            trust = tls_handshake_trust_cert_invalid;
            break;
    }

    tls_handshake_set_peer_trust(ctx->hdsk, trust);

    /* Now that trust has been (possibly) evaluated,
       we check if we need to break out of the handshake */
    if(ctx->protocolSide == kSSLServerSide) {
        /*
         * Schedule return to the caller to verify the client's identity.
         * This will return even if there was no client cert sent.
         */
        if (ctx->breakOnClientAuth) {
            err = errSSLClientAuthCompleted;
        }
    } else if(ctx->peerSecTrust) {
        /*
         * Schedule return to the caller to verify the server's identity.
         * This will only return if a server cert was sent. In other cases
         * such as PSK and AnonDH, we don't want to break out of the handshake.
         */
        if (ctx->breakOnServerAuth) {
            err = errSSLServerAuthCompleted;
        }
    }

    return err;
}

/*
 * After ciphersuite negotiation is complete, verify that we have
 * the capability of actually performing the selected cipher.
 * Currently we just verify that we have a cert and private signing
 * key, if needed, and that the signing key's algorithm matches the
 * expected key exchange method.
 *
 * This is currently called from FindCipherSpec(), after it sets
 * ctx->selectedCipherSpec to a (supposedly) valid value, and from
 * sslBuildCipherSpecArray(), in server mode (pre-negotiation) only.
 */

#if 0
OSStatus sslVerifySelectedCipher(SSLContext *ctx)
{

    if(ctx->protocolSide == kSSLClientSide) {
        return errSecSuccess;
    }
#if SSL_PAC_SERVER_ENABLE
    if((ctx->masterSecretCallback != NULL) &&
       (ctx->sessionTicket.data != NULL)) {
            /* EAP via PAC resumption; we can do it */
	return errSecSuccess;
    }
#endif	/* SSL_PAC_SERVER_ENABLE */

    CFIndex requireAlg;
    switch (ctx->selectedCipherSpecParams.keyExchangeMethod) {
        case SSL_RSA:
        case SSL_RSA_EXPORT:
	case SSL_DH_RSA:
	case SSL_DH_RSA_EXPORT:
	case SSL_DHE_RSA:
	case SSL_DHE_RSA_EXPORT:
            requireAlg = kSecRSAAlgorithmID;
            break;
 	case SSL_DHE_DSS:
	case SSL_DHE_DSS_EXPORT:
 	case SSL_DH_DSS:
	case SSL_DH_DSS_EXPORT:
            requireAlg = kSecDSAAlgorithmID;
            break;
	case SSL_DH_anon:
	case SSL_DH_anon_EXPORT:
        case TLS_PSK:
            requireAlg = kSecNullAlgorithmID; /* no signing key */
            break;
        /*
         * When SSL_ECDSA_SERVER is true and we support ECDSA on the server side,
         * we'll need to add some logic here...
         */
#if SSL_ECDSA_SERVER
        case SSL_ECDHE_ECDSA:
        case SSL_ECDHE_RSA:
        case SSL_ECDH_ECDSA:
        case SSL_ECDH_RSA:
        case SSL_ECDH_anon:
            requireAlg = kSecECDSAAlgorithmID;
            break;
#endif

	default:
            /* needs update per cipherSpecs.c */
            assert(0);
            sslErrorLog("sslVerifySelectedCipher: unknown key exchange method\n");
            return errSSLInternal;
    }

    if(requireAlg == kSecNullAlgorithmID) {
	return errSecSuccess;
    }

    /* private signing key required */
    if(ctx->signingPrivKeyRef == NULL) {
	sslErrorLog("sslVerifySelectedCipher: no signing key\n");
	return errSSLBadConfiguration;
    }

