[apple/security.git] / Security / libsecurity_ssl / lib / sslCrypto.c

/*
 * Copyright (c) 2006-2014 Apple Inc. All Rights Reserved.
 *
 * @APPLE_LICENSE_HEADER_START@
 * 
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 * 
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 * 
 * @APPLE_LICENSE_HEADER_END@
 */

/*
 * sslCrypto.c - interface between SSL and crypto libraries
 */

#include "sslCrypto.h"
#include "sslContext.h"
#include "sslMemory.h"
#include "sslUtils.h"
#include "sslDebug.h"

#include <string.h>
#include <stdlib.h>
#include <assert.h>

#include <Security/SecTrust.h>
#include <Security/SecPolicy.h>
#include <Security/SecCertificate.h>

#include <AssertMacros.h>
#include "utilities/SecCFRelease.h"

#if TARGET_OS_IPHONE
#include <Security/SecRSAKey.h>
#include <Security/SecECKey.h>
#endif

/*
 * Get algorithm id for a SSLPubKey object.
 */
CFIndex sslPubKeyGetAlgorithmID(SecKeyRef pubKey)
{
#if TARGET_OS_IPHONE
	return SecKeyGetAlgorithmID(pubKey);
#else
	return SecKeyGetAlgorithmId(pubKey);
#endif
}

/*
 * Get algorithm id for a SSLPrivKey object.
 */
CFIndex sslPrivKeyGetAlgorithmID(SecKeyRef privKey)
{
#if TARGET_OS_IPHONE
	return SecKeyGetAlgorithmID(privKey);
#else
	return SecKeyGetAlgorithmId(privKey);
#endif
}


OSStatus
sslCreateSecTrust(
	SSLContext				*ctx,
	CFArrayRef				certChain,
	bool					arePeerCerts,
    SecTrustRef             *pTrust)	/* RETURNED */
{
	OSStatus status = errSecAllocate;
	CFStringRef peerDomainName = NULL;
	CFTypeRef policies = NULL;
	SecTrustRef trust = NULL;
    const char *peerDomainNameData = NULL;
    size_t peerDomainNameLen = 0;

    if(ctx->protocolSide==kSSLClientSide) {
        tls_handshake_get_peer_hostname(ctx->hdsk, &peerDomainNameData, &peerDomainNameLen);
    }

    if (CFArrayGetCount(certChain) == 0) {
		status = errSSLBadCert;
		goto errOut;
	}

	if (arePeerCerts) {
		if (peerDomainNameLen && peerDomainNameData) {
			CFIndex len = peerDomainNameLen;
			if (peerDomainNameData[len - 1] == 0) {
				len--;
				//secwarning("peerDomainName is zero terminated!");
			}
			/* @@@ Double check that this is the correct encoding. */
			require(peerDomainName = CFStringCreateWithBytes(kCFAllocatorDefault,
				(const UInt8 *)peerDomainNameData, len,
				kCFStringEncodingUTF8, false), errOut);
		}
	}
    /* If we are the client, our peer certificates must satisfy the
       ssl server policy. */
    bool server = ctx->protocolSide == kSSLClientSide;
	require(policies = SecPolicyCreateSSL(server, peerDomainName), errOut);

	require_noerr(status = SecTrustCreateWithCertificates(certChain, policies,
		&trust), errOut);

	/* If we have trustedAnchors we set them here. */
    if (ctx->trustedCerts) {
        require_noerr(status = SecTrustSetAnchorCertificates(trust,
            ctx->trustedCerts), errOut);
        require_noerr(status = SecTrustSetAnchorCertificatesOnly(trust,
            ctx->trustedCertsOnly), errOut);
    }

    status = errSecSuccess;

errOut:
	CFReleaseSafe(peerDomainName);
	CFReleaseSafe(policies);

	*pTrust = trust;

	return status;
}

/* Return the first certificate reference from the supplied array
 * whose data matches the given certificate, or NULL if none match.
 */
static
SecCertificateRef
sslGetMatchingCertInArray(
	SecCertificateRef	certRef,
	CFArrayRef			certArray)
{
	SecCertificateRef matchedCert = NULL;

	if (certRef == NULL || certArray == NULL) {
		return NULL;
	}

	CFDataRef certData = SecCertificateCopyData(certRef);
	if (certData) {
		CFIndex idx, count = CFArrayGetCount(certArray);
		for(idx=0; idx<count; idx++) {
			SecCertificateRef aCert = (SecCertificateRef)CFArrayGetValueAtIndex(certArray, idx);
			CFDataRef aData = SecCertificateCopyData(aCert);
			if (aData && CFEqual(aData, certData)) {
				matchedCert = aCert;
			}
			CFReleaseSafe(aData);
			if (matchedCert)
				break;
		}
		CFReleaseSafe(certData);
	}

