]> git.saurik.com Git - apple/security.git/blob - libsecurity_ssl/lib/sslHandshake.c
projects / apple / security.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Security-55163.44.tar.gz
[apple/security.git] / libsecurity_ssl / lib / sslHandshake.c
1 /*
2 * Copyright (c) 1999-2001,2005-2012 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24
25 /*
26 * sslHandshake.c - SSL 3.0 handshake state machine.
27 */
28
29 #include "sslContext.h"
30 #include "sslHandshake.h"
31 #include "sslMemory.h"
32 #include "sslAlertMessage.h"
33 #include "sslSession.h"
34 #include "sslUtils.h"
35 #include "sslDebug.h"
36 #include "sslCrypto.h"
37
38 #include "sslDigests.h"
39 #include "cipherSpecs.h"
40
41 #include <string.h>
42 #include <assert.h>
43 #include <inttypes.h>
44
45 #define REQUEST_CERT_CORRECT 0
46
47 #if __LP64__
48 #define PRIstatus "d"
49 #else
50 #define PRIstatus "ld"
51 #endif
52
53 static OSStatus SSLProcessHandshakeMessage(SSLHandshakeMsg message, SSLContext *ctx);
54
55 static OSStatus
56 SSLUpdateHandshakeMacs(const SSLBuffer *messageData, SSLContext *ctx)
57 {
58 OSStatus err = errSecParam;
59 bool do_md5 = false;
60 bool do_sha1 = false;
61 bool do_sha256 = false;
62 bool do_sha384 = false;
63
64 //TODO: We can stop updating the unecessary hashes once the CertVerify message is processed in case where we do Client Side Auth, or .
65
66 if(ctx->negProtocolVersion == SSL_Version_Undetermined)
67 {
68 // we dont know yet, so we might need MD5 & SHA1 - Server should always call in with known protocol version.
69 assert(ctx->protocolSide==kSSLClientSide);
70 do_md5 = do_sha1 = true;
71 if(ctx->isDTLS
72 ? ctx->maxProtocolVersion < DTLS_Version_1_0
73 : ctx->maxProtocolVersion >= TLS_Version_1_2)
74 {
75 // We wil need those too, unless we are sure we wont end up doing TLS 1.2
76 do_sha256 = do_sha384 = true;
77 }
78 } else {
79 // we know which version we use at this point
80 if(sslVersionIsLikeTls12(ctx)) {
81 do_sha1 = do_sha256 = do_sha384 = true;
82 } else {
83 do_md5 = do_sha1 = true;
84 }
85 }
86
87 if (do_md5 &&
88 (err = SSLHashMD5.update(&ctx->md5State, messageData)) != 0)
89 goto done;
90 if (do_sha1 &&
91 (err = SSLHashSHA1.update(&ctx->shaState, messageData)) != 0)
92 goto done;
93 if (do_sha256 &&
94 (err = SSLHashSHA256.update(&ctx->sha256State, messageData)) != 0)
95 goto done;
96 if (do_sha384 &&
97 (err = SSLHashSHA384.update(&ctx->sha512State, messageData)) != 0)
98 goto done;
99
100 sslLogNegotiateDebug("%s protocol: %02X max: %02X cipher: %02X%s%s",
101 ctx->protocolSide == kSSLClientSide ? "client" : "server",
102 ctx->negProtocolVersion,
103 ctx->maxProtocolVersion,
104 ctx->selectedCipher,
105 do_md5 ? " md5" : "",
106 do_sha1 ? " sha1" : "",
107 do_sha256 ? " sha256" : "",
108 do_sha384 ? " sha384" : "");
109 done:
110 return err;
111 }
112
113 OSStatus
114 SSLProcessHandshakeRecord(SSLRecord rec, SSLContext *ctx)
115 { OSStatus err;
116 size_t remaining;
117 UInt8 *p;
118 UInt8 *startingP; // top of record we're parsing
119 SSLHandshakeMsg message = {};
120 SSLBuffer messageData;
121
122 if (ctx->fragmentedMessageCache.data != 0)
123 {
124 size_t origLen = ctx->fragmentedMessageCache.length;
125 if ((err = SSLReallocBuffer(&ctx->fragmentedMessageCache,
126 ctx->fragmentedMessageCache.length + rec.contents.length,
127 ctx)) != 0)
128 { SSLFatalSessionAlert(SSL_AlertInternalError, ctx);
129 return err;
130 }
131 memcpy(ctx->fragmentedMessageCache.data + origLen,
132 rec.contents.data, rec.contents.length);
133 remaining = ctx->fragmentedMessageCache.length;
134 p = ctx->fragmentedMessageCache.data;
135 }
136 else
137 { remaining = rec.contents.length;
138 p = rec.contents.data;
139 }
140 startingP = p;
141
142 size_t head = 4;
143
144 while (remaining > 0)
145 {
146 if (remaining < head)
147 break; /* we must have at least a header */
148
149 messageData.data = p;
150 message.type = (SSLHandshakeType)*p++;
151 message.contents.length = SSLDecodeSize(p, 3);
152
153
154 p += 3;
155
156 if ((message.contents.length + head) > remaining)
157 break;
158
159 message.contents.data = p;
160 p += message.contents.length;
161 messageData.length = head + message.contents.length;
162 assert(p == messageData.data + messageData.length);
163
164 /* message fragmentation */
165 remaining -= messageData.length;
166 if ((err = SSLProcessHandshakeMessage(message, ctx)) != 0)
167 return err;
168
169 if (message.type != SSL_HdskHelloRequest)
170
171 { if ((err = SSLUpdateHandshakeMacs(&messageData, ctx)) != 0)
172 { SSLFatalSessionAlert(SSL_AlertInternalError, ctx);
173 return err;
174 }
175 }
176
177 if ((err = SSLAdvanceHandshake(message.type, ctx)) != 0)
178 return err;
179 }
180
181 if (remaining > 0) /* Fragmented handshake message */
182 { /* If there isn't a cache, allocate one */
183 if (ctx->fragmentedMessageCache.data == 0)
184 { if ((err = SSLAllocBuffer(&ctx->fragmentedMessageCache, remaining, ctx)) != 0)
185 { SSLFatalSessionAlert(SSL_AlertInternalError, ctx);
186 return err;
187 }
188 }
189 if (startingP != ctx->fragmentedMessageCache.data)
190 { memcpy(ctx->fragmentedMessageCache.data, startingP, remaining);
191 ctx->fragmentedMessageCache.length = remaining;
192 }
193 }
194 else if (ctx->fragmentedMessageCache.data != 0)
195 { if ((err = SSLFreeBuffer(&ctx->fragmentedMessageCache, ctx)) != 0)
