--- /dev/null
+/*
+ * Copyright (c) 1999-2001,2005-2012 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+
+/*
+ * sslHandshake.c - SSL 3.0 handshake state machine.
+ */
+
+#include "sslContext.h"
+#include "sslHandshake.h"
+#include "sslMemory.h"
+#include "sslAlertMessage.h"
+#include "sslSession.h"
+#include "sslUtils.h"
+#include "sslDebug.h"
+#include "sslCrypto.h"
+
+#include "sslDigests.h"
+#include "cipherSpecs.h"
+
+#include <string.h>
+#include <assert.h>
+#include <inttypes.h>
+
+#define REQUEST_CERT_CORRECT 0
+
+#if __LP64__
+#define PRIstatus "d"
+#else
+#define PRIstatus "ld"
+#endif
+
+static OSStatus SSLProcessHandshakeMessage(SSLHandshakeMsg message, SSLContext *ctx);
+
+static OSStatus
+SSLUpdateHandshakeMacs(const SSLBuffer *messageData, SSLContext *ctx)
+{
+ OSStatus err = errSecParam;
+ bool do_md5 = false;
+ bool do_sha1 = false;
+ bool do_sha256 = false;
+ bool do_sha384 = false;
+
+ //TODO: We can stop updating the unecessary hashes once the CertVerify message is processed in case where we do Client Side Auth, or .
+
+ if(ctx->negProtocolVersion == SSL_Version_Undetermined)
+ {
+ // we dont know yet, so we might need MD5 & SHA1 - Server should always call in with known protocol version.
+ assert(ctx->protocolSide==kSSLClientSide);
+ do_md5 = do_sha1 = true;
+ if(ctx->isDTLS
+ ? ctx->maxProtocolVersion < DTLS_Version_1_0
+ : ctx->maxProtocolVersion >= TLS_Version_1_2)
+ {
+ // We wil need those too, unless we are sure we wont end up doing TLS 1.2
+ do_sha256 = do_sha384 = true;
+ }
+ } else {
+ // we know which version we use at this point
+ if(sslVersionIsLikeTls12(ctx)) {
+ do_sha1 = do_sha256 = do_sha384 = true;
+ } else {
+ do_md5 = do_sha1 = true;
+ }
+ }
+
+ if (do_md5 &&
+ (err = SSLHashMD5.update(&ctx->md5State, messageData)) != 0)
+ goto done;
+ if (do_sha1 &&
+ (err = SSLHashSHA1.update(&ctx->shaState, messageData)) != 0)
+ goto done;
+ if (do_sha256 &&
+ (err = SSLHashSHA256.update(&ctx->sha256State, messageData)) != 0)
+ goto done;
+ if (do_sha384 &&
+ (err = SSLHashSHA384.update(&ctx->sha512State, messageData)) != 0)
+ goto done;
+
+ sslLogNegotiateDebug("%s protocol: %02X max: %02X cipher: %02X%s%s",
+ ctx->protocolSide == kSSLClientSide ? "client" : "server",
+ ctx->negProtocolVersion,
+ ctx->maxProtocolVersion,
+ ctx->selectedCipher,
+ do_md5 ? " md5" : "",
+ do_sha1 ? " sha1" : "",
+ do_sha256 ? " sha256" : "",
+ do_sha384 ? " sha384" : "");
+done:
+ return err;
+}
+
+OSStatus
+SSLProcessHandshakeRecord(SSLRecord rec, SSLContext *ctx)
+{ OSStatus err;
+ size_t remaining;
+ UInt8 *p;
+ UInt8 *startingP; // top of record we're parsing
+ SSLHandshakeMsg message = {};
+ SSLBuffer messageData;
+
+ if (ctx->fragmentedMessageCache.data != 0)
+ {
+ size_t origLen = ctx->fragmentedMessageCache.length;
+ if ((err = SSLReallocBuffer(&ctx->fragmentedMessageCache,
+ ctx->fragmentedMessageCache.length + rec.contents.length,
+ ctx)) != 0)
+ { SSLFatalSessionAlert(SSL_AlertInternalError, ctx);
+ return err;
+ }
+ memcpy(ctx->fragmentedMessageCache.data + origLen,
+ rec.contents.data, rec.contents.length);
+ remaining = ctx->fragmentedMessageCache.length;
+ p = ctx->fragmentedMessageCache.data;
+ }
+ else
+ { remaining = rec.contents.length;
+ p = rec.contents.data;
+ }
+ startingP = p;
+
+ size_t head = 4;
+
+ while (remaining > 0)
+ {
+ if (remaining < head)
+ break; /* we must have at least a header */
+
+ messageData.data = p;
+ message.type = (SSLHandshakeType)*p++;
+ message.contents.length = SSLDecodeSize(p, 3);
+
+
+ p += 3;
+
+ if ((message.contents.length + head) > remaining)
+ break;
+
+ message.contents.data = p;
+ p += message.contents.length;
+ messageData.length = head + message.contents.length;
+ assert(p == messageData.data + messageData.length);
+
+ /* message fragmentation */
+ remaining -= messageData.length;