    return matchedCert;
}

/*
 * Verify a chain of DER-encoded certs.
 * Last cert in a chain is the leaf; this must also be present
 * in ctx->trustedCerts.
 *
 * If arePeerCerts is true, host name verification is enabled and we
 * save the resulting SecTrustRef in ctx->peerSecTrust. Otherwise
 * we're just validating our own certs; no host name checking and
 * peerSecTrust is transient.
 */
static OSStatus sslVerifyCertChain(
	SSLContext				*ctx,
	CFArrayRef				certChain,
	bool					arePeerCerts)
{
	OSStatus status;
	SecTrustRef trust = NULL;

    assert(certChain);

    if (arePeerCerts) {
		/* renegotiate - start with a new SecTrustRef */
        CFReleaseNull(ctx->peerSecTrust);
    }

	status = sslCreateSecTrust(ctx, certChain, arePeerCerts, &trust);

	if (!ctx->enableCertVerify) {
		/* trivial case, this is caller's responsibility */
		status = errSecSuccess;
		goto errOut;
	}

	SecTrustResultType secTrustResult;
	require_noerr(status = SecTrustEvaluate(trust, &secTrustResult), errOut);
	switch (secTrustResult) {
        case kSecTrustResultUnspecified:
            /* cert chain valid, no special UserTrust assignments */
        case kSecTrustResultProceed:
            /* cert chain valid AND user explicitly trusts this */
            status = errSecSuccess;
            break;
        case kSecTrustResultDeny:
        case kSecTrustResultConfirm:
        case kSecTrustResultRecoverableTrustFailure:
        default:
            if(ctx->allowAnyRoot) {
                sslErrorLog("***Warning: accepting unverified cert chain\n");
                status = errSecSuccess;
            }
            else {
				/*
				 * If the caller provided a list of trusted leaf certs, check them here
				 */
				if(ctx->trustedLeafCerts) {
					if (sslGetMatchingCertInArray((SecCertificateRef)CFArrayGetValueAtIndex(certChain, 0),
								ctx->trustedLeafCerts)) {
						status = errSecSuccess;
						goto errOut;
					}
				}
				status = errSSLXCertChainInvalid;
            }
            /* Do we really need to return things like:
                   errSSLNoRootCert
                   errSSLUnknownRootCert
                   errSSLCertExpired
                   errSSLCertNotYetValid
                   errSSLHostNameMismatch
               for our client to see what went wrong, or should we just always
               return
                   errSSLXCertChainInvalid
               when something is wrong? */
            break;
	}

errOut:
	if (arePeerCerts)
		ctx->peerSecTrust = trust;
	else
        CFReleaseSafe(trust);

	return status;
}

/* Extract public SecKeyRef from Certificate Chain */
static
int sslCopyPeerPubKey(const SSLCertificate *certchain,
                      SecKeyRef            *pubKey)
{
    int err;
    check(pubKey);
    SecTrustRef trust = NULL;
    const SSLCertificate *cert;
    CFMutableArrayRef certArray = NULL;
    CFDataRef certData = NULL;
    SecCertificateRef cfCert = NULL;

    err = errSSLInternal;

    certArray = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks);
    cert = certchain;
    while(cert) {
        require((certData = CFDataCreate(kCFAllocatorDefault, cert->derCert.data, cert->derCert.length)), out);
        require((cfCert = SecCertificateCreateWithData(kCFAllocatorDefault, certData)), out);
        CFArrayAppendValue(certArray, cfCert);
        CFReleaseNull(cfCert);
        CFReleaseNull(certData);
        cert=cert->next;
    }

    require_noerr((err=SecTrustCreateWithCertificates(certArray, NULL, &trust)), out);
    SecKeyRef key = SecTrustCopyPublicKey(trust);
    require_action(key, out, err=-9808); // errSSLBadCert

    *pubKey = key;

    err = errSecSuccess;

out:
    CFReleaseSafe(certData);
    CFReleaseSafe(cfCert);
    CFReleaseSafe(trust);
    CFReleaseSafe(certArray);

    return err;
}

/* Extract the pubkey from a cert chain, and send it to the tls_handshake context */
static int tls_set_peer_pubkey(tls_handshake_t hdsk, const SSLCertificate *certchain)
{
    int err;
    CFIndex algId;
    SecKeyRef pubkey = NULL;
    CFDataRef modulus = NULL;
    CFDataRef exponent = NULL;
    CFDataRef ecpubdata = NULL;