196 { SSLFatalSessionAlert(SSL_AlertInternalError, ctx);
197 return err;
198 }
199 }
200
201 return noErr;
202 }
203
204 OSStatus
205 DTLSProcessHandshakeRecord(SSLRecord rec, SSLContext *ctx)
206 { OSStatus err = errSecParam;
207 size_t remaining;
208 UInt8 *p;
209 UInt8 *startingP; // top of record we're parsing
210
211 const UInt32 head = 12;
212
213 assert(ctx->isDTLS);
214
215 remaining = rec.contents.length;
216 p = rec.contents.data;
217 startingP = p;
218
219 while (remaining > 0)
220 {
221 UInt8 msgtype;
222 UInt32 msglen;
223 UInt32 msgseq;
224 UInt32 fraglen;
225 UInt32 fragofs;
226
227 if (remaining < head) {
228 /* flush it - record is too small */
229 sslErrorLog("DTLSProcessHandshakeRecord: remaining too small (%lu out of %lu)\n", remaining, rec.contents.length);
230 assert(0); // keep this assert until we find a test case that triggers it
231 goto flushit;
232 }
233
234 /* Thats the 12 bytes of header : */
235 msgtype = (SSLHandshakeType)*p++;
236 msglen = SSLDecodeInt(p, 3); p+=3;
237 msgseq = SSLDecodeInt(p, 2); p+=2;
238 fragofs = SSLDecodeInt(p, 3); p+=3;
239 fraglen = SSLDecodeInt(p, 3); p+=3;
240
241 remaining -= head;
242
243 SSLLogHdskMsg(msgtype, 0);
244 sslHdskMsgDebug("DTLS Hdsk Record: type=%lu, len=%lu, seq=%lu (%lu), f_ofs=%lu, f_len=%lu, remaining=%lu",
245 msgtype, msglen, msgseq, ctx->hdskMessageSeqNext, fragofs, fraglen, remaining);
246
247 if(
248 ((fraglen+fragofs) > msglen)
249 || (fraglen > remaining)
250 || (msgseq!=ctx->hdskMessageSeqNext)
251 || (fragofs!=ctx->hdskMessageCurrentOfs)
252 || (fragofs && (msgtype!=ctx->hdskMessageCurrent.type))
253 || (fragofs && (msglen != ctx->hdskMessageCurrent.contents.length))
254 )
255 {
256 sslErrorLog("DTLSProcessHandshakeRecord: wrong fragment\n");
257 // assert(0); // keep this assert until we find a test case that triggers it
258 // This is a recoverable error, we just drop this fragment.
259 // TODO: this should probably trigger a retransmit
260 err = noErr;
261 goto flushit;
262 }
263
264 /* First fragment - allocate */
265 if(fragofs==0) {
266 sslHdskMsgDebug("Allocating hdsk buf for msg type %d", msgtype);
267 assert(ctx->hdskMessageCurrent.contents.data==NULL);
268 assert(ctx->hdskMessageCurrent.contents.length==0);
269 if((err=SSLAllocBuffer(&(ctx->hdskMessageCurrent.contents), msglen, ctx))!=0) {
270 SSLFatalSessionAlert(SSL_AlertInternalError, ctx);
271 return err;
272 }
273 ctx->hdskMessageCurrent.type = msgtype;
274 }
275
276 /* We have the next fragment, lets save it */
277 memcpy(ctx->hdskMessageCurrent.contents.data + ctx->hdskMessageCurrentOfs, p, fraglen);
278 ctx->hdskMessageCurrentOfs+=fraglen;
279 p+=fraglen;
280 remaining-=fraglen;
281
282 /* This was the last fragment, lets process the message */
283 if(ctx->hdskMessageCurrentOfs == ctx->hdskMessageCurrent.contents.length) {
284 err = SSLProcessHandshakeMessage(ctx->hdskMessageCurrent, ctx);
285 if(err)
286 goto flushit;
287
288 if ((msgtype != SSL_HdskHelloRequest) && (msgtype != SSL_HdskHelloVerifyRequest))
289 {
290 /* We need to hash a fake header as if no fragmentation */
291 uint8_t pseudo_header[head];
292 SSLBuffer header;
293 header.data=pseudo_header;
294 header.length=head;
295
296 pseudo_header[0]=msgtype;
297 SSLEncodeInt(pseudo_header+1, msglen, 3);
298 SSLEncodeInt(pseudo_header+4, msgseq, 2);
299 SSLEncodeInt(pseudo_header+6, 0, 3);
300 SSLEncodeInt(pseudo_header+9, msglen, 3);
301
302 if ((err = SSLHashSHA1.update(&ctx->shaState, &header)) != 0 ||
303 (err = SSLHashMD5.update(&ctx->md5State, &header)) != 0)
304 {
305 SSLFatalSessionAlert(SSL_AlertInternalError, ctx);
306 goto flushit;
307 }
308
309 SSLBuffer *messageData=&ctx->hdskMessageCurrent.contents;
310 if ((err = SSLHashSHA1.update(&ctx->shaState, messageData)) != 0 ||
311 (err = SSLHashMD5.update(&ctx->md5State, messageData)) != 0)
312 {
313 SSLFatalSessionAlert(SSL_AlertInternalError, ctx);
314 goto flushit;
315 }
316
317 sslHdskMsgDebug("Hashing %d bytes of msg seq %ld\n", messageData->length, msgseq);
318 }
319
320 sslHdskMsgDebug("processed message of type %d", msgtype);
321
322 if ((err = SSLAdvanceHandshake(msgtype, ctx)) != 0)
323 {
324 sslErrorLog("AdvanceHandshake error: %"PRIstatus"\n", err);
325 goto flushit;
326 }
327
328 /* Free the buffer for current message, and reset offset */
329 SSLFreeBuffer(&(ctx->hdskMessageCurrent.contents), ctx);
330 ctx->hdskMessageCurrentOfs=0;
331
332 /* If we successfully processed a message, we wait for the next one */
333 ctx->hdskMessageSeqNext++;
334
335 }
336
337 sslHdskMsgDebug("remaining = %ld", remaining);
338 }
339
340 return noErr;
341
342 flushit:
343 sslErrorLog("DTLSProcessHandshakeRecord: flusing record (err=%"PRIstatus")\n", err);
344
345 /* This will flush the current handshake message */
346 SSLFreeBuffer(&(ctx->hdskMessageCurrent.contents), ctx);
347 ctx->hdskMessageCurrentOfs=0;
348
349 return err;
350 }
351
352 OSStatus
353 DTLSRetransmit(SSLContext *ctx)
354 {
355 sslHdskMsgDebug("DTLSRetransmit in state %s. Last Sent = %d, Last Recv=%d, timeout=%f\n",
356 hdskStateToStr(ctx->state), ctx->hdskMessageSeq, ctx->hdskMessageSeqNext, ctx->timeout_duration);
357
358 /* Too many retransmits, just give up!! */
359 if(ctx->hdskMessageRetryCount>10)
360 return errSSLConnectionRefused;
361
362 /* go back to previous cipher if retransmitting a flight including changecipherspec */