+ if ((err = SSLProcessHandshakeMessage(message, ctx)) != 0)
+ return err;
+
+ if (message.type != SSL_HdskHelloRequest)
+
+ { if ((err = SSLUpdateHandshakeMacs(&messageData, ctx)) != 0)
+ { SSLFatalSessionAlert(SSL_AlertInternalError, ctx);
+ return err;
+ }
+ }
+
+ if ((err = SSLAdvanceHandshake(message.type, ctx)) != 0)
+ return err;
+ }
+
+ if (remaining > 0) /* Fragmented handshake message */
+ { /* If there isn't a cache, allocate one */
+ if (ctx->fragmentedMessageCache.data == 0)
+ { if ((err = SSLAllocBuffer(&ctx->fragmentedMessageCache, remaining, ctx)) != 0)
+ { SSLFatalSessionAlert(SSL_AlertInternalError, ctx);
+ return err;
+ }
+ }
+ if (startingP != ctx->fragmentedMessageCache.data)
+ { memcpy(ctx->fragmentedMessageCache.data, startingP, remaining);
+ ctx->fragmentedMessageCache.length = remaining;
+ }
+ }
+ else if (ctx->fragmentedMessageCache.data != 0)
+ { if ((err = SSLFreeBuffer(&ctx->fragmentedMessageCache, ctx)) != 0)
+ { SSLFatalSessionAlert(SSL_AlertInternalError, ctx);
+ return err;
+ }
+ }
+
+ return noErr;
+}
+
+OSStatus
+DTLSProcessHandshakeRecord(SSLRecord rec, SSLContext *ctx)
+{ OSStatus err = errSecParam;
+ size_t remaining;
+ UInt8 *p;
+ UInt8 *startingP; // top of record we're parsing
+
+ const UInt32 head = 12;
+
+ assert(ctx->isDTLS);
+
+ remaining = rec.contents.length;
+ p = rec.contents.data;
+ startingP = p;
+
+ while (remaining > 0)
+ {
+ UInt8 msgtype;
+ UInt32 msglen;
+ UInt32 msgseq;
+ UInt32 fraglen;
+ UInt32 fragofs;
+
+ if (remaining < head) {
+ /* flush it - record is too small */
+ sslErrorLog("DTLSProcessHandshakeRecord: remaining too small (%lu out of %lu)\n", remaining, rec.contents.length);
+ assert(0); // keep this assert until we find a test case that triggers it
+ goto flushit;
+ }
+
+ /* Thats the 12 bytes of header : */
+ msgtype = (SSLHandshakeType)*p++;
+ msglen = SSLDecodeInt(p, 3); p+=3;
+ msgseq = SSLDecodeInt(p, 2); p+=2;
+ fragofs = SSLDecodeInt(p, 3); p+=3;
+ fraglen = SSLDecodeInt(p, 3); p+=3;
+
+ remaining -= head;
+
+ SSLLogHdskMsg(msgtype, 0);
+ sslHdskMsgDebug("DTLS Hdsk Record: type=%lu, len=%lu, seq=%lu (%lu), f_ofs=%lu, f_len=%lu, remaining=%lu",
+ msgtype, msglen, msgseq, ctx->hdskMessageSeqNext, fragofs, fraglen, remaining);
+
+ if(
+ ((fraglen+fragofs) > msglen)
+ || (fraglen > remaining)
+ || (msgseq!=ctx->hdskMessageSeqNext)
+ || (fragofs!=ctx->hdskMessageCurrentOfs)
+ || (fragofs && (msgtype!=ctx->hdskMessageCurrent.type))
+ || (fragofs && (msglen != ctx->hdskMessageCurrent.contents.length))
+ )
+ {
+ sslErrorLog("DTLSProcessHandshakeRecord: wrong fragment\n");
+ // assert(0); // keep this assert until we find a test case that triggers it
+ // This is a recoverable error, we just drop this fragment.
+ // TODO: this should probably trigger a retransmit
+ err = noErr;
+ goto flushit;
+ }
+
+ /* First fragment - allocate */
+ if(fragofs==0) {
+ sslHdskMsgDebug("Allocating hdsk buf for msg type %d", msgtype);
+ assert(ctx->hdskMessageCurrent.contents.data==NULL);
+ assert(ctx->hdskMessageCurrent.contents.length==0);
+ if((err=SSLAllocBuffer(&(ctx->hdskMessageCurrent.contents), msglen, ctx))!=0) {
+ SSLFatalSessionAlert(SSL_AlertInternalError, ctx);
+ return err;
+ }
+ ctx->hdskMessageCurrent.type = msgtype;
+ }
+
+ /* We have the next fragment, lets save it */
+ memcpy(ctx->hdskMessageCurrent.contents.data + ctx->hdskMessageCurrentOfs, p, fraglen);
+ ctx->hdskMessageCurrentOfs+=fraglen;
+ p+=fraglen;
+ remaining-=fraglen;
+
+ /* This was the last fragment, lets process the message */
+ if(ctx->hdskMessageCurrentOfs == ctx->hdskMessageCurrent.contents.length) {
+ err = SSLProcessHandshakeMessage(ctx->hdskMessageCurrent, ctx);
+ if(err)
+ goto flushit;
+
+ if ((msgtype != SSL_HdskHelloRequest) && (msgtype != SSL_HdskHelloVerifyRequest))
+ {
+ /* We need to hash a fake header as if no fragmentation */