#if 0
    { /* dump certs */
        int i=0;
        int j;
        const SSLCertificate *tmp = certchain;
        while(tmp) {
            printf("cert%d[] = {", i);
            for(j=0; j<tmp->derCert.length; j++) {
                if((j&0xf)==0)
                    printf("\n");
                printf("0x%02x, ", tmp->derCert.data[j]);
            }
            printf("}\n");
            tmp=tmp->next;
            i++;
        }
    }
#endif

    require_noerr((err=sslCopyPeerPubKey(certchain, &pubkey)), errOut);

#if TARGET_OS_IPHONE
	algId = SecKeyGetAlgorithmID(pubkey);
#else
	algId = SecKeyGetAlgorithmId(pubkey);
#endif

    err = errSSLCrypto;

    switch(algId) {
        case kSecRSAAlgorithmID:
        {
            require((modulus = SecKeyCopyModulus(pubkey)), errOut);
            require((exponent = SecKeyCopyExponent(pubkey)), errOut);

            tls_buffer mod;
            tls_buffer exp;

            mod.data = (uint8_t *)CFDataGetBytePtr(modulus);
            mod.length = CFDataGetLength(modulus);

            exp.data = (uint8_t *)CFDataGetBytePtr(exponent);
            exp.length = CFDataGetLength(exponent);

            err = tls_handshake_set_peer_rsa_public_key(hdsk, &mod, &exp);
            break;
        }
        case kSecECDSAAlgorithmID:
        {
            tls_named_curve curve = SecECKeyGetNamedCurve(pubkey);
            require((ecpubdata = SecECKeyCopyPublicBits(pubkey)), errOut);

            tls_buffer pubdata;
            pubdata.data = (uint8_t *)CFDataGetBytePtr(ecpubdata);
            pubdata.length = CFDataGetLength(ecpubdata);

            err = tls_handshake_set_peer_ec_public_key(hdsk, curve, &pubdata);

            break;
        }
        default:
            break;
    }

errOut:
    CFReleaseSafe(pubkey);
    CFReleaseSafe(modulus);
    CFReleaseSafe(exponent);
    CFReleaseSafe(ecpubdata);
    
    return err;
}

/* Convert cert in DER format into an CFArray of SecCertificateRef */
CFArrayRef
tls_get_peer_certs(const SSLCertificate *certs)
{
    const SSLCertificate *cert;

    CFMutableArrayRef certArray = NULL;
    CFDataRef certData = NULL;
    SecCertificateRef cfCert = NULL;

    certArray = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks);
    require(certArray, out);
    cert = certs;
    while(cert) {
        require((certData = CFDataCreate(kCFAllocatorDefault, cert->derCert.data, cert->derCert.length)), out);
        require((cfCert = SecCertificateCreateWithData(kCFAllocatorDefault, certData)), out);
        CFArrayAppendValue(certArray, cfCert);
        CFReleaseNull(cfCert);
        CFReleaseNull(certData);
        cert=cert->next;
    }

    return certArray;

out:
    CFReleaseNull(cfCert);
    CFReleaseNull(certData);
    CFReleaseNull(certArray);
    return NULL;
}

int
tls_verify_peer_cert(SSLContext *ctx)
{
    int err;
    const SSLCertificate *certs;

    certs = tls_handshake_get_peer_certificates(ctx->hdsk);
    CFReleaseNull(ctx->peerCert);
    ctx->peerCert = tls_get_peer_certs(certs);

    err = sslVerifyCertChain(ctx, ctx->peerCert, true);
    tls_handshake_trust_t trust;
    switch (err) {
        case errSecSuccess:
            trust = tls_handshake_trust_ok;
            break;
        case errSSLUnknownRootCert:
        case errSSLNoRootCert:
            trust = tls_handshake_trust_unknown_root;
            break;
        case errSSLCertExpired:
        case errSSLCertNotYetValid:
            trust = tls_handshake_trust_cert_expired;
            break;
        case errSSLXCertChainInvalid:
        default:
            trust = tls_handshake_trust_cert_invalid;
            break;
    }

    tls_handshake_set_peer_trust(ctx->hdsk, trust);

    if(err)
        goto out;

    /* Set the public key */
    tls_set_peer_pubkey(ctx->hdsk, certs);