363 if(ctx->messageQueueContainsChangeCipherSpec) {
364 ctx->writePending = ctx->writeCipher;
365 ctx->writeCipher = ctx->prevCipher;
366 }
367
368 /* set timeout deadline */
369 ctx->hdskMessageRetryCount++;
370 ctx->timeout_deadline = CFAbsoluteTimeGetCurrent()+((1<<ctx->hdskMessageRetryCount)*ctx->timeout_duration);
371
372 /* Lets resend the last flight */
373 return SSLSendFlight(ctx);
374 }
375
376 static OSStatus
377 SSLProcessHandshakeMessage(SSLHandshakeMsg message, SSLContext *ctx)
378 { OSStatus err;
379
380 err = noErr;
381 SSLLogHdskMsg(message.type, 0);
382 switch (message.type)
383 { case SSL_HdskHelloRequest:
384 if (ctx->protocolSide != kSSLClientSide)
385 goto wrongMessage;
386 if (message.contents.length > 0)
387 err = errSSLProtocol;
388 break;
389 case SSL_HdskClientHello:
390 if (ctx->state != SSL_HdskStateServerUninit)
391 goto wrongMessage;
392 err = SSLProcessClientHello(message.contents, ctx);
393 break;
394 case SSL_HdskServerHello:
395 if (ctx->state != SSL_HdskStateServerHello &&
396 ctx->state != SSL_HdskStateServerHelloUnknownVersion)
397 goto wrongMessage;
398 err = SSLProcessServerHello(message.contents, ctx);
399 break;
400 #if ENABLE_DTLS
401 case SSL_HdskHelloVerifyRequest:
402 if (ctx->protocolSide != kSSLClientSide)
403 goto wrongMessage;
404 if(ctx->state != SSL_HdskStateServerHello)
405 goto wrongMessage;
406 /* TODO: Do we need to check the client state here ? */
407 err = SSLProcessServerHelloVerifyRequest(message.contents, ctx);
408 break;
409 #endif
410 case SSL_HdskCert:
411 if (ctx->state != SSL_HdskStateCert &&
412 ctx->state != SSL_HdskStateClientCert)
413 goto wrongMessage;
414 err = SSLProcessCertificate(message.contents, ctx);
415 /*
416 * Note that cert evaluation can now be performed asynchronously,
417 * so SSLProcessCertificate may return errSSLWouldBlock here.
418 */
419 break;
420 case SSL_HdskCertRequest:
421 if (((ctx->state != SSL_HdskStateHelloDone) &&
422 (ctx->state != SSL_HdskStateKeyExchange))
423 || ctx->certRequested)
424 goto wrongMessage;
425 err = SSLProcessCertificateRequest(message.contents, ctx);
426 if (ctx->breakOnCertRequest)
427 ctx->signalCertRequest = true;
428 break;
429 case SSL_HdskServerKeyExchange:
430 /*
431 * Since this message is optional for some key exchange
432 * mechanisms, and completely at the server's discretion,
433 * we need to be able to handle this in one of two states...
434 */
435 switch(ctx->state) {
436 case SSL_HdskStateKeyExchange: /* explicitly waiting for this */
437 case SSL_HdskStateHelloDone:
438 break;
439 default:
440 goto wrongMessage;
441 }
442 err = SSLProcessServerKeyExchange(message.contents, ctx);
443 break;
444 case SSL_HdskServerHelloDone:
445 if (ctx->state != SSL_HdskStateHelloDone)
446 goto wrongMessage;
447 err = SSLProcessServerHelloDone(message.contents, ctx);
448 break;
449 case SSL_HdskCertVerify:
450 if (ctx->state != SSL_HdskStateClientCertVerify)
451 goto wrongMessage;
452 err = SSLProcessCertificateVerify(message.contents, ctx);
453 assert(ctx->protocolSide == kSSLServerSide);
454 if(err) {
455 ctx->clientCertState = kSSLClientCertRejected;
456 }
457 break;
458 case SSL_HdskClientKeyExchange:
459 if (ctx->state != SSL_HdskStateClientKeyExchange)
460 goto wrongMessage;
461 err = SSLProcessKeyExchange(message.contents, ctx);
462 break;
463 case SSL_HdskFinished:
464 if (ctx->state != SSL_HdskStateFinished)
465 goto wrongMessage;
466 err = SSLProcessFinished(message.contents, ctx);
467 break;
468 default:
469 goto wrongMessage;
470 break;
471 }
472
473 if (err && !ctx->sentFatalAlert)
474 { if (err == errSSLProtocol)
475 SSLFatalSessionAlert(SSL_AlertIllegalParam, ctx);
476 else if (err == errSSLNegotiation)
477 SSLFatalSessionAlert(SSL_AlertHandshakeFail, ctx);
478 else if (err != errSSLWouldBlock &&
479 err != errSSLServerAuthCompleted /* == errSSLClientAuthCompleted */ &&
480 err != errSSLClientCertRequested)
481 SSLFatalSessionAlert(SSL_AlertCloseNotify, ctx);
482 }
483 return err;
484
485 wrongMessage:
486 SSLFatalSessionAlert(SSL_AlertUnexpectedMsg, ctx);
487 return errSSLProtocol;
488 }
489
490 /*
491 * Given a server-side SSLContext that's fully restored for a resumed session,
492 * queue up the remaining outgoing messages to finish the handshake.
493 */
494 static OSStatus
495 SSLResumeServerSide(
496 SSLContext *ctx)
497 {
498 OSStatus err;
499 if ((err = SSLPrepareAndQueueMessage(SSLEncodeServerHello, ctx)) != 0)
500 return err;
501 if ((err = SSLInitPendingCiphers(ctx)) != 0)
502 { SSLFatalSessionAlert(SSL_AlertInternalError, ctx);
503 return err;
504 }
505 if ((err = SSLPrepareAndQueueMessage(SSLEncodeChangeCipherSpec,
506 ctx)) != 0)
507 return err;
508
509 if ((err = SSLPrepareAndQueueMessage(SSLEncodeFinishedMessage,
510 ctx)) != 0)
511 return err;
512
513 SSLChangeHdskState(ctx, SSL_HdskStateChangeCipherSpec);
514
515 return noErr;
516
517 }
518
519 OSStatus
520 SSLAdvanceHandshake(SSLHandshakeType processed, SSLContext *ctx)
521 { OSStatus err;
522 SSLBuffer sessionIdentifier;
523
524 SSLResetFlight(ctx);
525
526 switch (processed)
527 {
528 #if ENABLE_DTLS
529 case SSL_HdskHelloVerifyRequest:
530 /* Just fall through */
531 #endif
532 case SSL_HdskHelloRequest:
533 /*
534 * Reset the client auth state machine in case this is
535 * a renegotiation.