+ uint8_t pseudo_header[head];
+ SSLBuffer header;
+ header.data=pseudo_header;
+ header.length=head;
+
+ pseudo_header[0]=msgtype;
+ SSLEncodeInt(pseudo_header+1, msglen, 3);
+ SSLEncodeInt(pseudo_header+4, msgseq, 2);
+ SSLEncodeInt(pseudo_header+6, 0, 3);
+ SSLEncodeInt(pseudo_header+9, msglen, 3);
+
+ if ((err = SSLHashSHA1.update(&ctx->shaState, &header)) != 0 ||
+ (err = SSLHashMD5.update(&ctx->md5State, &header)) != 0)
+ {
+ SSLFatalSessionAlert(SSL_AlertInternalError, ctx);
+ goto flushit;
+ }
+
+ SSLBuffer *messageData=&ctx->hdskMessageCurrent.contents;
+ if ((err = SSLHashSHA1.update(&ctx->shaState, messageData)) != 0 ||
+ (err = SSLHashMD5.update(&ctx->md5State, messageData)) != 0)
+ {
+ SSLFatalSessionAlert(SSL_AlertInternalError, ctx);
+ goto flushit;
+ }
+
+ sslHdskMsgDebug("Hashing %d bytes of msg seq %ld\n", messageData->length, msgseq);
+ }
+
+ sslHdskMsgDebug("processed message of type %d", msgtype);
+
+ if ((err = SSLAdvanceHandshake(msgtype, ctx)) != 0)
+ {
+ sslErrorLog("AdvanceHandshake error: %"PRIstatus"\n", err);
+ goto flushit;
+ }
+
+ /* Free the buffer for current message, and reset offset */
+ SSLFreeBuffer(&(ctx->hdskMessageCurrent.contents), ctx);
+ ctx->hdskMessageCurrentOfs=0;
+
+ /* If we successfully processed a message, we wait for the next one */
+ ctx->hdskMessageSeqNext++;
+
+ }
+
+ sslHdskMsgDebug("remaining = %ld", remaining);
+ }
+
+ return noErr;
+
+flushit:
+ sslErrorLog("DTLSProcessHandshakeRecord: flusing record (err=%"PRIstatus")\n", err);
+
+ /* This will flush the current handshake message */
+ SSLFreeBuffer(&(ctx->hdskMessageCurrent.contents), ctx);
+ ctx->hdskMessageCurrentOfs=0;
+
+ return err;
+}
+
+OSStatus
+DTLSRetransmit(SSLContext *ctx)
+{
+ sslHdskMsgDebug("DTLSRetransmit in state %s. Last Sent = %d, Last Recv=%d, timeout=%f\n",
+ hdskStateToStr(ctx->state), ctx->hdskMessageSeq, ctx->hdskMessageSeqNext, ctx->timeout_duration);
+
+ /* Too many retransmits, just give up!! */
+ if(ctx->hdskMessageRetryCount>10)
+ return errSSLConnectionRefused;
+
+ /* go back to previous cipher if retransmitting a flight including changecipherspec */
+ if(ctx->messageQueueContainsChangeCipherSpec) {
+ ctx->writePending = ctx->writeCipher;
+ ctx->writeCipher = ctx->prevCipher;
+ }
+
+ /* set timeout deadline */
+ ctx->hdskMessageRetryCount++;
+ ctx->timeout_deadline = CFAbsoluteTimeGetCurrent()+((1<<ctx->hdskMessageRetryCount)*ctx->timeout_duration);
+
+ /* Lets resend the last flight */
+ return SSLSendFlight(ctx);
+}
+
+static OSStatus
+SSLProcessHandshakeMessage(SSLHandshakeMsg message, SSLContext *ctx)
+{ OSStatus err;
+
+ err = noErr;
+ SSLLogHdskMsg(message.type, 0);
+ switch (message.type)
+ { case SSL_HdskHelloRequest:
+ if (ctx->protocolSide != kSSLClientSide)
+ goto wrongMessage;
+ if (message.contents.length > 0)
+ err = errSSLProtocol;
+ break;
+ case SSL_HdskClientHello:
+ if (ctx->state != SSL_HdskStateServerUninit)
+ goto wrongMessage;
+ err = SSLProcessClientHello(message.contents, ctx);
+ break;
+ case SSL_HdskServerHello:
+ if (ctx->state != SSL_HdskStateServerHello &&
+ ctx->state != SSL_HdskStateServerHelloUnknownVersion)
+ goto wrongMessage;
+ err = SSLProcessServerHello(message.contents, ctx);
+ break;
+#if ENABLE_DTLS
+ case SSL_HdskHelloVerifyRequest:
+ if (ctx->protocolSide != kSSLClientSide)
+ goto wrongMessage;
+ if(ctx->state != SSL_HdskStateServerHello)
+ goto wrongMessage;
+ /* TODO: Do we need to check the client state here ? */
+ err = SSLProcessServerHelloVerifyRequest(message.contents, ctx);
+ break;
+#endif
+ case SSL_HdskCert:
+ if (ctx->state != SSL_HdskStateCert &&
+ ctx->state != SSL_HdskStateClientCert)
+ goto wrongMessage;
+ err = SSLProcessCertificate(message.contents, ctx);
+ /*
+ * Note that cert evaluation can now be performed asynchronously,
+ * so SSLProcessCertificate may return errSSLWouldBlock here.