    /* Now that cert verification is done, update context state */
    /* (this code was formerly in SSLProcessHandshakeMessage, */
    /* directly after the return from SSLProcessCertificate) */
    if(ctx->protocolSide == kSSLServerSide) {
        /*
         * Schedule return to the caller to verify the client's identity.
         * Note that an error during processing will cause early
         * termination of the handshake.
         */
        if (ctx->breakOnClientAuth) {
            err = errSSLClientAuthCompleted;
        }
    } else {
        /*
         * Schedule return to the caller to verify the server's identity.
         * Note that an error during processing will cause early
         * termination of the handshake.
         */
        if (ctx->breakOnServerAuth) {
            err = errSSLServerAuthCompleted;
        }
    }

out:

    return err;
}

/*
 * After ciphersuite negotiation is complete, verify that we have
 * the capability of actually performing the selected cipher.
 * Currently we just verify that we have a cert and private signing
 * key, if needed, and that the signing key's algorithm matches the
 * expected key exchange method.
 *
 * This is currently called from FindCipherSpec(), after it sets
 * ctx->selectedCipherSpec to a (supposedly) valid value, and from
 * sslBuildCipherSpecArray(), in server mode (pre-negotiation) only.
 */

#if 0
OSStatus sslVerifySelectedCipher(SSLContext *ctx)
{

    if(ctx->protocolSide == kSSLClientSide) {
        return errSecSuccess;
    }
#if SSL_PAC_SERVER_ENABLE
    if((ctx->masterSecretCallback != NULL) &&
       (ctx->sessionTicket.data != NULL)) {
            /* EAP via PAC resumption; we can do it */
	return errSecSuccess;
    }
#endif	/* SSL_PAC_SERVER_ENABLE */

    CFIndex requireAlg;
    switch (ctx->selectedCipherSpecParams.keyExchangeMethod) {
        case SSL_RSA:
        case SSL_RSA_EXPORT:
	case SSL_DH_RSA:
	case SSL_DH_RSA_EXPORT:
	case SSL_DHE_RSA:
	case SSL_DHE_RSA_EXPORT:
            requireAlg = kSecRSAAlgorithmID;
            break;
 	case SSL_DHE_DSS:
	case SSL_DHE_DSS_EXPORT:
 	case SSL_DH_DSS:
	case SSL_DH_DSS_EXPORT:
            requireAlg = kSecDSAAlgorithmID;
            break;
	case SSL_DH_anon:
	case SSL_DH_anon_EXPORT:
        case TLS_PSK:
            requireAlg = kSecNullAlgorithmID; /* no signing key */
            break;
        /*
         * When SSL_ECDSA_SERVER is true and we support ECDSA on the server side,
         * we'll need to add some logic here...
         */
#if SSL_ECDSA_SERVER
        case SSL_ECDHE_ECDSA:
        case SSL_ECDHE_RSA:
        case SSL_ECDH_ECDSA:
        case SSL_ECDH_RSA:
        case SSL_ECDH_anon:
            requireAlg = kSecECDSAAlgorithmID;
            break;
#endif

	default:
            /* needs update per cipherSpecs.c */
            assert(0);
            sslErrorLog("sslVerifySelectedCipher: unknown key exchange method\n");
            return errSSLInternal;
    }

    if(requireAlg == kSecNullAlgorithmID) {
	return errSecSuccess;
    }

    /* private signing key required */
    if(ctx->signingPrivKeyRef == NULL) {
	sslErrorLog("sslVerifySelectedCipher: no signing key\n");
	return errSSLBadConfiguration;
    }

    /* Check the alg of our signing key. */
    CFIndex keyAlg = sslPrivKeyGetAlgorithmID(ctx->signingPrivKeyRef);
    if (requireAlg != keyAlg) {
	sslErrorLog("sslVerifySelectedCipher: signing key alg mismatch\n");
	return errSSLBadConfiguration;
    }