536 */
537 ctx->certRequested = 0;
538 ctx->certSent = 0;
539 ctx->certReceived = 0;
540 ctx->x509Requested = 0;
541 ctx->clientCertState = kSSLClientCertNone;
542 ctx->readCipher.ready = 0;
543 ctx->writeCipher.ready = 0;
544 ctx->wroteAppData = 0;
545 if ((err = SSLPrepareAndQueueMessage(SSLEncodeClientHello, ctx)) != 0)
546 return err;
547 SSLChangeHdskState(ctx, SSL_HdskStateServerHello);
548 break;
549 case SSL_HdskClientHello:
550 assert(ctx->protocolSide == kSSLServerSide);
551 ctx->sessionMatch = 0;
552
553 if((ctx->negProtocolVersion==DTLS_Version_1_0) && (ctx->cookieVerified==false))
554 { /* Send Hello Verify Request */
555 if((err=SSLPrepareAndQueueMessage(SSLEncodeServerHelloVerifyRequest, ctx)) !=0 )
556 return err;
557 break;
558 }
559
560 #if SSL_PAC_SERVER_ENABLE
561 if((ctx->sessionTicket.data != NULL) &&
562 (ctx->masterSecretCallback != NULL)) {
563 /*
564 * Client sent us a session ticket and we know how to ask
565 * the app for master secret. Go for it.
566 */
567 size_t secretLen = SSL_MASTER_SECRET_SIZE;
568 sslEapDebug("Server side resuming based on masterSecretCallback");
569
570 /* the master secret callback requires serverRandom, now... */
571 if ((err = SSLEncodeRandom(ctx->serverRandom, ctx)) != 0)
572 return err;
573 ctx->serverRandomValid = 1;
574
575 ctx->masterSecretCallback(ctx, ctx->masterSecretArg,
576 ctx->masterSecret, &secretLen);
577 ctx->sessionMatch = 1;
578 /* set up selectedCipherSpec */
579 if ((err = FindCipherSpec(ctx)) != 0) {
580 return err;
581 }
582 /* queue up remaining messages to finish handshake */
583 if((err = SSLResumeServerSide(ctx)) != 0)
584 return err;
585 break;
586 }
587 #endif /* SSL_PAC_SERVER_ENABLE */
588 if (ctx->sessionID.data != 0)
589 /* If session ID != 0, client is trying to resume */
590 { if (ctx->resumableSession.data != 0)
591 {
592 SSLProtocolVersion sessionProt;
593 if ((err = SSLRetrieveSessionID(ctx->resumableSession,
594 &sessionIdentifier, ctx)) != 0)
595 return err;
596 if ((err = SSLRetrieveSessionProtocolVersion(ctx->resumableSession,
597 &sessionProt, ctx)) != 0)
598 { SSLFatalSessionAlert(SSL_AlertInternalError, ctx);
599 return err;
600 }
601 if ((sessionIdentifier.length == ctx->sessionID.length) &&
602 (memcmp(sessionIdentifier.data, ctx->sessionID.data,
603 ctx->sessionID.length) == 0) &&
604 (sessionProt == ctx->negProtocolVersion))
605 { /* Everything matches; resume the session */
606 sslLogResumSessDebug("===RESUMING SSL3 server-side session");
607 if ((err = SSLInstallSessionFromData(ctx->resumableSession,
608 ctx)) != 0)
609 { SSLFatalSessionAlert(SSL_AlertInternalError, ctx);
610 return err;
611 }
612 ctx->sessionMatch = 1;
613 SSLFreeBuffer(&sessionIdentifier, ctx);
614
615 /* queue up remaining messages to finish handshake */
616 if((err = SSLResumeServerSide(ctx)) != 0)
617 return err;
618 break;
619 }
620 else {
621 sslLogResumSessDebug(
622 "===FAILED TO RESUME SSL3 server-side session");
623 }
624 if ((err = SSLFreeBuffer(&sessionIdentifier, ctx)) != 0 ||
625 (err = SSLDeleteSessionData(ctx)) != 0)
626 { SSLFatalSessionAlert(SSL_AlertInternalError, ctx);
627 return err;
628 }
629 }
630 if ((err = SSLFreeBuffer(&ctx->sessionID, ctx)) != 0)
631 { SSLFatalSessionAlert(SSL_AlertInternalError, ctx);
632 return err;
633 }
634 }
635
636 /*
637 * If we get here, we're not resuming; generate a new session ID
638 * if we know our peer
639 */
640 if (ctx->peerID.data != 0)
641 { /* Ignore errors; just treat as uncached session */
642 assert(ctx->sessionID.data == 0);
643 err = SSLAllocBuffer(&ctx->sessionID, SSL_SESSION_ID_LEN, ctx);
644 if (err == 0)
645 {
646 if((err = sslRand(ctx, &ctx->sessionID)) != 0)
647 { SSLFatalSessionAlert(SSL_AlertInternalError, ctx);
648 return err;
649 }
650 }
651 }
652
653 if ((err = SSLPrepareAndQueueMessage(SSLEncodeServerHello, ctx)) != 0)
654 return err;
655 switch (ctx->selectedCipherSpec.keyExchangeMethod)
656 { case SSL_NULL_auth:
657 #if APPLE_DH
658 case SSL_DH_anon:
659 case SSL_DH_anon_EXPORT:
660 if(ctx->clientAuth == kAlwaysAuthenticate) {
661 /* app requires this; abort */
662 SSLFatalSessionAlert(SSL_AlertHandshakeFail, ctx);
663 return errSSLNegotiation;
664 }
665 ctx->tryClientAuth = false;
666 /* DH server side needs work */
667 break;
668 #endif /* APPLE_DH */
669 default: /* everything else */
670 if(ctx->localCert == NULL) {
671 /* no cert but configured for, and negotiated, a
672 * ciphersuite which requires one */
673 sslErrorLog("SSLAdvanceHandshake: No server key!\n");
674 return errSSLBadConfiguration;
675 }
676 if ((err = SSLPrepareAndQueueMessage(SSLEncodeCertificate,
677 ctx)) != 0)
678 return err;
679 break;
680 }
681 /*
682 * At this point we decide whether to send a server key exchange
683 * method. For Apple servers, I think we'll ALWAYS do this, because
684 * of key usage restrictions (can't decrypt and sign with the same
685 * private key), but conceptually in this code, we do it if
686 * enabled by the presence of encryptPrivKey.
