[apple/security.git] / OSX / libsecurity_apple_csp / open_ssl / opensslUtils / opensslUtils.cpp

/*
 * Copyright (c) 2000-2001,2011,2014 Apple Inc. All Rights Reserved.
 * 
 * The contents of this file constitute Original Code as defined in and are
 * subject to the Apple Public Source License Version 1.2 (the 'License').
 * You may not use this file except in compliance with the License. Please obtain
 * a copy of the License at http://www.apple.com/publicsource and read it before
 * using this file.
 * 
 * This Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS
 * OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, INCLUDING WITHOUT
 * LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
 * PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. Please see the License for the
 * specific language governing rights and limitations under the License.
 */


/*
 * opensslUtils.h - Support for ssleay-derived crypto modules
 */
 
#include <openssl/rand.h>
#include <openssl/crypto.h>
#include <openssl/err.h>
#include <openssl/sha.h>
#include <openssl/rsa.h>
#include <openssl/dsa.h>
#include <openssl/dh.h>
#include <openssl/err.h>
#include <security_utilities/debugging.h>
#include <Security/cssmerr.h>
#include "opensslUtils.h"
#include <YarrowConnection.h>
#include <AppleCSPUtils.h>
#include <security_utilities/logging.h>

#define sslUtilsDebug(args...)	secinfo("sslUtils", ## args)

openSslException::openSslException(
	int irtn, 
	const char *op)
		: mIrtn(irtn)
{ 
	if(op) {
		char buf[300];
		ERR_error_string(irtn, buf);
		sslUtilsDebug("%s: %s\n", op, buf);
	}
}

/* these are replacements for the ones in ssleay */
#define DUMP_RAND_BYTES	0

static int randDex = 1;

int  RAND_bytes(unsigned char *buf,int num)
{
	try {
		cspGetRandomBytes(buf, (unsigned)num);
	}
	catch(...) {
		/* that can only mean Yarrow failure, which we really need to 
		 * cut some slack for */
		Security::Syslog::error("Apple CSP: yarrow failure");
		for(int i=0; i<num; i++) {
			buf[i] = (i*3) + randDex++;
		}
	}
	return 1;
}

int  RAND_pseudo_bytes(unsigned char *buf,int num)
{
	return RAND_bytes(buf, num);
}

void RAND_add(const void *buf,int num,double entropy)
{
	try {
		cspAddEntropy(buf, (unsigned)num);
	}
	catch(...) {
	}
}

/* replacement for mem_dbg.c */
int CRYPTO_mem_ctrl(int mode)
{
	return 0;
}

/* Clear openssl error stack. */
void clearOpensslErrors()
{
	while(ERR_get_error()) 
		;
}

/*
 * Log error info. Returns the error code we pop off the error queue.
 */
unsigned long logSslErrInfo(const char *op)
{
	unsigned long e = ERR_get_error();
	
	/* flush out subsequent errors; we only want the first one */
	clearOpensslErrors();
	
	char outbuf[1024];
	ERR_error_string(e, outbuf);
	if(op) {
		Security::Syslog::error("Apple CSP %s: %s", op, outbuf);
	}
	else {
		Security::Syslog::error("Apple CSP %s", outbuf);
	}
	return e;
}

/*
 * Replacement for same function in openssl's sha.c, which we don't link against. 
 * The only place this is used is in DSA_generate_parameters().
 */
unsigned char *SHA1(const unsigned char *d, unsigned long n,unsigned char *md)
{
	if(md == NULL) {
		sslUtilsDebug("SHA1 with NULL md");
		CssmError::throwMe(CSSMERR_CSP_INTERNAL_ERROR);
	}
	cspGenSha1Hash(d, n, md);
	return md;
}

void throwRsaDsa(
	const char *op)
{
	unsigned long e = logSslErrInfo(op);
	CSSM_RETURN cerr = CSSM_OK;
	
	/* try to parse into something meaningful */
	int reason = ERR_GET_REASON(e);
	int lib = ERR_GET_LIB(e);
	