    return errSecSuccess;
}

#endif
Commit	Line	Data
d8f41ccd A	1	/*
	2	* Copyright (c) 2006-2014 Apple Inc. All Rights Reserved.
	3	*
	4	* @APPLE_LICENSE_HEADER_START@
	5	*
	6	* This file contains Original Code and/or Modifications of Original Code
	7	* as defined in and that are subject to the Apple Public Source License
	8	* Version 2.0 (the 'License'). You may not use this file except in
	9	* compliance with the License. Please obtain a copy of the License at
	10	* http://www.opensource.apple.com/apsl/ and read it before using this
	11	* file.
	12	*
	13	* The Original Code and all software distributed under the License are
	14	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
	15	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
	16	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
	17	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
	18	* Please see the License for the specific language governing rights and
	19	* limitations under the License.
	20	*
	21	* @APPLE_LICENSE_HEADER_END@
	22	*/
	23
	24	/*
	25	* sslCrypto.c - interface between SSL and crypto libraries
	26	*/
	27
	28	#include "sslCrypto.h"
	29	#include "sslContext.h"
	30	#include "sslMemory.h"
	31	#include "sslUtils.h"
	32	#include "sslDebug.h"
	33
	34	#include <string.h>
	35	#include <stdlib.h>
	36	#include <assert.h>
	37
	38	#include <Security/SecTrust.h>
	39	#include <Security/SecPolicy.h>
	40	#include <Security/SecCertificate.h>
	41
	42	#include <AssertMacros.h>
	43	#include "utilities/SecCFRelease.h"
	44
	45	#if TARGET_OS_IPHONE
	46	#include <Security/SecRSAKey.h>
	47	#include <Security/SecECKey.h>
	48	#endif
	49
	50	/*
	51	* Get algorithm id for a SSLPubKey object.
	52	*/
	53	CFIndex sslPubKeyGetAlgorithmID(SecKeyRef pubKey)
	54	{
	55	#if TARGET_OS_IPHONE
	56	return SecKeyGetAlgorithmID(pubKey);
	57	#else
	58	return SecKeyGetAlgorithmId(pubKey);
	59	#endif
	60	}
	61
	62	/*
	63	* Get algorithm id for a SSLPrivKey object.
	64	*/
65	CFIndex sslPrivKeyGetAlgorithmID(SecKeyRef privKey)
66	{
67	#if TARGET_OS_IPHONE
68	return SecKeyGetAlgorithmID(privKey);
69	#else
70	return SecKeyGetAlgorithmId(privKey);
71	#endif
72	}
73
74
75	OSStatus
76	sslCreateSecTrust(
77	SSLContext *ctx,
78	CFArrayRef certChain,
79	bool arePeerCerts,
80	SecTrustRef pTrust) / RETURNED */
81	{
82	OSStatus status = errSecAllocate;
83	CFStringRef peerDomainName = NULL;
84	CFTypeRef policies = NULL;
85	SecTrustRef trust = NULL;
86	const char *peerDomainNameData = NULL;
87	size_t peerDomainNameLen = 0;
88
89	if(ctx->protocolSide==kSSLClientSide) {
90	tls_handshake_get_peer_hostname(ctx->hdsk, &peerDomainNameData, &peerDomainNameLen);
91	}
92
93	if (CFArrayGetCount(certChain) == 0) {
94	status = errSSLBadCert;
95	goto errOut;
96	}
97
98	if (arePeerCerts) {
99	if (peerDomainNameLen && peerDomainNameData) {
100	CFIndex len = peerDomainNameLen;
101	if (peerDomainNameData[len - 1] == 0) {
102	len--;
103	//secwarning("peerDomainName is zero terminated!");
104	}
105	/* @@@ Double check that this is the correct encoding. */
106	require(peerDomainName = CFStringCreateWithBytes(kCFAllocatorDefault,
107	(const UInt8 *)peerDomainNameData, len,
108	kCFStringEncodingUTF8, false), errOut);
109	}
110	}
111	/* If we are the client, our peer certificates must satisfy the
112	ssl server policy. */
113	bool server = ctx->protocolSide == kSSLClientSide;
114	require(policies = SecPolicyCreateSSL(server, peerDomainName), errOut);
115
116	require_noerr(status = SecTrustCreateWithCertificates(certChain, policies,
117	&trust), errOut);
118
119	/* If we have trustedAnchors we set them here. */
120	if (ctx->trustedCerts) {
121	require_noerr(status = SecTrustSetAnchorCertificates(trust,
122	ctx->trustedCerts), errOut);
123	require_noerr(status = SecTrustSetAnchorCertificatesOnly(trust,
124	ctx->trustedCertsOnly), errOut);
125	}
126
127	status = errSecSuccess;
128
129	errOut:
130	CFReleaseSafe(peerDomainName);
131	CFReleaseSafe(policies);
132
133	*pTrust = trust;
134
