]> git.saurik.com Git - apple/security.git/blob - OSX/libsecurity_ssl/lib/sslTransport.c
Security-59306.11.20.tar.gz
[apple/security.git] / OSX / libsecurity_ssl / lib / sslTransport.c
1 /*
2 * Copyright (c) 1999-2001,2005-2014 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24 /*
25 * sslTransport.c - SSL transport layer
26 */
27
28 #include "ssl.h"
29 #include "sslMemory.h"
30 #include "sslContext.h"
31 #include "sslRecord.h"
32 #include "sslDebug.h"
33 #include "sslCipherSpecs.h"
34
35 #include <assert.h>
36 #include <string.h>
37
38 #include <utilities/SecIOFormat.h>
39 #include <utilities/SecCFWrappers.h>
40
41 #include <CommonCrypto/CommonDigest.h>
42 #include <Security/SecCertificatePriv.h>
43
44 #ifndef NDEBUG
45 static inline void sslIoTrace(
46 SSLContext *ctx,
47 const char *op,
48 size_t req,
49 size_t moved,
50 OSStatus stat)
51 {
52 sslLogRecordIo("[%p] ===%s: req %4lu moved %4lu status %d",
53 ctx, op, req, moved, (int)stat);
54 }
55 #else
56 #define sslIoTrace(ctx, op, req, moved, stat)
57 #endif /* NDEBUG */
58
59 extern int kSplitDefaultValue;
60
61 static OSStatus SSLProcessProtocolMessage(SSLRecord *rec, SSLContext *ctx);
62 static OSStatus SSLHandshakeProceed(SSLContext *ctx);
63 static OSStatus SSLSendAlert(SSLContext *ctx, tls_alert_level_t level, tls_alert_t description);
64
65 OSStatus
66 SSLWrite(
67 SSLContext *ctx,
68 const void * data,
69 size_t dataLength,
70 size_t *bytesWritten) /* RETURNED */
71 {
72 OSStatus err;
73 SSLRecord rec;
74 size_t dataLen, processed;
75
76 sslLogRecordIo("[%p] SSLWrite top", ctx);
77 if((ctx == NULL) || (bytesWritten == NULL)) {
78 return errSecParam;
79 }
80 dataLen = dataLength;
81 *bytesWritten = 0;
82
83 switch(ctx->state) {
84 case SSL_HdskStateGracefulClose:
85 err = errSSLClosedGraceful;
86 goto abort;
87 case SSL_HdskStateErrorClose:
88 case SSL_HdskStateOutOfBandError:
89 err = errSSLClosedAbort;
90 goto abort;
91 case SSL_HdskStateReady:
92 break;
93 case SSL_HdskStateUninit:
94 /* not ready for I/O, and handshake not in progress */
95 sslIoTrace(ctx, "SSLWrite(1)", dataLength, 0, errSecBadReq);
96 return errSecBadReq;
97 default:
98 /* handshake in progress or done. Will call SSLHandshakeProceed below if necessary */
99 break;
100 }
101
102 /* First, we have to wait until the session is ready to send data,
103 so the encryption keys and such have been established. */
104 while (!(ctx->writeCipher_ready))
105 { if ((err = SSLHandshakeProceed(ctx)) != 0)
106 goto exit;
107 }
108
109 /* Attempt to empty the write queue before queueing more data */
110 if ((err = SSLServiceWriteQueue(ctx)) != 0)
111 goto abort;
112
113 processed = 0;
114
115 /* Skip empty writes, fragmentation is done at the coreTLS layer */
116 if(dataLen) {
117 rec.contentType = SSL_RecordTypeAppData;
118 rec.contents.data = ((uint8_t *)data) + processed;
119 rec.contents.length = dataLen;
120 if ((err = SSLWriteRecord(rec, ctx)) != 0)
121 goto exit;
122 processed += rec.contents.length;
123 }
124
125 /* All the data has been advanced to the write queue */
126 *bytesWritten = processed;
127 if ((err = SSLServiceWriteQueue(ctx)) == 0) {
128 err = errSecSuccess;
129 }
130 exit:
131 switch(err) {
132 case errSecSuccess:
133 case errSSLWouldBlock:
134 case errSSLUnexpectedRecord:
135 case errSSLServerAuthCompleted: /* == errSSLClientAuthCompleted */
136 case errSSLClientCertRequested:
137 case errSSLClientHelloReceived:
138 case errSSLClosedGraceful:
139 break;
140 default:
141 sslErrorLog("SSLWrite: going to state errorClose due to err %d\n",
142 (int)err);
143 SSLChangeHdskState(ctx, SSL_HdskStateErrorClose);
144 break;
145 }
146 abort:
147 sslIoTrace(ctx, "SSLWrite(2)", dataLength, *bytesWritten, err);
148 return err;
149 }
150
151 OSStatus
152 SSLRead (
153 SSLContext *ctx,
154 void * data,
155 size_t dataLength,
156 size_t *processed) /* RETURNED */
157 {
158 OSStatus err;
159 uint8_t *charPtr;
160 size_t bufSize, remaining, count;
161 SSLRecord rec;
162
163 sslLogRecordIo("[%p] SSLRead top (dataLength=%ld)", ctx, dataLength);
164 if((ctx == NULL) || (data == NULL) || (processed == NULL)) {
165 return errSecParam;
166 }
167 bufSize = dataLength;
168 *processed = 0; /* Initialize in case we return with errSSLWouldBlock */
169
170 readRetry:
171 /* first handle cases in which we know we're finished */
172 switch(ctx->state) {
173 case SSL_HdskStateGracefulClose:
174 err = errSSLClosedGraceful;
175 goto abort;
176 case SSL_HdskStateErrorClose:
177 case SSL_HdskStateOutOfBandError:
178 err = errSSLClosedAbort;
179 goto abort;
180 case SSL_HdskStateNoNotifyClose:
181 err = errSSLClosedNoNotify;
182 goto abort;
183 default:
184 break;
185 }
186
187 /* First, we have to wait until the session is ready to receive data,
188 so the encryption keys and such have been established. */
189 while (ctx->readCipher_ready == 0) {
190 if ((err = SSLHandshakeProceed(ctx)) != 0) {
191 goto exit;
192 }
193 }
194
195 /* Need this to handle the case were SSLRead returned
196 errSSLClientHelloReceived as readCipher_ready is not set yet in that case */
197 if ((err = tls_handshake_continue(ctx->hdsk)) != 0)
198 return err;
199
200 /* Attempt to service the write queue */
201 if ((err = SSLServiceWriteQueue(ctx)) != 0) {
202 if (err != errSSLWouldBlock) {
203 goto exit;
204 }
205 }
206
207 remaining = bufSize;
208 charPtr = (uint8_t *)data;
209
210 /* If we have data in the buffer, use that first */
211 if (ctx->receivedDataBuffer.data)
212 {
213 count = ctx->receivedDataBuffer.length - ctx->receivedDataPos;
214 if (count > bufSize)
215 count = bufSize;
216 memcpy(data, ctx->receivedDataBuffer.data + ctx->receivedDataPos, count);
217 remaining -= count;
218 charPtr += count;
219 *processed += count;
220 ctx->receivedDataPos += count;
221 }
222
223 assert(ctx->receivedDataPos <= ctx->receivedDataBuffer.length);
224 assert(*processed + remaining == bufSize);
225 assert(charPtr == ((uint8_t *)data) + *processed);
226
227 if (ctx->receivedDataBuffer.data != 0 &&
228 ctx->receivedDataPos >= ctx->receivedDataBuffer.length)
229 {
230 SSLFreeBuffer(&ctx->receivedDataBuffer);
231 ctx->receivedDataBuffer.data = 0;
232 ctx->receivedDataPos = 0;
233 }
234
235 /*
236 * If we didnt fill up the users buffer, get some more data
237 */
238 if (remaining > 0 && ctx->state != SSL_HdskStateGracefulClose)
239 {
240 assert(ctx->receivedDataBuffer.data == 0);
241 if ((err = SSLReadRecord(&rec, ctx)) != 0) {
242 goto exit;
243 }
244 if (rec.contentType == SSL_RecordTypeAppData ||
245 rec.contentType == SSL_RecordTypeV2_0)
246 {
247 if (rec.contents.length <= remaining)
248 { /* Copy all we got in the user's buffer */
249 memcpy(charPtr, rec.contents.data, rec.contents.length);
250 *processed += rec.contents.length;
251 {
252 if ((err = SSLFreeRecord(rec, ctx))) {