687 */
688 {
689 bool doServerKeyExch = false;
690 switch(ctx->selectedCipherSpec.keyExchangeMethod) {
691 case SSL_RSA_EXPORT:
692 #if !SSL_SERVER_KEYEXCH_HACK
693 /* the "proper" way - app decides. */
694 case SSL_RSA:
695 #endif
696 if(ctx->encryptPrivKeyRef != NULL) {
697 doServerKeyExch = true;
698 }
699 break;
700 case SSL_DH_anon:
701 case SSL_DH_anon_EXPORT:
702 case SSL_DHE_RSA:
703 case SSL_DHE_RSA_EXPORT:
704 case SSL_DHE_DSS:
705 case SSL_DHE_DSS_EXPORT:
706 doServerKeyExch = true;
707 break;
708 default:
709 break;
710 }
711 if(doServerKeyExch) {
712 err = SSLPrepareAndQueueMessage(SSLEncodeServerKeyExchange, ctx);
713 if(err) {
714 return err;
715 }
716 }
717 }
718 if (ctx->tryClientAuth)
719 { if ((err = SSLPrepareAndQueueMessage(SSLEncodeCertificateRequest,
720 ctx)) != 0)
721 return err;
722 ctx->certRequested = 1;
723 ctx->clientCertState = kSSLClientCertRequested;
724 }
725 if ((err = SSLPrepareAndQueueMessage(SSLEncodeServerHelloDone, ctx)) != 0)
726 return err;
727 if (ctx->certRequested) {
728 SSLChangeHdskState(ctx, SSL_HdskStateClientCert);
729 }
730 else {
731 SSLChangeHdskState(ctx, SSL_HdskStateClientKeyExchange);
732 }
733 break;
734 case SSL_HdskServerHello:
735 ctx->sessionMatch = 0;
736 if (ctx->resumableSession.data != 0 && ctx->sessionID.data != 0)
737 {
738 SSLProtocolVersion sessionProt;
739 if ((err = SSLRetrieveSessionID(ctx->resumableSession,
740 &sessionIdentifier, ctx)) != 0)
741 { SSLFatalSessionAlert(SSL_AlertInternalError, ctx);
742 return err;
743 }
744 if ((err = SSLRetrieveSessionProtocolVersion(ctx->resumableSession,
745 &sessionProt, ctx)) != 0)
746 { SSLFatalSessionAlert(SSL_AlertInternalError, ctx);
747 return err;
748 }
749 if ((sessionIdentifier.length == ctx->sessionID.length) &&
750 (memcmp(sessionIdentifier.data, ctx->sessionID.data,
751 ctx->sessionID.length) == 0) &&
752 (sessionProt == ctx->negProtocolVersion))
753 { /* Everything matches; resume the session */
754 sslLogResumSessDebug("===RESUMING SSL3 client-side session");
755 if ((err = SSLInstallSessionFromData(ctx->resumableSession,
756 ctx)) != 0 ||
757 (err = SSLInitPendingCiphers(ctx)) != 0 ||
758 (err = SSLFreeBuffer(&sessionIdentifier, ctx)) != 0)
759 { SSLFatalSessionAlert(SSL_AlertInternalError, ctx);
760 return err;
761 }
762 ctx->sessionMatch = 1;
763 SSLChangeHdskState(ctx, SSL_HdskStateChangeCipherSpec);
764 break;
765 }
766 else {
767 sslLogResumSessDebug("===FAILED TO RESUME SSL3 client-side "
768 "session");
769 }
770 if ((err = SSLFreeBuffer(&sessionIdentifier, ctx)) != 0)
771 { SSLFatalSessionAlert(SSL_AlertInternalError, ctx);
772 return err;
773 }
774 }
775 switch (ctx->selectedCipherSpec.keyExchangeMethod)
776 {
777 /* these require a key exchange message */
778 case SSL_NULL_auth:
779 case SSL_DH_anon:
780 case SSL_DH_anon_EXPORT:
781 SSLChangeHdskState(ctx, SSL_HdskStateKeyExchange);
782 break;
783 case SSL_RSA:
784 case SSL_DH_DSS:
785 case SSL_DH_DSS_EXPORT:
786 case SSL_DH_RSA:
787 case SSL_DH_RSA_EXPORT:
788 case SSL_RSA_EXPORT:
789 case SSL_DHE_DSS:
790 case SSL_DHE_DSS_EXPORT:
791 case SSL_DHE_RSA:
792 case SSL_DHE_RSA_EXPORT:
793 case SSL_Fortezza:
794 case SSL_ECDH_ECDSA:
795 case SSL_ECDHE_ECDSA:
796 case SSL_ECDH_RSA:
797 case SSL_ECDHE_RSA:
798 SSLChangeHdskState(ctx, SSL_HdskStateCert);
799 break;
800 default:
801 assert("Unknown key exchange method");
802 break;
803 }
804 break;
805 case SSL_HdskCert:
806 if (ctx->state == SSL_HdskStateCert)
807 switch (ctx->selectedCipherSpec.keyExchangeMethod)
808 { case SSL_RSA:
809 /*
810 * I really think the two RSA cases should be
811 * handled the same here - the server key exchange is
812 * optional, and is up to the server.
813 * Note this isn't the same as SSL_SERVER_KEYEXCH_HACK;
814 * we're a client here.
815 */
816 case SSL_RSA_EXPORT:
817 case SSL_DH_DSS:
818 case SSL_DH_DSS_EXPORT:
819 case SSL_DH_RSA:
820 case SSL_DH_RSA_EXPORT:
821 case SSL_ECDH_ECDSA:
822 case SSL_ECDH_RSA:
823 SSLChangeHdskState(ctx, SSL_HdskStateHelloDone);
824 break;
825 case SSL_DHE_DSS:
826 case SSL_DHE_DSS_EXPORT:
827 case SSL_DHE_RSA:
828 case SSL_DHE_RSA_EXPORT:
829 case SSL_Fortezza:
830 case SSL_ECDHE_ECDSA:
831 case SSL_ECDHE_RSA:
832 SSLChangeHdskState(ctx, SSL_HdskStateKeyExchange);
833 break;
834 default:
835 assert("Unknown or unexpected key exchange method");
836 break;
837 }
838 else if (ctx->state == SSL_HdskStateClientCert)
839 { SSLChangeHdskState(ctx, SSL_HdskStateClientKeyExchange);
840 if (ctx->peerCert != 0)
841 ctx->certReceived = 1;
842 }
843 break;
844 case SSL_HdskCertRequest:
845 /* state stays in SSL_HdskStateHelloDone; distinction is in
846 * ctx->certRequested */
847 if (ctx->peerCert == 0)
848 { SSLFatalSessionAlert(SSL_AlertHandshakeFail, ctx);
849 return errSSLProtocol;
850 }
851 assert(ctx->protocolSide == kSSLClientSide);
852 ctx->certRequested = 1;
853 ctx->clientCertState = kSSLClientCertRequested;
854 break;
855 case SSL_HdskServerKeyExchange:
856 SSLChangeHdskState(ctx, SSL_HdskStateHelloDone);
857 break;
858 case SSL_HdskServerHelloDone:
859 /*
860 * Waiting until server has sent hello done to interrupt and allow
861 * setting client cert, so we can send certificate, keyexchange and
862 * cert verify message together
863 */
864 if (ctx->state != SSL_HdskStateClientCert) {
865 if (ctx->signalServerAuth) {
866 ctx->signalServerAuth = false;
867 SSLChangeHdskState(ctx, SSL_HdskStateClientCert);
868 return errSSLServerAuthCompleted;
869 } else if (ctx->signalCertRequest) {
870 ctx->signalCertRequest = false;
871 SSLChangeHdskState(ctx, SSL_HdskStateClientCert);
872 return errSSLClientCertRequested;
873 } else if (ctx->signalClientAuth) {
874 ctx->signalClientAuth = false;
875 return errSSLClientAuthCompleted;
876 }
877 }
878
879 if (ctx->clientCertState == kSSLClientCertRequested) {
880 /*
881 * Server wants a client authentication cert - do
882 * we have one?