135	return status;
136	}
137
138	/* Return the first certificate reference from the supplied array
139	* whose data matches the given certificate, or NULL if none match.
140	*/
141	static
142	SecCertificateRef
143	sslGetMatchingCertInArray(
144	SecCertificateRef certRef,
145	CFArrayRef certArray)
146	{
147	SecCertificateRef matchedCert = NULL;
148
149	if (certRef == NULL \|\| certArray == NULL) {
150	return NULL;
151	}
152
153	CFDataRef certData = SecCertificateCopyData(certRef);
154	if (certData) {
155	CFIndex idx, count = CFArrayGetCount(certArray);
156	for(idx=0; idx<count; idx++) {
157	SecCertificateRef aCert = (SecCertificateRef)CFArrayGetValueAtIndex(certArray, idx);
158	CFDataRef aData = SecCertificateCopyData(aCert);
159	if (aData && CFEqual(aData, certData)) {
160	matchedCert = aCert;
161	}
162	CFReleaseSafe(aData);
163	if (matchedCert)
164	break;
165	}
166	CFReleaseSafe(certData);
167	}
168
169	return matchedCert;
170	}
171
172	/*
173	* Verify a chain of DER-encoded certs.
174	* Last cert in a chain is the leaf; this must also be present
175	* in ctx->trustedCerts.
176	*
177	* If arePeerCerts is true, host name verification is enabled and we
178	* save the resulting SecTrustRef in ctx->peerSecTrust. Otherwise
179	* we're just validating our own certs; no host name checking and
180	* peerSecTrust is transient.
181	*/
182	static OSStatus sslVerifyCertChain(
183	SSLContext *ctx,
184	CFArrayRef certChain,
185	bool arePeerCerts)
186	{
187	OSStatus status;
188	SecTrustRef trust = NULL;
189
190	assert(certChain);
191
192	if (arePeerCerts) {
193	/* renegotiate - start with a new SecTrustRef */
194	CFReleaseNull(ctx->peerSecTrust);
195	}
196
197	status = sslCreateSecTrust(ctx, certChain, arePeerCerts, &trust);
198
199	if (!ctx->enableCertVerify) {
200	/* trivial case, this is caller's responsibility */
201	status = errSecSuccess;
202	goto errOut;
203	}
204
205	SecTrustResultType secTrustResult;
206	require_noerr(status = SecTrustEvaluate(trust, &secTrustResult), errOut);
207	switch (secTrustResult) {
208	case kSecTrustResultUnspecified:
209	/* cert chain valid, no special UserTrust assignments */
210	case kSecTrustResultProceed:
211	/* cert chain valid AND user explicitly trusts this */
212	status = errSecSuccess;
213	break;
214	case kSecTrustResultDeny:
215	case kSecTrustResultConfirm:
216	case kSecTrustResultRecoverableTrustFailure:
217	default:
218	if(ctx->allowAnyRoot) {
219	sslErrorLog("***Warning: accepting unverified cert chain\n");
220	status = errSecSuccess;
221	}
222	else {
223	/*
224	* If the caller provided a list of trusted leaf certs, check them here
225	*/
226	if(ctx->trustedLeafCerts) {
227	if (sslGetMatchingCertInArray((SecCertificateRef)CFArrayGetValueAtIndex(certChain, 0),
228	ctx->trustedLeafCerts)) {
229	status = errSecSuccess;
230	goto errOut;
231	}
232	}
233	status = errSSLXCertChainInvalid;
234	}
235	/* Do we really need to return things like:
236	errSSLNoRootCert
237	errSSLUnknownRootCert
238	errSSLCertExpired
239	errSSLCertNotYetValid
240	errSSLHostNameMismatch
241	for our client to see what went wrong, or should we just always
242	return
243	errSSLXCertChainInvalid
244	when something is wrong? */
245	break;
246	}
247
248	errOut:
249	if (arePeerCerts)
250	ctx->peerSecTrust = trust;
251	else
252	CFReleaseSafe(trust);
253
254	return status;
255	}
256
257	/* Extract public SecKeyRef from Certificate Chain */
258	static
259	int sslCopyPeerPubKey(const SSLCertificate *certchain,
260	SecKeyRef *pubKey)
261	{
262	int err;
263	check(pubKey);
264	SecTrustRef trust = NULL;
265	const SSLCertificate *cert;
266	CFMutableArrayRef certArray = NULL;
267	CFDataRef certData = NULL;
268	SecCertificateRef cfCert = NULL;
269
270	err = errSSLInternal;
271
272	certArray = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks);
273	cert = certchain;
274	while(cert) {
275	require((certData = CFDataCreate(kCFAllocatorDefault, cert->derCert.data, cert->derCert.length)), out);