+ */
+ break;
+ case SSL_HdskCertRequest:
+ if (((ctx->state != SSL_HdskStateHelloDone) &&
+ (ctx->state != SSL_HdskStateKeyExchange))
+ || ctx->certRequested)
+ goto wrongMessage;
+ err = SSLProcessCertificateRequest(message.contents, ctx);
+ if (ctx->breakOnCertRequest)
+ ctx->signalCertRequest = true;
+ break;
+ case SSL_HdskServerKeyExchange:
+ /*
+ * Since this message is optional for some key exchange
+ * mechanisms, and completely at the server's discretion,
+ * we need to be able to handle this in one of two states...
+ */
+ switch(ctx->state) {
+ case SSL_HdskStateKeyExchange: /* explicitly waiting for this */
+ case SSL_HdskStateHelloDone:
+ break;
+ default:
+ goto wrongMessage;
+ }
+ err = SSLProcessServerKeyExchange(message.contents, ctx);
+ break;
+ case SSL_HdskServerHelloDone:
+ if (ctx->state != SSL_HdskStateHelloDone)
+ goto wrongMessage;
+ err = SSLProcessServerHelloDone(message.contents, ctx);
+ break;
+ case SSL_HdskCertVerify:
+ if (ctx->state != SSL_HdskStateClientCertVerify)
+ goto wrongMessage;
+ err = SSLProcessCertificateVerify(message.contents, ctx);
+ assert(ctx->protocolSide == kSSLServerSide);
+ if(err) {
+ ctx->clientCertState = kSSLClientCertRejected;
+ }
+ break;
+ case SSL_HdskClientKeyExchange:
+ if (ctx->state != SSL_HdskStateClientKeyExchange)
+ goto wrongMessage;
+ err = SSLProcessKeyExchange(message.contents, ctx);
+ break;
+ case SSL_HdskFinished:
+ if (ctx->state != SSL_HdskStateFinished)
+ goto wrongMessage;
+ err = SSLProcessFinished(message.contents, ctx);
+ break;
+ default:
+ goto wrongMessage;
+ break;
+ }
+
+ if (err && !ctx->sentFatalAlert)
+ { if (err == errSSLProtocol)
+ SSLFatalSessionAlert(SSL_AlertIllegalParam, ctx);
+ else if (err == errSSLNegotiation)
+ SSLFatalSessionAlert(SSL_AlertHandshakeFail, ctx);
+ else if (err != errSSLWouldBlock &&
+ err != errSSLServerAuthCompleted /* == errSSLClientAuthCompleted */ &&
+ err != errSSLClientCertRequested)
+ SSLFatalSessionAlert(SSL_AlertCloseNotify, ctx);
+ }
+ return err;
+
+wrongMessage:
+ SSLFatalSessionAlert(SSL_AlertUnexpectedMsg, ctx);
+ return errSSLProtocol;
+}
+
+/*
+ * Given a server-side SSLContext that's fully restored for a resumed session,
+ * queue up the remaining outgoing messages to finish the handshake.
+ */
+static OSStatus
+SSLResumeServerSide(
+ SSLContext *ctx)
+{
+ OSStatus err;
+ if ((err = SSLPrepareAndQueueMessage(SSLEncodeServerHello, ctx)) != 0)
+ return err;
+ if ((err = SSLInitPendingCiphers(ctx)) != 0)
+ { SSLFatalSessionAlert(SSL_AlertInternalError, ctx);
+ return err;
+ }
+ if ((err = SSLPrepareAndQueueMessage(SSLEncodeChangeCipherSpec,
+ ctx)) != 0)
+ return err;
+
+ if ((err = SSLPrepareAndQueueMessage(SSLEncodeFinishedMessage,
+ ctx)) != 0)
+ return err;
+
+ SSLChangeHdskState(ctx, SSL_HdskStateChangeCipherSpec);
+
+ return noErr;
+
+}
+
+OSStatus
+SSLAdvanceHandshake(SSLHandshakeType processed, SSLContext *ctx)
+{ OSStatus err;
+ SSLBuffer sessionIdentifier;
+
+ SSLResetFlight(ctx);
+
+ switch (processed)
+ {
+#if ENABLE_DTLS
+ case SSL_HdskHelloVerifyRequest:
+ /* Just fall through */
+#endif
+ case SSL_HdskHelloRequest:
+ /*
+ * Reset the client auth state machine in case this is
+ * a renegotiation.
+ */
+ ctx->certRequested = 0;
+ ctx->certSent = 0;
+ ctx->certReceived = 0;
+ ctx->x509Requested = 0;
+ ctx->clientCertState = kSSLClientCertNone;
+ ctx->readCipher.ready = 0;
+ ctx->writeCipher.ready = 0;
+ ctx->wroteAppData = 0;
+ if ((err = SSLPrepareAndQueueMessage(SSLEncodeClientHello, ctx)) != 0)
+ return err;
+ SSLChangeHdskState(ctx, SSL_HdskStateServerHello);
+ break;
+ case SSL_HdskClientHello:
+ assert(ctx->protocolSide == kSSLServerSide);
+ ctx->sessionMatch = 0;
+
+ if((ctx->negProtocolVersion==DTLS_Version_1_0) && (ctx->cookieVerified==false))
+ { /* Send Hello Verify Request */
+ if((err=SSLPrepareAndQueueMessage(SSLEncodeServerHelloVerifyRequest, ctx)) !=0 )
+ return err;
+ break;
+ }
+
+ #if SSL_PAC_SERVER_ENABLE
+ if((ctx->sessionTicket.data != NULL) &&
+ (ctx->masterSecretCallback != NULL)) {
+ /*
+ * Client sent us a session ticket and we know how to ask
+ * the app for master secret. Go for it.
