]> git.saurik.com Git - apple/security.git/blob - SecureTransport/sslalert.c
projects / apple / security.git / blob
? search:


ba555186efb81cb3d1078b8da4193e516ff76814
[apple/security.git] / SecureTransport / sslalert.c
1 /*
2 * Copyright (c) 2000-2001 Apple Computer, Inc. All Rights Reserved.
3 *
4 * The contents of this file constitute Original Code as defined in and are
5 * subject to the Apple Public Source License Version 1.2 (the 'License').
6 * You may not use this file except in compliance with the License. Please obtain
7 * a copy of the License at http://www.apple.com/publicsource and read it before
8 * using this file.
9 *
10 * This Original Code and all software distributed under the License are
11 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS
12 * OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, INCLUDING WITHOUT
13 * LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
14 * PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. Please see the License for the
15 * specific language governing rights and limitations under the License.
16 */
17
18
19 /* *********************************************************************
20 File: sslalert.c
21
22 SSLRef 3.0 Final -- 11/19/96
23
24 Copyright (c)1996 by Netscape Communications Corp.
25
26 By retrieving this software you are bound by the licensing terms
27 disclosed in the file "LICENSE.txt". Please read it, and if you don't
28 accept the terms, delete this software.
29
30 SSLRef 3.0 was developed by Netscape Communications Corp. of Mountain
31 View, California <http://home.netscape.com/> and Consensus Development
32 Corporation of Berkeley, California <http://www.consensus.com/>.
33
34 *********************************************************************
35
36 File: sslalert.c Support for alert protocol in SSL 3
37
38 Encoding, decoding and processing for the SSL alert protocol. Also,
39 support for sending fatal alerts, which also closes down our
40 connection, including invalidating our cached session.
41
42 ****************************************************************** */
43
44 #include "ssl.h"
45
46 #ifndef _SSLALERT_H_
47 #include "sslalert.h"
48 #endif
49
50 #ifndef _SSLALLOC_H_
51 #include "sslalloc.h"
52 #endif
53
54 #ifndef _SSLCTX_H_
55 #include "sslctx.h"
56 #endif
57
58 #ifndef _SSLSESS_H_
59 #include "sslsess.h"
60 #endif
61
62 #ifndef _SSL_DEBUG_H_
63 #include "sslDebug.h"
64 #endif
65
66 #include <assert.h>
67
68 SSLErr
69 SSLProcessAlert(SSLRecord rec, SSLContext *ctx)
70 { SSLErr err = SSLNoErr;
71 AlertLevel level;
72 AlertDescription desc;
73 uint8 *progress;
74 uint32 remaining;
75
76 if (rec.contents.length % 2 != 0)
77 { ERR(err = SSLFatalSessionAlert(alert_illegal_parameter, ctx));
78 if (!err)
79 ERR(err = SSLProtocolErr);
80 return err;
81 }
82
83 progress = rec.contents.data;
84 remaining = rec.contents.length;
85 while (remaining > 0)
86 { level = (AlertLevel)*progress++;
87 desc = (AlertDescription)*progress++;
88 remaining -= 2;
89
90 /*
91 * APPLE_CDSA changes: ignore sessionID-related failures here;
92 * the important thing is the alert.
93 */
94 if (level == alert_fatal)
95 {
96 SSLDeleteSessionData(ctx);
97 dprintf1("***Fatal alert %d received", desc);
98 return SSLFatalAlert;
99 }
100
101 switch (desc)
102 { case alert_unexpected_message:
103 case alert_bad_record_mac:
104 case alert_decompression_failure:
105 case alert_handshake_failure:
106 case alert_illegal_parameter:
107 /* These must always be fatal; if we got here, the level is warning;
108 * die anyway
109 */
110 SSLDeleteSessionData(ctx);
111 err = SSLFatalAlert;
112 break;
113 case alert_close_notify:
114 ERR(SSLClose(ctx));
115 err = SSLNoErr;
116 break;
117 case alert_no_certificate:
118 if (ctx->state == HandshakeClientCertificate)
119 if (ERR(err = SSLAdvanceHandshake(SSL_certificate, ctx)) != 0)
120 return err;
121 break;
122 case alert_bad_certificate:
123 case alert_unsupported_certificate:
124 case alert_certificate_revoked:
125 case alert_certificate_expired:
126 case alert_certificate_unknown:
127 err = SSLNoErr;
128 break;
129 default:
130 /* Unknown alert, but not fatal; ignore it */
131 break;
132 }
133 }
134
135 return err;
136 }
137
138 SSLErr
139 SSLSendAlert(AlertLevel level, AlertDescription desc, SSLContext *ctx)
140 { SSLRecord rec;
141 SSLErr err;
142
143 CASSERT((ctx->negProtocolVersion != SSL_Version_2_0));
144
145 if ((err = SSLEncodeAlert(&rec, level, desc, ctx)) != 0)
146 return err;
147 assert(ctx->sslTslCalls != NULL);
148 if ((err = ctx->sslTslCalls->writeRecord(rec, ctx)) != 0)
149 return err;
150 if ((err = SSLFreeBuffer(&rec.contents, &ctx->sysCtx)) != 0)
151 return err;
152
153 return SSLNoErr;
154 }
155
156 SSLErr
157 SSLEncodeAlert(SSLRecord *rec, AlertLevel level, AlertDescription desc, SSLContext *ctx)
158 { SSLErr err;
159
160 rec->contentType = SSL_alert;
161 CASSERT((ctx->negProtocolVersion != SSL_Version_2_0));
162 if(ctx->negProtocolVersion == SSL_Version_Undetermined) {
163 /* error while negotiating */
164 rec->protocolVersion = ctx->maxProtocolVersion;
165 }
166 else {
167 rec->protocolVersion = ctx->negProtocolVersion;
168 }
169 rec->contents.length = 2;
170 if ((err = SSLAllocBuffer(&rec->contents, 2, &ctx->sysCtx)) != 0)
171 return err;
172 rec->contents.data[0] = level;
173 rec->contents.data[1] = desc;
174
175 return SSLNoErr;
176 }
177
178 SSLErr
179 SSLFatalSessionAlert(AlertDescription desc, SSLContext *ctx)
180 { SSLErr err1, err2;
181
182 if(desc != alert_close_notify) {
183 errorLog1("SSLFatalSessionAlert: desc %d\n", desc);
184 }
185 //dprintf0("SSLFatalSessionAlert: going to state ErrorClose\n");
186 SSLChangeHdskState(ctx, SSLErrorClose);
187
188 /* Make session unresumable; I'm not stopping if I get an error,
189 because I'd like to attempt to send the alert anyway */
190 err1 = SSLDeleteSessionData(ctx);
191
192 /* Second, send the alert */
193 err2 = SSLSendAlert(alert_fatal, desc, ctx);
194
195 /* If they both returned errors, arbitrarily return the first */
196 return err1 != 0 ? err1 : err2;
197 }
mirror of Security