276	require((cfCert = SecCertificateCreateWithData(kCFAllocatorDefault, certData)), out);
277	CFArrayAppendValue(certArray, cfCert);
278	CFReleaseNull(cfCert);
279	CFReleaseNull(certData);
280	cert=cert->next;
281	}
282
283	require_noerr((err=SecTrustCreateWithCertificates(certArray, NULL, &trust)), out);
284	SecKeyRef key = SecTrustCopyPublicKey(trust);
285	require_action(key, out, err=-9808); // errSSLBadCert
286
287	*pubKey = key;
288
289	err = errSecSuccess;
290
291	out:
292	CFReleaseSafe(certData);
293	CFReleaseSafe(cfCert);
294	CFReleaseSafe(trust);
295	CFReleaseSafe(certArray);
296
297	return err;
298	}
299
300	/* Extract the pubkey from a cert chain, and send it to the tls_handshake context */
301	static int tls_set_peer_pubkey(tls_handshake_t hdsk, const SSLCertificate *certchain)
302	{
303	int err;
304	CFIndex algId;
305	SecKeyRef pubkey = NULL;
306	CFDataRef modulus = NULL;
307	CFDataRef exponent = NULL;
308	CFDataRef ecpubdata = NULL;
309
310	#if 0
311	{ /* dump certs */
312	int i=0;
313	int j;
314	const SSLCertificate *tmp = certchain;
315	while(tmp) {
316	printf("cert%d[] = {", i);
317	for(j=0; j<tmp->derCert.length; j++) {
318	if((j&0xf)==0)
319	printf("\n");
320	printf("0x%02x, ", tmp->derCert.data[j]);
321	}
322	printf("}\n");
323	tmp=tmp->next;
324	i++;
325	}
326	}
327	#endif
328
329	require_noerr((err=sslCopyPeerPubKey(certchain, &pubkey)), errOut);
330
331	#if TARGET_OS_IPHONE
332	algId = SecKeyGetAlgorithmID(pubkey);
333	#else
334	algId = SecKeyGetAlgorithmId(pubkey);
335	#endif
336
337	err = errSSLCrypto;
338
339	switch(algId) {
340	case kSecRSAAlgorithmID:
341	{
342	require((modulus = SecKeyCopyModulus(pubkey)), errOut);
343	require((exponent = SecKeyCopyExponent(pubkey)), errOut);
344
345	tls_buffer mod;
346	tls_buffer exp;
347
348	mod.data = (uint8_t *)CFDataGetBytePtr(modulus);
349	mod.length = CFDataGetLength(modulus);
350
351	exp.data = (uint8_t *)CFDataGetBytePtr(exponent);
352	exp.length = CFDataGetLength(exponent);
353
354	err = tls_handshake_set_peer_rsa_public_key(hdsk, &mod, &exp);
355	break;
356	}
357	case kSecECDSAAlgorithmID:
358	{
359	tls_named_curve curve = SecECKeyGetNamedCurve(pubkey);
360	require((ecpubdata = SecECKeyCopyPublicBits(pubkey)), errOut);
361
362	tls_buffer pubdata;
363	pubdata.data = (uint8_t *)CFDataGetBytePtr(ecpubdata);
364	pubdata.length = CFDataGetLength(ecpubdata);
365
366	err = tls_handshake_set_peer_ec_public_key(hdsk, curve, &pubdata);
367
368	break;
369	}
370	default:
371	break;
372	}
373
374	errOut:
375	CFReleaseSafe(pubkey);
376	CFReleaseSafe(modulus);
377	CFReleaseSafe(exponent);
378	CFReleaseSafe(ecpubdata);
379
380	return err;
381	}
382
383	/* Convert cert in DER format into an CFArray of SecCertificateRef */
384	CFArrayRef
385	tls_get_peer_certs(const SSLCertificate *certs)
386	{
387	const SSLCertificate *cert;
388
389	CFMutableArrayRef certArray = NULL;
390	CFDataRef certData = NULL;
391	SecCertificateRef cfCert = NULL;
392
393	certArray = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks);
394	require(certArray, out);
395	cert = certs;
396	while(cert) {
397	require((certData = CFDataCreate(kCFAllocatorDefault, cert->derCert.data, cert->derCert.length)), out);
398	require((cfCert = SecCertificateCreateWithData(kCFAllocatorDefault, certData)), out);
399	CFArrayAppendValue(certArray, cfCert);
400	CFReleaseNull(cfCert);
401	CFReleaseNull(certData);
402	cert=cert->next;
403	}
404
405	return certArray;
406
407	out:
408	CFReleaseNull(cfCert);
409	CFReleaseNull(certData);
410	CFReleaseNull(certArray);
411	return NULL;
412	}
413
414	int
415	tls_verify_peer_cert(SSLContext *ctx)
416	{
417	int err;
418	const SSLCertificate *certs;
419
420	certs = tls_handshake_get_peer_certificates(ctx->hdsk);
421	CFReleaseNull(ctx->peerCert);
422	ctx->peerCert = tls_get_peer_certs(certs);
423
424	err = sslVerifyCertChain(ctx, ctx->peerCert, true);
425	tls_handshake_trust_t trust;
426	switch (err) {
427	case errSecSuccess:
428	trust = tls_handshake_trust_ok;