+ */
+ size_t secretLen = SSL_MASTER_SECRET_SIZE;
+ sslEapDebug("Server side resuming based on masterSecretCallback");
+
+ /* the master secret callback requires serverRandom, now... */
+ if ((err = SSLEncodeRandom(ctx->serverRandom, ctx)) != 0)
+ return err;
+ ctx->serverRandomValid = 1;
+
+ ctx->masterSecretCallback(ctx, ctx->masterSecretArg,
+ ctx->masterSecret, &secretLen);
+ ctx->sessionMatch = 1;
+ /* set up selectedCipherSpec */
+ if ((err = FindCipherSpec(ctx)) != 0) {
+ return err;
+ }
+ /* queue up remaining messages to finish handshake */
+ if((err = SSLResumeServerSide(ctx)) != 0)
+ return err;
+ break;
+ }
+ #endif /* SSL_PAC_SERVER_ENABLE */
+ if (ctx->sessionID.data != 0)
+ /* If session ID != 0, client is trying to resume */
+ { if (ctx->resumableSession.data != 0)
+ {
+ SSLProtocolVersion sessionProt;
+ if ((err = SSLRetrieveSessionID(ctx->resumableSession,
+ &sessionIdentifier, ctx)) != 0)
+ return err;
+ if ((err = SSLRetrieveSessionProtocolVersion(ctx->resumableSession,
+ &sessionProt, ctx)) != 0)
+ { SSLFatalSessionAlert(SSL_AlertInternalError, ctx);
+ return err;
+ }
+ if ((sessionIdentifier.length == ctx->sessionID.length) &&
+ (memcmp(sessionIdentifier.data, ctx->sessionID.data,
+ ctx->sessionID.length) == 0) &&
+ (sessionProt == ctx->negProtocolVersion))
+ { /* Everything matches; resume the session */
+ sslLogResumSessDebug("===RESUMING SSL3 server-side session");
+ if ((err = SSLInstallSessionFromData(ctx->resumableSession,
+ ctx)) != 0)
+ { SSLFatalSessionAlert(SSL_AlertInternalError, ctx);
+ return err;
+ }
+ ctx->sessionMatch = 1;
+ SSLFreeBuffer(&sessionIdentifier, ctx);
+
+ /* queue up remaining messages to finish handshake */
+ if((err = SSLResumeServerSide(ctx)) != 0)
+ return err;
+ break;
+ }
+ else {
+ sslLogResumSessDebug(
+ "===FAILED TO RESUME SSL3 server-side session");
+ }
+ if ((err = SSLFreeBuffer(&sessionIdentifier, ctx)) != 0 ||
+ (err = SSLDeleteSessionData(ctx)) != 0)
+ { SSLFatalSessionAlert(SSL_AlertInternalError, ctx);
+ return err;
+ }
+ }
+ if ((err = SSLFreeBuffer(&ctx->sessionID, ctx)) != 0)
+ { SSLFatalSessionAlert(SSL_AlertInternalError, ctx);
+ return err;
+ }
+ }
+
+ /*
+ * If we get here, we're not resuming; generate a new session ID
+ * if we know our peer
+ */
+ if (ctx->peerID.data != 0)
+ { /* Ignore errors; just treat as uncached session */
+ assert(ctx->sessionID.data == 0);
+ err = SSLAllocBuffer(&ctx->sessionID, SSL_SESSION_ID_LEN, ctx);
+ if (err == 0)
+ {
+ if((err = sslRand(ctx, &ctx->sessionID)) != 0)
+ { SSLFatalSessionAlert(SSL_AlertInternalError, ctx);
+ return err;
+ }
+ }
+ }
+
+ if ((err = SSLPrepareAndQueueMessage(SSLEncodeServerHello, ctx)) != 0)
+ return err;
+ switch (ctx->selectedCipherSpec.keyExchangeMethod)
+ { case SSL_NULL_auth:
+ #if APPLE_DH
+ case SSL_DH_anon:
+ case SSL_DH_anon_EXPORT:
+ if(ctx->clientAuth == kAlwaysAuthenticate) {
+ /* app requires this; abort */
+ SSLFatalSessionAlert(SSL_AlertHandshakeFail, ctx);
+ return errSSLNegotiation;
+ }
+ ctx->tryClientAuth = false;
+ /* DH server side needs work */
+ break;
+ #endif /* APPLE_DH */
+ default: /* everything else */
+ if(ctx->localCert == NULL) {
+ /* no cert but configured for, and negotiated, a
+ * ciphersuite which requires one */
+ sslErrorLog("SSLAdvanceHandshake: No server key!\n");
+ return errSSLBadConfiguration;
+ }
+ if ((err = SSLPrepareAndQueueMessage(SSLEncodeCertificate,
+ ctx)) != 0)
+ return err;
+ break;
+ }
+ /*
+ * At this point we decide whether to send a server key exchange
+ * method. For Apple servers, I think we'll ALWAYS do this, because
+ * of key usage restrictions (can't decrypt and sign with the same
+ * private key), but conceptually in this code, we do it if
+ * enabled by the presence of encryptPrivKey.