253 goto exit;
254 }
255 }
256 }
257 else
258 { /* Copy what we can in the user's buffer, keep the rest for next SSLRead. */
259 memcpy(charPtr, rec.contents.data, remaining);
260 *processed += remaining;
261 ctx->receivedDataBuffer = rec.contents;
262 ctx->receivedDataPos = remaining;
263 }
264 }
265 else {
266 if ((err = SSLProcessProtocolMessage(&rec, ctx)) != 0) {
267 /* This may not make much sense, but this is required so that we
268 process the write queue. This replicate exactly the behavior
269 before the coreTLS adoption */
270 if(err == errSSLClosedGraceful) {
271 SSLClose(ctx);
272 } else {
273 goto exit;
274 }
275 }
276 if ((err = SSLFreeRecord(rec, ctx))) {
277 goto exit;
278 }
279 }
280 }
281
282 err = errSecSuccess;
283
284 exit:
285 /* test for renegotiate: loop until something useful happens */
286 if(((err == errSecSuccess) && (*processed == 0) && dataLength) || (err == errSSLUnexpectedRecord)) {
287 sslLogNegotiateDebug("SSLRead recursion");
288 goto readRetry;
289 }
290 /* shut down on serious errors */
291 switch(err) {
292 case errSecSuccess:
293 case errSSLWouldBlock:
294 case errSSLUnexpectedRecord:
295 case errSSLServerAuthCompleted: /* == errSSLClientAuthCompleted */
296 case errSSLClientCertRequested:
297 case errSSLClientHelloReceived:
298 case errSSLClosedGraceful:
299 case errSSLClosedNoNotify:
300 break;
301 default:
302 sslErrorLog("SSLRead: going to state errorClose due to err %d\n",
303 (int)err);
304 SSLChangeHdskState(ctx, SSL_HdskStateErrorClose);
305 break;
306 }
307 abort:
308 sslIoTrace(ctx, "SSLRead returns", dataLength, *processed, err);
309 return err;
310 }
311
312 #if SSL_DEBUG
313 #include "sslCrypto.h"
314 #endif
315
316
317
318 static void get_extended_peer_id(SSLContext *ctx, tls_buffer *extended_peer_id)
319 {
320 uint8_t md[CC_SHA256_DIGEST_LENGTH];
321 __block CC_SHA256_CTX hash_ctx;
322
323 CC_SHA256_Init(&hash_ctx);
324
325 CC_SHA256_Update(&hash_ctx, &ctx->allowAnyRoot, sizeof(ctx->allowAnyRoot));
326
327 #if !TARGET_OS_IPHONE
328 if(ctx->trustedLeafCerts) {
329 CFArrayForEach(ctx->trustedLeafCerts, ^(const void *value) {
330 SecCertificateRef cert = (SecCertificateRef) value;
331 CC_SHA256_Update(&hash_ctx, SecCertificateGetBytePtr(cert), (CC_LONG)SecCertificateGetLength(cert));
332 });
333 }
334 #endif
335
336 CC_SHA256_Update(&hash_ctx, &ctx->trustedCertsOnly, sizeof(ctx->trustedCertsOnly));
337
338
339 if(ctx->trustedCerts) {
340 CFArrayForEach(ctx->trustedCerts, ^(const void *value) {
341 SecCertificateRef cert = (SecCertificateRef) value;
342 CC_SHA256_Update(&hash_ctx, SecCertificateGetBytePtr(cert), (CC_LONG)SecCertificateGetLength(cert));
343 });
344 }
345
346 CC_SHA256_Final(md, &hash_ctx);
347
348 extended_peer_id->length = ctx->peerID.length + sizeof(md);
349 extended_peer_id->data = sslMalloc(extended_peer_id->length);
350 memcpy(extended_peer_id->data, ctx->peerID.data, ctx->peerID.length);
351 memcpy(extended_peer_id->data+ctx->peerID.length, md, sizeof(md));
352 }
353
354 /* Send the initial client hello */
355 static OSStatus
356 SSLHandshakeStart(SSLContext *ctx)
357 {
358 int err;
359 tls_buffer extended_peer_id;
360 get_extended_peer_id(ctx, &extended_peer_id);
361 err = tls_handshake_negotiate(ctx->hdsk, &extended_peer_id);
362 free(extended_peer_id.data);
363 if(err)
364 return err;
365
366 ctx->readCipher_ready = 0;
367 ctx->writeCipher_ready = 0;