883 */
884 if (ctx->localCert != 0 && ctx->x509Requested) {
885 if ((err = SSLPrepareAndQueueMessage(SSLEncodeCertificate,
886 ctx)) != 0) {
887 return err;
888 }
889 }
890 else {
891 /* response for no cert depends on protocol version */
892 if(ctx->negProtocolVersion >= TLS_Version_1_0) {
893 /* TLS: send empty cert msg */
894 if ((err = SSLPrepareAndQueueMessage(SSLEncodeCertificate,
895 ctx)) != 0) {
896 return err;
897 }
898 }
899 else {
900 /* SSL3: "no cert" alert */
901 if ((err = SSLSendAlert(SSL_AlertLevelWarning, SSL_AlertNoCert_RESERVED,
902 ctx)) != 0) {
903 return err;
904 }
905 }
906 } /* no cert to send */
907 } /* server requested a cert */
908 if ((err = SSLPrepareAndQueueMessage(SSLEncodeKeyExchange, ctx)) != 0)
909 return err;
910 assert(ctx->sslTslCalls != NULL);
911 if ((err = ctx->sslTslCalls->generateMasterSecret(ctx)) != 0 ||
912 (err = SSLInitPendingCiphers(ctx)) != 0)
913 { SSLFatalSessionAlert(SSL_AlertInternalError, ctx);
914 return err;
915 }
916 memset(ctx->preMasterSecret.data, 0, ctx->preMasterSecret.length);
917 if ((err = SSLFreeBuffer(&ctx->preMasterSecret, ctx)) != 0) {
918 return err;
919 }
920 if (ctx->certSent) {
921 /* Not all client auth mechanisms require a cert verify message */
922 switch(ctx->negAuthType) {
923 case SSLClientAuth_RSASign:
924 case SSLClientAuth_ECDSASign:
925 if ((err = SSLPrepareAndQueueMessage(SSLEncodeCertificateVerify,
926 ctx)) != 0) {
927 return err;
928 }
929 break;
930 default:
931 break;
932 }
933 }
934 if ((err = SSLPrepareAndQueueMessage(SSLEncodeChangeCipherSpec,
935 ctx)) != 0) {
936 return err;
937 }
938 if ((err = SSLPrepareAndQueueMessage(SSLEncodeFinishedMessage, ctx)) != 0)
939 return err;
940 SSLChangeHdskState(ctx, SSL_HdskStateChangeCipherSpec);
941 break;
942 case SSL_HdskCertVerify:
943 SSLChangeHdskState(ctx, SSL_HdskStateChangeCipherSpec);
944 break;
945 case SSL_HdskClientKeyExchange:
946 assert(ctx->sslTslCalls != NULL);
947 if ((err = ctx->sslTslCalls->generateMasterSecret(ctx)) != 0 ||
948 (err = SSLInitPendingCiphers(ctx)) != 0)
949 { SSLFatalSessionAlert(SSL_AlertInternalError, ctx);
950 return err;
951 }
952 memset(ctx->preMasterSecret.data, 0, ctx->preMasterSecret.length);
953 if ((err = SSLFreeBuffer(&ctx->preMasterSecret, ctx)) != 0)
954 return err;
955 if (ctx->certReceived) {
956 SSLChangeHdskState(ctx, SSL_HdskStateClientCertVerify);
957 }
958 else {
959 SSLChangeHdskState(ctx, SSL_HdskStateChangeCipherSpec);
960 }
961 break;
962 case SSL_HdskFinished:
963 /* Handshake is over; enable data transfer on read channel */
964 ctx->readCipher.ready = 1;
965 /* If writePending is set, we haven't yet sent a finished message;
966 * send it */
967 if (ctx->writePending.ready != 0)
968 { if ((err = SSLPrepareAndQueueMessage(SSLEncodeChangeCipherSpec,
969 ctx)) != 0)
970 return err;
971 if ((err = SSLPrepareAndQueueMessage(SSLEncodeFinishedMessage,
972 ctx)) != 0)
973 return err;
974 }
975 if (ctx->protocolSide == kSSLServerSide) {
976 SSLChangeHdskState(ctx, SSL_HdskStateServerReady);
977 }
978 else {
979 SSLChangeHdskState(ctx, SSL_HdskStateClientReady);
980 }
981 if ((ctx->peerID.data != 0) && (ctx->sessionTicket.data == NULL)) {
982 /* note we avoid caching session data for PAC-style resumption */
983 SSLAddSessionData(ctx);
984 }
985 break;
986 default:
987 assert(0);
988 break;
989 }
990
991 /* We should have a full flight when we reach here, sending it for the first time */
992 ctx->hdskMessageRetryCount = 0;
993 ctx->timeout_deadline = CFAbsoluteTimeGetCurrent() + ctx->timeout_duration;
994 return SSLSendFlight(ctx);
995 }
996
997 OSStatus
998 SSLPrepareAndQueueMessage(EncodeMessageFunc msgFunc, SSLContext *ctx)
999 { OSStatus err;
1000 SSLRecord rec = {0, 0, {0, NULL}};
1001 WaitingMessage *out;
1002 WaitingMessage *queue;
1003
1004 if ((err = msgFunc(&rec, ctx)) != 0)
1005 { SSLFatalSessionAlert(SSL_AlertCloseNotify, ctx);
1006 goto fail;
1007 }
1008
1009 if (rec.contentType == SSL_RecordTypeHandshake)
1010 {
1011 if ((err = SSLUpdateHandshakeMacs(&rec.contents, ctx)) != 0)
1012 { SSLFatalSessionAlert(SSL_AlertInternalError, ctx);
1013 goto fail;
1014 }
1015 SSLLogHdskMsg((SSLHandshakeType)rec.contents.data[0], 1);
1016 ctx->hdskMessageSeq++;
1017 }
1018
1019 err=errSSLInternal;
1020 out = (WaitingMessage *)sslMalloc(sizeof(WaitingMessage));
1021 if(out==NULL) goto fail;
1022
1023 out->next = NULL;
1024 out->rec = rec;
1025
1026 queue=ctx->messageWriteQueue;
1027 if (queue == NULL) {
1028 sslHdskMsgDebug("Queuing first message in flight\n");
1029 ctx->messageWriteQueue = out;
1030 } else {
1031 int n=1;
1032 while (queue->next != 0) {
1033 queue = queue->next;
1034 n++;