429	break;
430	case errSSLUnknownRootCert:
431	case errSSLNoRootCert:
432	trust = tls_handshake_trust_unknown_root;
433	break;
434	case errSSLCertExpired:
435	case errSSLCertNotYetValid:
436	trust = tls_handshake_trust_cert_expired;
437	break;
438	case errSSLXCertChainInvalid:
439	default:
440	trust = tls_handshake_trust_cert_invalid;
441	break;
442	}
443
444	tls_handshake_set_peer_trust(ctx->hdsk, trust);
445
446	if(err)
447	goto out;
448
449	/* Set the public key */
450	tls_set_peer_pubkey(ctx->hdsk, certs);
451
452	/* Now that cert verification is done, update context state */
453	/* (this code was formerly in SSLProcessHandshakeMessage, */
454	/* directly after the return from SSLProcessCertificate) */
455	if(ctx->protocolSide == kSSLServerSide) {
456	/*
457	* Schedule return to the caller to verify the client's identity.
458	* Note that an error during processing will cause early
459	* termination of the handshake.
460	*/
461	if (ctx->breakOnClientAuth) {
462	err = errSSLClientAuthCompleted;
463	}
464	} else {
465	/*
466	* Schedule return to the caller to verify the server's identity.
467	* Note that an error during processing will cause early
468	* termination of the handshake.
469	*/
470	if (ctx->breakOnServerAuth) {
471	err = errSSLServerAuthCompleted;
472	}
473	}
474
475	out:
476
477	return err;
478	}
479
480	/*
481	* After ciphersuite negotiation is complete, verify that we have
482	* the capability of actually performing the selected cipher.
483	* Currently we just verify that we have a cert and private signing
484	* key, if needed, and that the signing key's algorithm matches the
485	* expected key exchange method.
486	*
487	* This is currently called from FindCipherSpec(), after it sets
488	* ctx->selectedCipherSpec to a (supposedly) valid value, and from
489	* sslBuildCipherSpecArray(), in server mode (pre-negotiation) only.
490	*/
491
492	#if 0
493	OSStatus sslVerifySelectedCipher(SSLContext *ctx)
494	{
495
496	if(ctx->protocolSide == kSSLClientSide) {
497	return errSecSuccess;
498	}
499	#if SSL_PAC_SERVER_ENABLE
500	if((ctx->masterSecretCallback != NULL) &&
501	(ctx->sessionTicket.data != NULL)) {
502	/* EAP via PAC resumption; we can do it */
503	return errSecSuccess;
504	}
505	#endif /* SSL_PAC_SERVER_ENABLE */
506
507	CFIndex requireAlg;
508	switch (ctx->selectedCipherSpecParams.keyExchangeMethod) {
509	case SSL_RSA:
510	case SSL_RSA_EXPORT:
511	case SSL_DH_RSA:
512	case SSL_DH_RSA_EXPORT:
513	case SSL_DHE_RSA:
514	case SSL_DHE_RSA_EXPORT:
515	requireAlg = kSecRSAAlgorithmID;
516	break;
517	case SSL_DHE_DSS:
518	case SSL_DHE_DSS_EXPORT:
519	case SSL_DH_DSS:
520	case SSL_DH_DSS_EXPORT:
521	requireAlg = kSecDSAAlgorithmID;
522	break;
523	case SSL_DH_anon:
524	case SSL_DH_anon_EXPORT:
525	case TLS_PSK:
526	requireAlg = kSecNullAlgorithmID; /* no signing key */
527	break;
528	/*
529	* When SSL_ECDSA_SERVER is true and we support ECDSA on the server side,
530	* we'll need to add some logic here...
531	*/
532	#if SSL_ECDSA_SERVER
533	case SSL_ECDHE_ECDSA:
534	case SSL_ECDHE_RSA:
535	case SSL_ECDH_ECDSA:
536	case SSL_ECDH_RSA:
537	case SSL_ECDH_anon:
538	requireAlg = kSecECDSAAlgorithmID;
539	break;
540	#endif
541
542	default:
543	/* needs update per cipherSpecs.c */
544	assert(0);
545	sslErrorLog("sslVerifySelectedCipher: unknown key exchange method\n");
546	return errSSLInternal;
547	}
548
549	if(requireAlg == kSecNullAlgorithmID) {
550	return errSecSuccess;
551	}
552
553	/* private signing key required */
554	if(ctx->signingPrivKeyRef == NULL) {
555	sslErrorLog("sslVerifySelectedCipher: no signing key\n");
556	return errSSLBadConfiguration;
557	}
558
559	/* Check the alg of our signing key. */
560	CFIndex keyAlg = sslPrivKeyGetAlgorithmID(ctx->signingPrivKeyRef);
561	if (requireAlg != keyAlg) {
562	sslErrorLog("sslVerifySelectedCipher: signing key alg mismatch\n");
563	return errSSLBadConfiguration;
564	}
565
566	return errSecSuccess;
567	}
568
569	#endif