368 SSLChangeHdskState(ctx, SSL_HdskStatePending);
369
370 return noErr;
371 }
372
373 OSStatus
374 SSLReHandshake(SSLContext *ctx)
375 {
376 if(ctx == NULL) {
377 return errSecParam;
378 }
379
380 switch (ctx->state) {
381 case SSL_HdskStateGracefulClose:
382 return errSSLClosedGraceful;
383 case SSL_HdskStateErrorClose:
384 case SSL_HdskStateOutOfBandError:
385 return errSSLClosedAbort;
386 case SSL_HdskStatePending:
387 return errSecBadReq;
388 default:
389 break;
390 }
391
392 /* If we are the client, we start the negotiation */
393 if(ctx->protocolSide == kSSLClientSide) {
394 return SSLHandshakeStart(ctx);
395 } else {
396 return tls_handshake_request_renegotiation(ctx->hdsk);
397 }
398 }
399
400 OSStatus
401 SSLHandshake(SSLContext *ctx)
402 {
403 OSStatus err;
404
405 if(ctx == NULL) {
406 return errSecParam;
407 }
408
409 switch (ctx->state) {
410 case SSL_HdskStateGracefulClose:
411 return errSSLClosedGraceful;
412 case SSL_HdskStateErrorClose:
413 return errSSLClosedAbort;
414 default:
415 break;
416 }
417
418 if(ctx->isDTLS && ctx->timeout_deadline) {
419 CFAbsoluteTime current = CFAbsoluteTimeGetCurrent();
420
421 if (ctx->timeout_deadline<current) {
422 sslDebugLog("%p, retransmition deadline expired\n", ctx);
423 err = tls_handshake_retransmit_timer_expired(ctx->hdsk);
424 if(err) {
425 return err;
426 }
427 }
428 }
429
430 /* Initial Client Hello */
431 if(ctx->state==SSL_HdskStateUninit) {
432 /* If we are the client, we start the negotiation */
433 if(ctx->protocolSide == kSSLClientSide) {
434 err = SSLHandshakeStart(ctx);
435 if(err) {
436 return err;
437 }
438 }
439 SSLChangeHdskState(ctx, SSL_HdskStatePending);
440 }
441
442 /* If an out-of-band error occurred, handle it here and then terminate
443 the connection as needed. */
444 if (ctx->state == SSL_HdskStateOutOfBandError) {
445 bool shouldClose = true;
446 switch (ctx->outOfBandError) {
447 case errSecCertificateExpired:
448 SSLSendAlert(ctx, tls_handshake_alert_level_fatal, tls_handshake_alert_CertExpired);
449 break;
450 case errSecCertificateRevoked:
451 SSLSendAlert(ctx, tls_handshake_alert_level_fatal, tls_handshake_alert_CertRevoked);
452 break;
453 default:
454 shouldClose = false;
455 break;
456 }
457
458 if (shouldClose) {
459 return SSLClose(ctx);
460 }
461 }
462
463 do {
464 err = SSLHandshakeProceed(ctx);
465 if((err != 0) && (err != errSSLUnexpectedRecord))
466 return err;
467 } while (ctx->readCipher_ready == 0 || ctx->writeCipher_ready == 0);
468
469 /* one more flush at completion of successful handshake */
470 if ((err = SSLServiceWriteQueue(ctx)) != 0) {
471 return err;
472 }
473
474 return errSecSuccess;
475 }
476
477 #if (TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR)
478
479 #include "SecADWrapper.h"
480
481 static void ad_log_SecureTransport_early_fail(long signature)
482 {
483 CFStringRef key = CFStringCreateWithFormat(kCFAllocatorDefault, NULL, CFSTR("com.apple.SecureTransport.early_fail.%ld"), signature);
484
485 if (key) {
486 SecADAddValueForScalarKey(key, 1);
487 CFRelease(key);
488 }
489 }
490
491 #endif
492
493
494 #if (!TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR)
495
496 #include <msgtracer_client.h>
497
498 static void mt_log_SecureTransport_early_fail(long signature)
499 {
500 char signature_string[16];
501
502 snprintf(signature_string, sizeof(signature_string), "%ld", signature);
503