1035 }
1036 sslHdskMsgDebug("Queuing message %d in flight\n", n);
1037 queue->next = out;
1038 }
1039
1040 return noErr;
1041 fail:
1042 SSLFreeBuffer(&rec.contents, ctx);
1043 return err;
1044 }
1045
1046 static
1047 OSStatus SSLSendMessage(SSLRecord rec, SSLContext *ctx)
1048 {
1049 OSStatus err;
1050
1051 assert(ctx->sslTslCalls != NULL);
1052
1053 if ((err = ctx->sslTslCalls->writeRecord(rec, ctx)) != 0)
1054 return err;
1055 if(rec.contentType == SSL_RecordTypeChangeCipher) {
1056 /* Install new cipher spec on write side */
1057 if ((err = SSLDisposeCipherSuite(&ctx->writeCipher, ctx)) != 0)
1058 { SSLFatalSessionAlert(SSL_AlertInternalError, ctx);
1059 return err;
1060 }
1061 ctx->prevCipher = ctx->writeCipher;
1062 ctx->writeCipher = ctx->writePending;
1063 /* Can't send data until Finished is sent */
1064 ctx->writeCipher.ready = 0;
1065 ctx->wroteAppData = 0;
1066
1067 /* Zero out old data */
1068 memset(&ctx->writePending, 0, sizeof(CipherContext));
1069 ctx->writePending.encrypting = 1;
1070
1071 /* TODO: that should only happen after Finished message is sent. <rdar://problem/9682471> */
1072 ctx->writeCipher.ready = 1;
1073 }
1074
1075 return noErr;
1076 }
1077
1078 static
1079 OSStatus DTLSSendMessage(SSLRecord rec, SSLContext *ctx)
1080 {
1081 OSStatus err=noErr;
1082
1083 assert(ctx->sslTslCalls != NULL);
1084
1085 if(rec.contentType != SSL_RecordTypeHandshake) {
1086 sslHdskMsgDebug("Not fragmenting message type=%d len=%d\n", rec.contentType, rec.contents.length);
1087 if ((err = ctx->sslTslCalls->writeRecord(rec, ctx)) != 0)
1088 return err;
1089 if(rec.contentType == SSL_RecordTypeChangeCipher) {
1090 /* Install new cipher spec on write side */
1091 if ((err = SSLDisposeCipherSuite(&ctx->writeCipher, ctx)) != 0)
1092 { SSLFatalSessionAlert(SSL_AlertInternalError, ctx);
1093 return err;
1094 }
1095 ctx->prevCipher = ctx->writeCipher;
1096 ctx->writeCipher = ctx->writePending;
1097 /* Can't send data until Finished is sent */
1098 ctx->writeCipher.ready = 0;
1099 ctx->wroteAppData = 0;
1100
1101 /* Zero out old data */
1102 memset(&ctx->writePending, 0, sizeof(CipherContext));
1103 ctx->writePending.encrypting = 1;
1104
1105 /* TODO: that should only happen after Finished message is sent. See <rdar://problem/9682471> */
1106 ctx->writeCipher.ready = 1;
1107
1108 }
1109 } else {
1110 /* fragmenting */
1111 SSLRecord fragrec;
1112
1113 int msghead = 12; /* size of message header in DTLS */
1114 size_t fraglen;
1115 size_t len = rec.contents.length-msghead;
1116 UInt32 seq = SSLDecodeInt(rec.contents.data+4, 2);
1117 (void) seq; // Suppress warnings
1118 size_t ofs = 0;
1119
1120 sslHdskMsgDebug("Fragmenting msg seq %ld (rl=%d, ml=%d)", seq, rec.contents.length,
1121 SSLDecodeInt(rec.contents.data+1, 3));
1122
1123
1124 SSLGetDatagramWriteSize(ctx, &fraglen);
1125 fraglen -= msghead;
1126
1127 fragrec.contentType = rec.contentType;
1128 fragrec.protocolVersion = rec.protocolVersion;
1129 if((err=SSLAllocBuffer(&fragrec.contents, fraglen + msghead, ctx))!=0)
1130 return err;
1131
1132 /* copy the constant part of the header */
1133 memcpy(fragrec.contents.data,rec.contents.data, 6);
1134
1135 while(len>fraglen) {
1136
1137 sslHdskMsgDebug("Fragmenting msg seq %ld (o=%d,l=%d)", seq, ofs, fraglen);
1138
1139 /* fragment offset and fragment length */
1140 SSLEncodeSize(fragrec.contents.data+6, ofs, 3);
1141 SSLEncodeSize(fragrec.contents.data+9, fraglen, 3);
1142 /* copy the payload */
1143 memcpy(fragrec.contents.data+msghead, rec.contents.data+msghead+ofs, fraglen);
1144 if ((err = ctx->sslTslCalls->writeRecord(fragrec, ctx)) != 0)
1145 goto cleanup;
1146 len-=fraglen;
1147 ofs+=fraglen;
1148 }
1149
1150 sslHdskMsgDebug("Fragmenting msg seq %ld - Last Fragment (o=%d,l=%d)", seq, ofs, len);
1151
1152 /* last fragment */
1153 /* fragment offset and fragment length */
1154 SSLEncodeSize(fragrec.contents.data+6, ofs, 3);
1155 SSLEncodeSize(fragrec.contents.data+9, len, 3);
1156 /* copy the payload */
1157 memcpy(fragrec.contents.data+msghead, rec.contents.data+msghead+ofs, len);
1158 fragrec.contents.length=len+msghead;
1159 err = ctx->sslTslCalls->writeRecord(fragrec, ctx);
1160
1161 cleanup:
1162 /* Free the allocated fragment buffer */
1163 SSLFreeBuffer(&fragrec.contents, ctx);
1164
1165 }
1166
1167 return err;
1168 }
1169
1170
1171 OSStatus SSLResetFlight(SSLContext *ctx)
1172 {
1173 OSStatus err;
1174 WaitingMessage *queue;
1175 WaitingMessage *next;
1176 int n=0;
1177
1178 assert(ctx->sslTslCalls != NULL);
1179
1180 queue=ctx->messageWriteQueue;
1181 ctx->messageQueueContainsChangeCipherSpec=false;
1182
1183 while(queue) {
1184 n++;