+ */
+ {
+ bool doServerKeyExch = false;
+ switch(ctx->selectedCipherSpec.keyExchangeMethod) {
+ case SSL_RSA_EXPORT:
+ #if !SSL_SERVER_KEYEXCH_HACK
+ /* the "proper" way - app decides. */
+ case SSL_RSA:
+ #endif
+ if(ctx->encryptPrivKeyRef != NULL) {
+ doServerKeyExch = true;
+ }
+ break;
+ case SSL_DH_anon:
+ case SSL_DH_anon_EXPORT:
+ case SSL_DHE_RSA:
+ case SSL_DHE_RSA_EXPORT:
+ case SSL_DHE_DSS:
+ case SSL_DHE_DSS_EXPORT:
+ doServerKeyExch = true;
+ break;
+ default:
+ break;
+ }
+ if(doServerKeyExch) {
+ err = SSLPrepareAndQueueMessage(SSLEncodeServerKeyExchange, ctx);
+ if(err) {
+ return err;
+ }
+ }
+ }
+ if (ctx->tryClientAuth)
+ { if ((err = SSLPrepareAndQueueMessage(SSLEncodeCertificateRequest,
+ ctx)) != 0)
+ return err;
+ ctx->certRequested = 1;
+ ctx->clientCertState = kSSLClientCertRequested;
+ }
+ if ((err = SSLPrepareAndQueueMessage(SSLEncodeServerHelloDone, ctx)) != 0)
+ return err;
+ if (ctx->certRequested) {
+ SSLChangeHdskState(ctx, SSL_HdskStateClientCert);
+ }
+ else {
+ SSLChangeHdskState(ctx, SSL_HdskStateClientKeyExchange);
+ }
+ break;
+ case SSL_HdskServerHello:
+ ctx->sessionMatch = 0;
+ if (ctx->resumableSession.data != 0 && ctx->sessionID.data != 0)
+ {
+ SSLProtocolVersion sessionProt;
+ if ((err = SSLRetrieveSessionID(ctx->resumableSession,
+ &sessionIdentifier, ctx)) != 0)
+ { SSLFatalSessionAlert(SSL_AlertInternalError, ctx);
+ return err;
+ }
+ if ((err = SSLRetrieveSessionProtocolVersion(ctx->resumableSession,
+ &sessionProt, ctx)) != 0)
+ { SSLFatalSessionAlert(SSL_AlertInternalError, ctx);
+ return err;
+ }
+ if ((sessionIdentifier.length == ctx->sessionID.length) &&
+ (memcmp(sessionIdentifier.data, ctx->sessionID.data,
+ ctx->sessionID.length) == 0) &&
+ (sessionProt == ctx->negProtocolVersion))
+ { /* Everything matches; resume the session */
+ sslLogResumSessDebug("===RESUMING SSL3 client-side session");
+ if ((err = SSLInstallSessionFromData(ctx->resumableSession,
+ ctx)) != 0 ||
+ (err = SSLInitPendingCiphers(ctx)) != 0 ||
+ (err = SSLFreeBuffer(&sessionIdentifier, ctx)) != 0)
+ { SSLFatalSessionAlert(SSL_AlertInternalError, ctx);
+ return err;
+ }
+ ctx->sessionMatch = 1;
+ SSLChangeHdskState(ctx, SSL_HdskStateChangeCipherSpec);
+ break;
+ }
+ else {
+ sslLogResumSessDebug("===FAILED TO RESUME SSL3 client-side "
+ "session");
+ }
+ if ((err = SSLFreeBuffer(&sessionIdentifier, ctx)) != 0)
+ { SSLFatalSessionAlert(SSL_AlertInternalError, ctx);
+ return err;
+ }
+ }
+ switch (ctx->selectedCipherSpec.keyExchangeMethod)
+ {
+ /* these require a key exchange message */
+ case SSL_NULL_auth:
+ case SSL_DH_anon:
+ case SSL_DH_anon_EXPORT:
+ SSLChangeHdskState(ctx, SSL_HdskStateKeyExchange);
+ break;
+ case SSL_RSA:
+ case SSL_DH_DSS:
+ case SSL_DH_DSS_EXPORT:
+ case SSL_DH_RSA:
+ case SSL_DH_RSA_EXPORT:
+ case SSL_RSA_EXPORT:
+ case SSL_DHE_DSS:
+ case SSL_DHE_DSS_EXPORT:
+ case SSL_DHE_RSA:
+ case SSL_DHE_RSA_EXPORT:
+ case SSL_Fortezza:
+ case SSL_ECDH_ECDSA:
+ case SSL_ECDHE_ECDSA:
+ case SSL_ECDH_RSA:
+ case SSL_ECDHE_RSA:
+ SSLChangeHdskState(ctx, SSL_HdskStateCert);
+ break;
+ default:
+ assert("Unknown key exchange method");
+ break;
+ }
+ break;
+ case SSL_HdskCert:
+ if (ctx->state == SSL_HdskStateCert)
+ switch (ctx->selectedCipherSpec.keyExchangeMethod)
+ { case SSL_RSA:
+ /*
+ * I really think the two RSA cases should be
+ * handled the same here - the server key exchange is
+ * optional, and is up to the server.
+ * Note this isn't the same as SSL_SERVER_KEYEXCH_HACK;
+ * we're a client here.