    /* Check the alg of our signing key. */
    CFIndex keyAlg = sslPrivKeyGetAlgorithmID(ctx->signingPrivKeyRef);
    if (requireAlg != keyAlg) {
	sslErrorLog("sslVerifySelectedCipher: signing key alg mismatch\n");
	return errSSLBadConfiguration;
    }

    return errSecSuccess;
}

#endif
Commit	Line	Data
d8f41ccd A	1	/*
	2	* Copyright (c) 2006-2014 Apple Inc. All Rights Reserved.
	3	*
	4	* @APPLE_LICENSE_HEADER_START@
	5	*
	6	* This file contains Original Code and/or Modifications of Original Code
	7	* as defined in and that are subject to the Apple Public Source License
	8	* Version 2.0 (the 'License'). You may not use this file except in
	9	* compliance with the License. Please obtain a copy of the License at
	10	* http://www.opensource.apple.com/apsl/ and read it before using this
	11	* file.
	12	*
	13	* The Original Code and all software distributed under the License are
	14	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
	15	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
	16	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
	17	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
	18	* Please see the License for the specific language governing rights and
	19	* limitations under the License.
	20	*
	21	* @APPLE_LICENSE_HEADER_END@
	22	*/
	23
	24	/*
	25	* sslCrypto.c - interface between SSL and crypto libraries
	26	*/
	27
	28	#include "sslCrypto.h"
	29	#include "sslContext.h"
	30	#include "sslMemory.h"
d8f41ccd A	31	#include "sslDebug.h"
	32
	33	#include <string.h>
	34	#include <stdlib.h>
	35	#include <assert.h>
	36
5c19dc3a	37	#include <Security/SecTrustPriv.h>
d8f41ccd A	38	#include <Security/SecPolicy.h>
	39	#include <Security/SecCertificate.h>
	40
	41	#include <AssertMacros.h>
	42	#include "utilities/SecCFRelease.h"
	43
	44	#if TARGET_OS_IPHONE
	45	#include <Security/SecRSAKey.h>
	46	#include <Security/SecECKey.h>
	47	#endif
	48
fa7225c8 A	49	#include <tls_helpers.h>
fa7225c8 A	50
d8f41ccd A	51	/*
	52	* Get algorithm id for a SSLPubKey object.
	53	*/
	54	CFIndex sslPubKeyGetAlgorithmID(SecKeyRef pubKey)
	55	{
	56	#if TARGET_OS_IPHONE
	57	return SecKeyGetAlgorithmID(pubKey);
	58	#else
	59	return SecKeyGetAlgorithmId(pubKey);
	60	#endif
	61	}
	62
	63	/*
	64	* Get algorithm id for a SSLPrivKey object.
	65	*/
	66	CFIndex sslPrivKeyGetAlgorithmID(SecKeyRef privKey)
	67	{
	68	#if TARGET_OS_IPHONE
	69	return SecKeyGetAlgorithmID(privKey);
	70	#else
	71	return SecKeyGetAlgorithmId(privKey);
	72	#endif
	73	}
	74
	75
	76	OSStatus
	77	sslCreateSecTrust(
	78	SSLContext *ctx,
d8f41ccd A	79	SecTrustRef pTrust) / RETURNED */
	80	{
	81	OSStatus status = errSecAllocate;
d8f41ccd	82	SecTrustRef trust = NULL;
d8f41ccd	83
fa7225c8	84	require_noerr(status = tls_helper_create_peer_trust(ctx->hdsk, ctx->protocolSide==kSSLServerSide, &trust), errOut);
5c19dc3a	85
d8f41ccd	86	/* If we have trustedAnchors we set them here. */
fa7225c8 A	87	if (trust && ctx->trustedCerts) {
	88	require_noerr(status = SecTrustSetAnchorCertificates(trust, ctx->trustedCerts), errOut);
	89	require_noerr(status = SecTrustSetAnchorCertificatesOnly(trust, ctx->trustedCertsOnly), errOut);
d8f41ccd A	90	}
	91
	92	status = errSecSuccess;
	93
	94	errOut:
fa7225c8 A	95	if(status != noErr) {