1185 err = SSLFreeBuffer(&queue->rec.contents, ctx);
1186 if (err != 0)
1187 goto fail;
1188 next=queue->next;
1189 sslFree(queue);
1190 queue=next;
1191 }
1192
1193 ctx->messageWriteQueue=NULL;
1194
1195 return noErr;
1196 fail:
1197 assert(0);
1198 return err;
1199 }
1200
1201
1202 OSStatus SSLSendFlight(SSLContext *ctx)
1203 {
1204 OSStatus err;
1205 WaitingMessage *queue;
1206 int n=0;
1207
1208 assert(ctx->sslTslCalls != NULL);
1209
1210 queue=ctx->messageWriteQueue;
1211
1212 while(queue) {
1213 if (ctx->isDTLS) {
1214 err=DTLSSendMessage(queue->rec, ctx);
1215 } else {
1216 err=SSLSendMessage(queue->rec, ctx);
1217 }
1218 if (err != 0)
1219 goto fail;
1220 queue=queue->next;
1221 n++;
1222 }
1223
1224 return noErr;
1225 fail:
1226 assert(0);
1227 return err;
1228 }
1229
1230 OSStatus
1231 SSL3ReceiveSSL2ClientHello(SSLRecord rec, SSLContext *ctx)
1232 { OSStatus err;
1233
1234 if ((err = SSLInitMessageHashes(ctx)) != 0)
1235 return err;
1236
1237 if ((err = SSLHashSHA1.update(&ctx->shaState, &rec.contents)) != 0 ||
1238 (err = SSLHashMD5.update(&ctx->md5State, &rec.contents)) != 0)
1239 { SSLFatalSessionAlert(SSL_AlertInternalError, ctx);
1240 return err;
1241 }
1242
1243 if ((err = SSLAdvanceHandshake(SSL_HdskClientHello, ctx)) != 0)
1244 return err;
1245
1246 return noErr;
1247 }
1248
1249 /* log changes in handshake state */
1250 #ifndef NDEBUG
1251 #include <stdio.h>
1252
1253 char *hdskStateToStr(SSLHandshakeState state)
1254 {
1255 static char badStr[100];
1256
1257 switch(state) {
1258 case SSL_HdskStateUninit:
1259 return "Uninit";
1260 case SSL_HdskStateServerUninit:
1261 return "ServerUninit";
1262 case SSL_HdskStateClientUninit:
1263 return "ClientUninit";
1264 case SSL_HdskStateGracefulClose:
1265 return "GracefulClose";
1266 case SSL_HdskStateErrorClose:
1267 return "ErrorClose";
1268 case SSL_HdskStateNoNotifyClose:
1269 return "NoNotifyClose";
1270 case SSL_HdskStateServerHello:
1271 return "ServerHello";
1272 case SSL_HdskStateServerHelloUnknownVersion:
1273 return "ServerHelloUnknownVersion";
1274 case SSL_HdskStateKeyExchange:
1275 return "KeyExchange";
1276 case SSL_HdskStateCert:
1277 return "Cert";
1278 case SSL_HdskStateHelloDone:
1279 return "HelloDone";
1280 case SSL_HdskStateClientCert:
1281 return "ClientCert";
1282 case SSL_HdskStateClientKeyExchange:
1283 return "ClientKeyExchange";
1284 case SSL_HdskStateClientCertVerify:
1285 return "ClientCertVerify";
1286 case SSL_HdskStateChangeCipherSpec:
1287 return "ChangeCipherSpec";
1288 case SSL_HdskStateFinished:
1289 return "Finished";
1290 case SSL2_HdskStateClientMasterKey:
1291 return "SSL2_ClientMasterKey";
1292 case SSL2_HdskStateClientFinished:
1293 return "SSL2_ClientFinished";
1294 case SSL2_HdskStateServerHello:
1295 return "SSL2_ServerHello";
1296 case SSL2_HdskStateServerVerify:
1297 return "SSL2_ServerVerify";
1298 case SSL2_HdskStateServerFinished:
1299 return "SSL2_ServerFinished";
1300 case SSL_HdskStateServerReady:
1301 return "SSL_ServerReady";
1302 case SSL_HdskStateClientReady:
1303 return "SSL_ClientReady";
1304 default:
1305 sprintf(badStr, "Unknown state (%d(d)", state);
1306 return badStr;
1307 }
1308 }
1309
1310 void SSLChangeHdskState(SSLContext *ctx, SSLHandshakeState newState)
1311 {
1312 /* FIXME - this ifndef should not be necessary */
1313 #ifndef NDEBUG
1314 sslHdskStateDebug("...hdskState = %s", hdskStateToStr(newState));
1315 #endif
1316 ctx->state = newState;
1317 }
1318
1319
1320 /* log handshake messages */
1321
1322 static char *hdskMsgToStr(SSLHandshakeType msg)
1323 {
1324 static char badStr[100];
1325
1326 switch(msg) {
1327 case SSL_HdskHelloRequest:
1328 return "SSL_HdskHelloRequest";
1329 case SSL_HdskClientHello:
1330 return "SSL_HdskClientHello";
1331 case SSL_HdskServerHello:
1332 return "SSL_HdskServerHello";
1333 case SSL_HdskHelloVerifyRequest:
1334 return "SSL_HdskHelloVerifyRequest";
1335 case SSL_HdskCert:
1336 return "SSL_HdskCert";
1337 case SSL_HdskServerKeyExchange:
1338 return "SSL_HdskServerKeyExchange";
1339 case SSL_HdskCertRequest:
1340 return "SSL_HdskCertRequest";
1341 case SSL_HdskServerHelloDone:
1342 return "SSL_HdskServerHelloDone";
1343 case SSL_HdskCertVerify:
1344 return "SSL_HdskCertVerify";
1345 case SSL_HdskClientKeyExchange:
1346 return "SSL_HdskClientKeyExchange";
1347 case SSL_HdskFinished:
1348 return "SSL_HdskFinished";
1349 default:
1350 sprintf(badStr, "Unknown msg (%d(d))", msg);
1351 return badStr;
1352 }
1353 }
1354
1355 void SSLLogHdskMsg(SSLHandshakeType msg, char sent)
1356 {
1357 sslHdskMsgDebug("---%s handshake msg %s",
1358 hdskMsgToStr(msg), (sent ? "sent" : "recv"));
1359 }
1360
1361 #endif /* NDEBUG */
1362
mirror of Security