+ */
+ case SSL_RSA_EXPORT:
+ case SSL_DH_DSS:
+ case SSL_DH_DSS_EXPORT:
+ case SSL_DH_RSA:
+ case SSL_DH_RSA_EXPORT:
+ case SSL_ECDH_ECDSA:
+ case SSL_ECDH_RSA:
+ SSLChangeHdskState(ctx, SSL_HdskStateHelloDone);
+ break;
+ case SSL_DHE_DSS:
+ case SSL_DHE_DSS_EXPORT:
+ case SSL_DHE_RSA:
+ case SSL_DHE_RSA_EXPORT:
+ case SSL_Fortezza:
+ case SSL_ECDHE_ECDSA:
+ case SSL_ECDHE_RSA:
+ SSLChangeHdskState(ctx, SSL_HdskStateKeyExchange);
+ break;
+ default:
+ assert("Unknown or unexpected key exchange method");
+ break;
+ }
+ else if (ctx->state == SSL_HdskStateClientCert)
+ { SSLChangeHdskState(ctx, SSL_HdskStateClientKeyExchange);
+ if (ctx->peerCert != 0)
+ ctx->certReceived = 1;
+ }
+ break;
+ case SSL_HdskCertRequest:
+ /* state stays in SSL_HdskStateHelloDone; distinction is in
+ * ctx->certRequested */
+ if (ctx->peerCert == 0)
+ { SSLFatalSessionAlert(SSL_AlertHandshakeFail, ctx);
+ return errSSLProtocol;
+ }
+ assert(ctx->protocolSide == kSSLClientSide);
+ ctx->certRequested = 1;
+ ctx->clientCertState = kSSLClientCertRequested;
+ break;
+ case SSL_HdskServerKeyExchange:
+ SSLChangeHdskState(ctx, SSL_HdskStateHelloDone);
+ break;
+ case SSL_HdskServerHelloDone:
+ /*
+ * Waiting until server has sent hello done to interrupt and allow
+ * setting client cert, so we can send certificate, keyexchange and
+ * cert verify message together
+ */
+ if (ctx->state != SSL_HdskStateClientCert) {
+ if (ctx->signalServerAuth) {
+ ctx->signalServerAuth = false;
+ SSLChangeHdskState(ctx, SSL_HdskStateClientCert);
+ return errSSLServerAuthCompleted;
+ } else if (ctx->signalCertRequest) {
+ ctx->signalCertRequest = false;
+ SSLChangeHdskState(ctx, SSL_HdskStateClientCert);
+ return errSSLClientCertRequested;
+ } else if (ctx->signalClientAuth) {
+ ctx->signalClientAuth = false;
+ return errSSLClientAuthCompleted;
+ }
+ }
+
+ if (ctx->clientCertState == kSSLClientCertRequested) {
+ /*
+ * Server wants a client authentication cert - do
+ * we have one?
+ */
+ if (ctx->localCert != 0 && ctx->x509Requested) {
+ if ((err = SSLPrepareAndQueueMessage(SSLEncodeCertificate,
+ ctx)) != 0) {
+ return err;
+ }
+ }
+ else {
+ /* response for no cert depends on protocol version */
+ if(ctx->negProtocolVersion >= TLS_Version_1_0) {
+ /* TLS: send empty cert msg */
+ if ((err = SSLPrepareAndQueueMessage(SSLEncodeCertificate,
+ ctx)) != 0) {
+ return err;
+ }
+ }
+ else {
+ /* SSL3: "no cert" alert */
+ if ((err = SSLSendAlert(SSL_AlertLevelWarning, SSL_AlertNoCert_RESERVED,
+ ctx)) != 0) {
+ return err;
+ }
+ }
+ } /* no cert to send */
+ } /* server requested a cert */
+ if ((err = SSLPrepareAndQueueMessage(SSLEncodeKeyExchange, ctx)) != 0)
+ return err;
+ assert(ctx->sslTslCalls != NULL);
+ if ((err = ctx->sslTslCalls->generateMasterSecret(ctx)) != 0 ||
+ (err = SSLInitPendingCiphers(ctx)) != 0)
+ { SSLFatalSessionAlert(SSL_AlertInternalError, ctx);
+ return err;
+ }
+ memset(ctx->preMasterSecret.data, 0, ctx->preMasterSecret.length);
+ if ((err = SSLFreeBuffer(&ctx->preMasterSecret, ctx)) != 0) {
+ return err;
+ }
+ if (ctx->certSent) {
+ /* Not all client auth mechanisms require a cert verify message */
+ switch(ctx->negAuthType) {
+ case SSLClientAuth_RSASign:
+ case SSLClientAuth_ECDSASign:
+ if ((err = SSLPrepareAndQueueMessage(SSLEncodeCertificateVerify,
+ ctx)) != 0) {
+ return err;
+ }
+ break;
+ default:
+ break;
+ }
+ }
+ if ((err = SSLPrepareAndQueueMessage(SSLEncodeChangeCipherSpec,
+ ctx)) != 0) {
+ return err;
+ }
+ if ((err = SSLPrepareAndQueueMessage(SSLEncodeFinishedMessage, ctx)) != 0)
+ return err;
+ SSLChangeHdskState(ctx, SSL_HdskStateChangeCipherSpec);
+ break;
+ case SSL_HdskCertVerify:
+ SSLChangeHdskState(ctx, SSL_HdskStateChangeCipherSpec);
+ break;