	/* first try the global ones */
	switch(reason) {
		case ERR_R_MALLOC_FAILURE:
			cerr = CSSMERR_CSP_MEMORY_ERROR; break;
		case ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED:
			/* internal */ break;
		case ERR_R_PASSED_NULL_PARAMETER:
			cerr = CSSMERR_CSP_INVALID_POINTER; break;
		case ERR_R_NESTED_ASN1_ERROR:
		case ERR_R_BAD_ASN1_OBJECT_HEADER:
		case ERR_R_BAD_GET_ASN1_OBJECT_CALL:
		case ERR_R_EXPECTING_AN_ASN1_SEQUENCE:
		case ERR_R_ASN1_LENGTH_MISMATCH:
		case ERR_R_MISSING_ASN1_EOS:
			/* ASN - shouldn't happen, right? */
			cerr = CSSMERR_CSP_INTERNAL_ERROR; break;
		default:
			break;
	}
	if(cerr != CSSM_OK) {
		CssmError::throwMe(cerr);
	}
	
	/* now the lib-specific ones */
	switch(lib) {
		case ERR_R_BN_LIB:
			/* all indicate serious internal error...right? */
			cerr = CSSMERR_CSP_INTERNAL_ERROR; break;
		case ERR_R_RSA_LIB:
			switch(reason) {
				case RSA_R_ALGORITHM_MISMATCH:
					cerr = CSSMERR_CSP_ALGID_MISMATCH; break;
				case RSA_R_BAD_SIGNATURE:
					cerr = CSSMERR_CSP_VERIFY_FAILED; break;
				case RSA_R_DATA_TOO_LARGE:
				case RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE:
				case RSA_R_DATA_TOO_SMALL:
				case RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE:
				case RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY:
					cerr = CSSMERR_CSP_INPUT_LENGTH_ERROR; break;
				case RSA_R_KEY_SIZE_TOO_SMALL:
					cerr = CSSMERR_CSP_INVALID_ATTR_KEY_LENGTH; break;
				case RSA_R_PADDING_CHECK_FAILED:
				case RSA_R_BLOCK_TYPE_IS_NOT_01:
				case RSA_R_BLOCK_TYPE_IS_NOT_02:
				case RSA_R_DATA_GREATER_THAN_MOD_LEN:
				case RSA_R_BAD_PAD_BYTE_COUNT:
					cerr = CSSMERR_CSP_INVALID_DATA; break;
				case RSA_R_RSA_OPERATIONS_NOT_SUPPORTED:
					cerr = CSSMERR_CSP_FUNCTION_NOT_IMPLEMENTED; break;
				case RSA_R_UNKNOWN_ALGORITHM_TYPE:
					cerr = CSSMERR_CSP_INVALID_ALGORITHM; break;
				case RSA_R_WRONG_SIGNATURE_LENGTH:
					cerr = CSSMERR_CSP_VERIFY_FAILED; break;
				case RSA_R_SSLV3_ROLLBACK_ATTACK:
					cerr = CSSMERR_CSP_APPLE_SSLv2_ROLLBACK; break;
				default:
					cerr = CSSMERR_CSP_INTERNAL_ERROR; break;
			}
			break;
		case ERR_R_DSA_LIB:
			switch(reason) {
				case DSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE:
					cerr = CSSMERR_CSP_INPUT_LENGTH_ERROR; break;
				default:
					cerr = CSSMERR_CSP_INTERNAL_ERROR; break;
			}
			break;
		case ERR_R_DH_LIB:
			/* actually none of the DH errors make sense at the CDSA level */
			cerr = CSSMERR_CSP_INTERNAL_ERROR; 
			break;
		default:
			cerr = CSSMERR_CSP_INTERNAL_ERROR; break;
	}
	CssmError::throwMe(cerr);
}