504 msgtracer_log_with_keys("com.apple.SecureTransport.early_fail", ASL_LEVEL_NOTICE,
505 "com.apple.message.signature", signature_string,
506 "com.apple.message.summarize", "YES",
507 NULL);
508 }
509
510 #endif
511
512
513 static void log_SecureTransport_early_fail(long signature)
514 {
515 #if (!TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR)
516 mt_log_SecureTransport_early_fail(signature);
517 #endif
518
519 #if (TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR)
520 ad_log_SecureTransport_early_fail(signature);
521 #endif
522 }
523
524
525 static OSStatus
526 SSLHandshakeProceed(SSLContext *ctx)
527 {
528 OSStatus err;
529
530 if ((err = tls_handshake_continue(ctx->hdsk)) != 0)
531 return err;
532
533 if ((err = SSLServiceWriteQueue(ctx)) != 0)
534 return err;
535
536 SSLRecord rec;
537
538 err = SSLReadRecord(&rec, ctx);
539
540 if(!err) {
541 sslDebugLog("%p going to process a record (rec.len=%zd, ct=%d)\n", ctx, rec.contents.length, rec.contentType);
542 err = tls_handshake_process(ctx->hdsk, rec.contents, rec.contentType);
543 sslDebugLog("%p processed a record (rec.len=%zd, ct=%d, err=%d)\n", ctx, rec.contents.length, rec.contentType, (int)err);
544 SSLFreeRecord(rec, ctx);
545 } else if(err!=errSSLWouldBlock) {
546 sslDebugLog("%p Read error err=%d\n\n", ctx, (int)err);
547 }
548
549 if(ctx->protocolSide == kSSLClientSide &&
550 ctx->dheEnabled == false &&
551 !ctx->serverHelloReceived &&
552 err && err != errSSLWouldBlock)
553 {
554 log_SecureTransport_early_fail(err);
555 }
556
557 return err;
558 }
559
560 static OSStatus
561 SSLProcessProtocolMessage(SSLRecord *rec, SSLContext *ctx)
562 {
563 return tls_handshake_process(ctx->hdsk, rec->contents, rec->contentType);
564 }
565
566 OSStatus
567 SSLClose(SSLContext *ctx)
568 {
569 OSStatus err = errSecSuccess;
570
571 sslHdskStateDebug("SSLClose");
572 if(ctx == NULL) {
573 return errSecParam;
574 }
575
576 err = tls_handshake_close(ctx->hdsk);
577
578 if (err == 0)
579 err = SSLServiceWriteQueue(ctx);
580
581 SSLChangeHdskState(ctx, SSL_HdskStateGracefulClose);
582 if (err == errSecIO)
583 err = errSecSuccess; /* Ignore errors related to closed streams */
584 return err;
585 }
586
587 static OSStatus
588 SSLSendAlert(SSLContext *ctx, tls_alert_level_t alertLevel, tls_alert_t alert)
589 {
590 sslHdskStateDebug("SSLSendAlert");
591 if (ctx == NULL) {
592 return errSecParam;
593 }
594
595 return tls_handshake_send_alert(ctx->hdsk, alertLevel, alert);
596 }
597
598 OSStatus
599 SSLSetError(SSLContext *ctx, OSStatus error)
600 {
601 ctx->state = SSL_HdskStateOutOfBandError;
602 ctx->outOfBandError = error;
603 return errSecSuccess;
604 }
605
606 /*
607 * Determine how much data the client can be guaranteed to
608 * obtain via SSLRead() without blocking or causing any low-level
609 * read operations to occur.
610 *
611 * Implemented here because the relevant info in SSLContext (receivedDataBuffer
612 * and receivedDataPos) are only used in this file.
613 */
614 OSStatus
615 SSLGetBufferedReadSize(SSLContextRef ctx,
616 size_t *bufSize) /* RETURNED */
617 {
618 if(ctx == NULL) {
619 return errSecParam;
620 }
621 if(ctx->receivedDataBuffer.data == NULL) {
622 *bufSize = 0;
623 }
624 else {
625 assert(ctx->receivedDataBuffer.length >= ctx->receivedDataPos);
626 *bufSize = ctx->receivedDataBuffer.length - ctx->receivedDataPos;
627 }
628 return errSecSuccess;
629 }