	96	CFReleaseSafe(trust);
	97	*pTrust = NULL;
	98	} else {
	99	*pTrust = trust;
	100	}
d8f41ccd A	101
	102	return status;
	103	}
	104
fa7225c8	105	#if !TARGET_OS_IPHONE
d8f41ccd A	106	/* Return the first certificate reference from the supplied array
	107	* whose data matches the given certificate, or NULL if none match.
	108	*/
	109	static
	110	SecCertificateRef
	111	sslGetMatchingCertInArray(
	112	SecCertificateRef certRef,
	113	CFArrayRef certArray)
	114	{
	115	SecCertificateRef matchedCert = NULL;
	116
	117	if (certRef == NULL \|\| certArray == NULL) {
	118	return NULL;
	119	}
	120
	121	CFDataRef certData = SecCertificateCopyData(certRef);
	122	if (certData) {
	123	CFIndex idx, count = CFArrayGetCount(certArray);
	124	for(idx=0; idx<count; idx++) {
	125	SecCertificateRef aCert = (SecCertificateRef)CFArrayGetValueAtIndex(certArray, idx);
	126	CFDataRef aData = SecCertificateCopyData(aCert);
	127	if (aData && CFEqual(aData, certData)) {
	128	matchedCert = aCert;
	129	}
	130	CFReleaseSafe(aData);
	131	if (matchedCert)
	132	break;
	133	}
	134	CFReleaseSafe(certData);
	135	}
	136
	137	return matchedCert;
	138	}
fa7225c8	139	#endif
d8f41ccd A	140
	141	/*
	142	* Verify a chain of DER-encoded certs.
d8f41ccd A	143	*/
d8f41ccd A	144	static OSStatus sslVerifyCertChain(
fa7225c8	145	SSLContext *ctx)
d8f41ccd A	146	{
	147	OSStatus status;
	148	SecTrustRef trust = NULL;
	149
5c19dc3a A	150	/* renegotiate - start with a new SecTrustRef */
5c19dc3a A	151	CFReleaseNull(ctx->peerSecTrust);
d8f41ccd	152
fa7225c8 A	153	/* on failure, we always return trust==NULL, so we don't check the returned status here */
	154	sslCreateSecTrust(ctx, &trust);
	155
	156	if(trust==NULL) {
5c19dc3a A	157	if(ctx->protocolSide == kSSLClientSide) {
	158	/* No cert chain is always a trust failure on the server side */
	159	status = errSSLXCertChainInvalid;
	160	sslErrorLog("***Error: NULL server cert chain\n");
	161	} else {
	162	/* No cert chain on the client side is ok unless using kAlwaysAuthenticate */
	163	if(ctx->clientAuth == kAlwaysAuthenticate) {
	164	sslErrorLog("***Error: NULL client cert chain\n");
	165	status = errSSLXCertChainInvalid;
	166	} else {
	167	status = noErr;
	168	}
	169	}
d87e1158 A	170	goto errOut;
	171	}
	172
d8f41ccd A	173
	174	if (!ctx->enableCertVerify) {
	175	/* trivial case, this is caller's responsibility */
	176	status = errSecSuccess;
	177	goto errOut;
	178	}
	179
	180	SecTrustResultType secTrustResult;
	181	require_noerr(status = SecTrustEvaluate(trust, &secTrustResult), errOut);
	182	switch (secTrustResult) {
	183	case kSecTrustResultUnspecified:
	184	/* cert chain valid, no special UserTrust assignments */
	185	case kSecTrustResultProceed:
	186	/* cert chain valid AND user explicitly trusts this */
	187	status = errSecSuccess;
	188	break;
	189	case kSecTrustResultDeny:
	190	case kSecTrustResultConfirm:
	191	case kSecTrustResultRecoverableTrustFailure:
	192	default:
	193	if(ctx->allowAnyRoot) {
	194	sslErrorLog("***Warning: accepting unverified cert chain\n");
	195	status = errSecSuccess;
	196	}
	197	else {
fa7225c8	198	#if !TARGET_OS_IPHONE
d8f41ccd A	199	/*
	200	* If the caller provided a list of trusted leaf certs, check them here
	201	*/