/*
 * given an openssl-style error, throw appropriate CssmError.
 */
void throwOpensslErr(int irtn)
{
	/* FIXME */
	CssmError::throwMe(CSSMERR_CSP_INTERNAL_ERROR);
}
Commit	Line	Data
b1ab9ed8	1	/*
d8f41ccd	2	* Copyright (c) 2000-2001,2011,2014 Apple Inc. All Rights Reserved.
b1ab9ed8 A	3	*
	4	* The contents of this file constitute Original Code as defined in and are
	5	* subject to the Apple Public Source License Version 1.2 (the 'License').
	6	* You may not use this file except in compliance with the License. Please obtain
	7	* a copy of the License at http://www.apple.com/publicsource and read it before
	8	* using this file.
	9	*
	10	* This Original Code and all software distributed under the License are
	11	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS
	12	* OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, INCLUDING WITHOUT
	13	* LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
	14	* PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. Please see the License for the
	15	* specific language governing rights and limitations under the License.
	16	*/
	17
	18
	19	/*
	20	* opensslUtils.h - Support for ssleay-derived crypto modules
	21	*/
	22
	23	#include <openssl/rand.h>
	24	#include <openssl/crypto.h>
	25	#include <openssl/err.h>
	26	#include <openssl/sha.h>
	27	#include <openssl/rsa.h>
	28	#include <openssl/dsa.h>
	29	#include <openssl/dh.h>
	30	#include <openssl/err.h>
	31	#include <security_utilities/debugging.h>
	32	#include <Security/cssmerr.h>
	33	#include "opensslUtils.h"
	34	#include <YarrowConnection.h>
	35	#include <AppleCSPUtils.h>
	36	#include <security_utilities/logging.h>
	37
fa7225c8	38	#define sslUtilsDebug(args...) secinfo("sslUtils", ## args)
b1ab9ed8 A	39
	40	openSslException::openSslException(
	41	int irtn,
	42	const char *op)
	43	: mIrtn(irtn)
	44	{
	45	if(op) {
	46	char buf[300];
	47	ERR_error_string(irtn, buf);
	48	sslUtilsDebug("%s: %s\n", op, buf);
	49	}
	50	}
	51
	52	/* these are replacements for the ones in ssleay */
	53	#define DUMP_RAND_BYTES 0
	54
	55	static int randDex = 1;
	56
	57	int RAND_bytes(unsigned char *buf,int num)
	58	{
	59	try {
	60	cspGetRandomBytes(buf, (unsigned)num);
	61	}
	62	catch(...) {
	63	/* that can only mean Yarrow failure, which we really need to
	64	* cut some slack for */
	65	Security::Syslog::error("Apple CSP: yarrow failure");
	66	for(int i=0; i<num; i++) {
	67	buf[i] = (i*3) + randDex++;
	68	}
	69	}
	70	return 1;
	71	}
	72
	73	int RAND_pseudo_bytes(unsigned char *buf,int num)
	74	{
	75	return RAND_bytes(buf, num);
	76	}
	77
	78	void RAND_add(const void *buf,int num,double entropy)
	79	{
	80	try {
	81	cspAddEntropy(buf, (unsigned)num);
	82	}
	83	catch(...) {
	84	}
	85	}
	86
	87	/* replacement for mem_dbg.c */
	88	int CRYPTO_mem_ctrl(int mode)
	89	{
	90	return 0;
	91	}
	92
	93	/* Clear openssl error stack. */
	94	void clearOpensslErrors()
	95	{
	96	while(ERR_get_error())
	97	;
	98	}
	99
	100	/*
	101	* Log error info. Returns the error code we pop off the error queue.
	102	*/
103	unsigned long logSslErrInfo(const char *op)
104	{
105	unsigned long e = ERR_get_error();
106
107	/* flush out subsequent errors; we only want the first one */
108	clearOpensslErrors();
109
110	char outbuf[1024];
111	ERR_error_string(e, outbuf);
112	if(op) {
113	Security::Syslog::error("Apple CSP %s: %s", op, outbuf);
114	}
115	else {
116	Security::Syslog::error("Apple CSP %s", outbuf);
117	}
118	return e;
119	}
120
121	/*