fa7225c8 A	202	if(ctx->trustedLeafCerts) {
	203	if (sslGetMatchingCertInArray(SecTrustGetCertificateAtIndex(trust, 0),
	204	ctx->trustedLeafCerts)) {
	205	status = errSecSuccess;
	206	goto errOut;
	207	}
	208	}
	209	#endif
d8f41ccd A	210	status = errSSLXCertChainInvalid;
	211	}
	212	/* Do we really need to return things like:
	213	errSSLNoRootCert
	214	errSSLUnknownRootCert
	215	errSSLCertExpired
	216	errSSLCertNotYetValid
	217	errSSLHostNameMismatch
	218	for our client to see what went wrong, or should we just always
	219	return
	220	errSSLXCertChainInvalid
	221	when something is wrong? */
	222	break;
	223	}
	224
	225	errOut:
5c19dc3a	226	ctx->peerSecTrust = trust;
d8f41ccd A	227
	228	return status;
	229	}
	230
d8f41ccd A	231	/* Convert cert in DER format into an CFArray of SecCertificateRef */
	232	CFArrayRef
	233	tls_get_peer_certs(const SSLCertificate *certs)
	234	{
	235	const SSLCertificate *cert;
	236
	237	CFMutableArrayRef certArray = NULL;
	238	CFDataRef certData = NULL;
	239	SecCertificateRef cfCert = NULL;
	240
	241	certArray = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks);
	242	require(certArray, out);
	243	cert = certs;
	244	while(cert) {
	245	require((certData = CFDataCreate(kCFAllocatorDefault, cert->derCert.data, cert->derCert.length)), out);
	246	require((cfCert = SecCertificateCreateWithData(kCFAllocatorDefault, certData)), out);
	247	CFArrayAppendValue(certArray, cfCert);
	248	CFReleaseNull(cfCert);
	249	CFReleaseNull(certData);
	250	cert=cert->next;
	251	}
	252
	253	return certArray;
	254
	255	out:
	256	CFReleaseNull(cfCert);
	257	CFReleaseNull(certData);
	258	CFReleaseNull(certArray);
	259	return NULL;
	260	}
	261
	262	int
	263	tls_verify_peer_cert(SSLContext *ctx)
	264	{
5c19dc3a A	265	int err = 0;
5c19dc3a A	266	OSStatus st;
d8f41ccd	267
5c19dc3a A	268	/* Note: A verification failure here does not cause the function to return an error.
	269	This will allow the handshake to continue, coreTLS will eventually returns an error,
	270	after sending the appropriate alert messages, based on the trust value set with the
	271	call to tls_handshake_set_peer_trust(). In some case a verification failure here is
	272	normal, for example if there is no cert (eg: PSK and Anon DH ciphersuites) */
d8f41ccd	273
fa7225c8	274	st = sslVerifyCertChain(ctx);
d8f41ccd	275	tls_handshake_trust_t trust;
5c19dc3a	276	switch (st) {
d8f41ccd A	277	case errSecSuccess:
	278	trust = tls_handshake_trust_ok;
	279	break;
	280	case errSSLUnknownRootCert:
	281	case errSSLNoRootCert:
	282	trust = tls_handshake_trust_unknown_root;
	283	break;
	284	case errSSLCertExpired:
	285	case errSSLCertNotYetValid:
	286	trust = tls_handshake_trust_cert_expired;
	287	break;
	288	case errSSLXCertChainInvalid:
	289	default:
	290	trust = tls_handshake_trust_cert_invalid;
	291	break;
	292	}
	293
	294	tls_handshake_set_peer_trust(ctx->hdsk, trust);
	295
5c19dc3a A	296	/* Now that trust has been (possibly) evaluated,
5c19dc3a A	297	we check if we need to break out of the handshake */
d8f41ccd A	298	if(ctx->protocolSide == kSSLServerSide) {
	299	/*
	300	* Schedule return to the caller to verify the client's identity.
5c19dc3a	301	* This will return even if there was no client cert sent.
d8f41ccd A	302	*/
	303	if (ctx->breakOnClientAuth) {
	304	err = errSSLClientAuthCompleted;
	305	}
fa7225c8	306	} else if(ctx->peerSecTrust) {
d8f41ccd A	307	/*
d8f41ccd A	308	* Schedule return to the caller to verify the server's identity.
5c19dc3a A	309	* This will only return if a server cert was sent. In other cases
5c19dc3a A	310	* such as PSK and AnonDH, we don't want to break out of the handshake.
d8f41ccd A	311	*/
	312	if (ctx->breakOnServerAuth) {
	313	err = errSSLServerAuthCompleted;
	314	}
	315	}
	316
d8f41ccd A	317	return err;
	318	}
	319
	320	/*
	321	* After ciphersuite negotiation is complete, verify that we have
	322	* the capability of actually performing the selected cipher.
	323	* Currently we just verify that we have a cert and private signing
	324	* key, if needed, and that the signing key's algorithm matches the
	325	* expected key exchange method.
	326	*
	327	* This is currently called from FindCipherSpec(), after it sets
	328	* ctx->selectedCipherSpec to a (supposedly) valid value, and from
	329	* sslBuildCipherSpecArray(), in server mode (pre-negotiation) only.
	330	*/
	331
	332	#if 0
	333	OSStatus sslVerifySelectedCipher(SSLContext *ctx)
	334	{
	335
	336	if(ctx->protocolSide == kSSLClientSide) {
	337	return errSecSuccess;
	338	}
	339	#if SSL_PAC_SERVER_ENABLE
	340	if((ctx->masterSecretCallback != NULL) &&
	341	(ctx->sessionTicket.data != NULL)) {
	342	/* EAP via PAC resumption; we can do it */
	343	return errSecSuccess;
	344	}
	345	#endif /* SSL_PAC_SERVER_ENABLE */
	346
	347	CFIndex requireAlg;
	348	switch (ctx->selectedCipherSpecParams.keyExchangeMethod) {
	349	case SSL_RSA:
	350	case SSL_RSA_EXPORT:
	351	case SSL_DH_RSA:
	352	case SSL_DH_RSA_EXPORT:
	353	case SSL_DHE_RSA:
	354	case SSL_DHE_RSA_EXPORT:
	355	requireAlg = kSecRSAAlgorithmID;
	356	break;
	357	case SSL_DHE_DSS:
	358	case SSL_DHE_DSS_EXPORT:
	359	case SSL_DH_DSS:
	360	case SSL_DH_DSS_EXPORT:
	361	requireAlg = kSecDSAAlgorithmID;
	362	break;
	363	case SSL_DH_anon:
	364	case SSL_DH_anon_EXPORT:
	365	case TLS_PSK:
	366	requireAlg = kSecNullAlgorithmID; /* no signing key */
	367	break;
	368	/*
	369	* When SSL_ECDSA_SERVER is true and we support ECDSA on the server side,
	370	* we'll need to add some logic here...
	371	*/
	372	#if SSL_ECDSA_SERVER
	373	case SSL_ECDHE_ECDSA:
	374	case SSL_ECDHE_RSA:
	375	case SSL_ECDH_ECDSA:
	376	case SSL_ECDH_RSA:
	377	case SSL_ECDH_anon:
	378	requireAlg = kSecECDSAAlgorithmID;
	379	break;
	380	#endif
381
382	default:
383	/* needs update per cipherSpecs.c */
384	assert(0);
385	sslErrorLog("sslVerifySelectedCipher: unknown key exchange method\n");
386	return errSSLInternal;
387	}
388
389	if(requireAlg == kSecNullAlgorithmID) {
390	return errSecSuccess;
391	}
392
393	/* private signing key required */
394	if(ctx->signingPrivKeyRef == NULL) {
395	sslErrorLog("sslVerifySelectedCipher: no signing key\n");
396	return errSSLBadConfiguration;
397	}
398
399	/* Check the alg of our signing key. */
400	CFIndex keyAlg = sslPrivKeyGetAlgorithmID(ctx->signingPrivKeyRef);
401	if (requireAlg != keyAlg) {
402	sslErrorLog("sslVerifySelectedCipher: signing key alg mismatch\n");
403	return errSSLBadConfiguration;
404	}
405
406	return errSecSuccess;
407	}
408
409	#endif