122	* Replacement for same function in openssl's sha.c, which we don't link against.
123	* The only place this is used is in DSA_generate_parameters().
124	*/
125	unsigned char SHA1(const unsigned char d, unsigned long n,unsigned char *md)
126	{
127	if(md == NULL) {
128	sslUtilsDebug("SHA1 with NULL md");
129	CssmError::throwMe(CSSMERR_CSP_INTERNAL_ERROR);
130	}
131	cspGenSha1Hash(d, n, md);
132	return md;
133	}
134
135	void throwRsaDsa(
136	const char *op)
137	{
138	unsigned long e = logSslErrInfo(op);
139	CSSM_RETURN cerr = CSSM_OK;
140
141	/* try to parse into something meaningful */
142	int reason = ERR_GET_REASON(e);
143	int lib = ERR_GET_LIB(e);
144
145	/* first try the global ones */
146	switch(reason) {
147	case ERR_R_MALLOC_FAILURE:
148	cerr = CSSMERR_CSP_MEMORY_ERROR; break;
149	case ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED:
150	/* internal */ break;
151	case ERR_R_PASSED_NULL_PARAMETER:
152	cerr = CSSMERR_CSP_INVALID_POINTER; break;
153	case ERR_R_NESTED_ASN1_ERROR:
154	case ERR_R_BAD_ASN1_OBJECT_HEADER:
155	case ERR_R_BAD_GET_ASN1_OBJECT_CALL:
156	case ERR_R_EXPECTING_AN_ASN1_SEQUENCE:
157	case ERR_R_ASN1_LENGTH_MISMATCH:
158	case ERR_R_MISSING_ASN1_EOS:
159	/* ASN - shouldn't happen, right? */
160	cerr = CSSMERR_CSP_INTERNAL_ERROR; break;
161	default:
162	break;
163	}
164	if(cerr != CSSM_OK) {
165	CssmError::throwMe(cerr);
166	}
167
168	/* now the lib-specific ones */
169	switch(lib) {
170	case ERR_R_BN_LIB:
171	/* all indicate serious internal error...right? */
172	cerr = CSSMERR_CSP_INTERNAL_ERROR; break;
173	case ERR_R_RSA_LIB:
174	switch(reason) {
175	case RSA_R_ALGORITHM_MISMATCH:
176	cerr = CSSMERR_CSP_ALGID_MISMATCH; break;
177	case RSA_R_BAD_SIGNATURE:
178	cerr = CSSMERR_CSP_VERIFY_FAILED; break;
179	case RSA_R_DATA_TOO_LARGE:
180	case RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE:
181	case RSA_R_DATA_TOO_SMALL:
182	case RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE:
183	case RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY:
184	cerr = CSSMERR_CSP_INPUT_LENGTH_ERROR; break;
185	case RSA_R_KEY_SIZE_TOO_SMALL:
186	cerr = CSSMERR_CSP_INVALID_ATTR_KEY_LENGTH; break;
187	case RSA_R_PADDING_CHECK_FAILED:
188	case RSA_R_BLOCK_TYPE_IS_NOT_01:
189	case RSA_R_BLOCK_TYPE_IS_NOT_02:
190	case RSA_R_DATA_GREATER_THAN_MOD_LEN:
191	case RSA_R_BAD_PAD_BYTE_COUNT:
192	cerr = CSSMERR_CSP_INVALID_DATA; break;
193	case RSA_R_RSA_OPERATIONS_NOT_SUPPORTED:
194	cerr = CSSMERR_CSP_FUNCTION_NOT_IMPLEMENTED; break;
195	case RSA_R_UNKNOWN_ALGORITHM_TYPE:
196	cerr = CSSMERR_CSP_INVALID_ALGORITHM; break;
197	case RSA_R_WRONG_SIGNATURE_LENGTH:
198	cerr = CSSMERR_CSP_VERIFY_FAILED; break;
199	case RSA_R_SSLV3_ROLLBACK_ATTACK:
200	cerr = CSSMERR_CSP_APPLE_SSLv2_ROLLBACK; break;
201	default:
202	cerr = CSSMERR_CSP_INTERNAL_ERROR; break;
203	}
204	break;
205	case ERR_R_DSA_LIB:
206	switch(reason) {
207	case DSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE:
208	cerr = CSSMERR_CSP_INPUT_LENGTH_ERROR; break;
209	default:
210	cerr = CSSMERR_CSP_INTERNAL_ERROR; break;
211	}
212	break;
213	case ERR_R_DH_LIB:
214	/* actually none of the DH errors make sense at the CDSA level */
215	cerr = CSSMERR_CSP_INTERNAL_ERROR;
216	break;
217	default:
218	cerr = CSSMERR_CSP_INTERNAL_ERROR; break;
219	}
220	CssmError::throwMe(cerr);
221	}
222
223	/*
224	* given an openssl-style error, throw appropriate CssmError.
225	*/
226	void throwOpensslErr(int irtn)
227	{
228	/* FIXME */
229	CssmError::throwMe(CSSMERR_CSP_INTERNAL_ERROR);
230	}
231