+ case SSL_HdskClientKeyExchange:
+ assert(ctx->sslTslCalls != NULL);
+ if ((err = ctx->sslTslCalls->generateMasterSecret(ctx)) != 0 ||
+ (err = SSLInitPendingCiphers(ctx)) != 0)
+ { SSLFatalSessionAlert(SSL_AlertInternalError, ctx);
+ return err;
+ }
+ memset(ctx->preMasterSecret.data, 0, ctx->preMasterSecret.length);
+ if ((err = SSLFreeBuffer(&ctx->preMasterSecret, ctx)) != 0)
+ return err;
+ if (ctx->certReceived) {
+ SSLChangeHdskState(ctx, SSL_HdskStateClientCertVerify);
+ }
+ else {
+ SSLChangeHdskState(ctx, SSL_HdskStateChangeCipherSpec);
+ }
+ break;
+ case SSL_HdskFinished:
+ /* Handshake is over; enable data transfer on read channel */
+ ctx->readCipher.ready = 1;
+ /* If writePending is set, we haven't yet sent a finished message;
+ * send it */
+ if (ctx->writePending.ready != 0)
+ { if ((err = SSLPrepareAndQueueMessage(SSLEncodeChangeCipherSpec,
+ ctx)) != 0)
+ return err;
+ if ((err = SSLPrepareAndQueueMessage(SSLEncodeFinishedMessage,
+ ctx)) != 0)
+ return err;
+ }
+ if (ctx->protocolSide == kSSLServerSide) {
+ SSLChangeHdskState(ctx, SSL_HdskStateServerReady);
+ }
+ else {
+ SSLChangeHdskState(ctx, SSL_HdskStateClientReady);
+ }
+ if ((ctx->peerID.data != 0) && (ctx->sessionTicket.data == NULL)) {
+ /* note we avoid caching session data for PAC-style resumption */
+ SSLAddSessionData(ctx);
+ }
+ break;
+ default:
+ assert(0);
+ break;
+ }
+
+ /* We should have a full flight when we reach here, sending it for the first time */
+ ctx->hdskMessageRetryCount = 0;
+ ctx->timeout_deadline = CFAbsoluteTimeGetCurrent() + ctx->timeout_duration;
+ return SSLSendFlight(ctx);
+}
+
+OSStatus
+SSLPrepareAndQueueMessage(EncodeMessageFunc msgFunc, SSLContext *ctx)
+{ OSStatus err;
+ SSLRecord rec = {0, 0, {0, NULL}};
+ WaitingMessage *out;
+ WaitingMessage *queue;
+
+ if ((err = msgFunc(&rec, ctx)) != 0)
+ { SSLFatalSessionAlert(SSL_AlertCloseNotify, ctx);
+ goto fail;
+ }
+
+ if (rec.contentType == SSL_RecordTypeHandshake)
+ {
+ if ((err = SSLUpdateHandshakeMacs(&rec.contents, ctx)) != 0)
+ { SSLFatalSessionAlert(SSL_AlertInternalError, ctx);
+ goto fail;
+ }
+ SSLLogHdskMsg((SSLHandshakeType)rec.contents.data[0], 1);
+ ctx->hdskMessageSeq++;
+ }
+
+ err=errSSLInternal;
+ out = (WaitingMessage *)sslMalloc(sizeof(WaitingMessage));
+ if(out==NULL) goto fail;
+
+ out->next = NULL;
+ out->rec = rec;
+
+ queue=ctx->messageWriteQueue;
+ if (queue == NULL) {
+ sslHdskMsgDebug("Queuing first message in flight\n");
+ ctx->messageWriteQueue = out;
+ } else {
+ int n=1;
+ while (queue->next != 0) {
+ queue = queue->next;
+ n++;
+ }
+ sslHdskMsgDebug("Queuing message %d in flight\n", n);
+ queue->next = out;
+ }
+
+ return noErr;
+fail:
+ SSLFreeBuffer(&rec.contents, ctx);
+ return err;
+}
+
+static
+OSStatus SSLSendMessage(SSLRecord rec, SSLContext *ctx)
+{
+ OSStatus err;
+
+ assert(ctx->sslTslCalls != NULL);
+
+ if ((err = ctx->sslTslCalls->writeRecord(rec, ctx)) != 0)
+ return err;
+ if(rec.contentType == SSL_RecordTypeChangeCipher) {
+ /* Install new cipher spec on write side */
+ if ((err = SSLDisposeCipherSuite(&ctx->writeCipher, ctx)) != 0)
+ { SSLFatalSessionAlert(SSL_AlertInternalError, ctx);
+ return err;
+ }
+ ctx->prevCipher = ctx->writeCipher;
+ ctx->writeCipher = ctx->writePending;
+ /* Can't send data until Finished is sent */
+ ctx->writeCipher.ready = 0;
+ ctx->wroteAppData = 0;
+
+ /* Zero out old data */
+ memset(&ctx->writePending, 0, sizeof(CipherContext));
+ ctx->writePending.encrypting = 1;
+
+ /* TODO: that should only happen after Finished message is sent. <rdar://problem/9682471> */
+ ctx->writeCipher.ready = 1;
+ }
+
+ return noErr;
+}
+
+static
+OSStatus DTLSSendMessage(SSLRecord rec, SSLContext *ctx)
+{
+ OSStatus err=noErr;
+
+ assert(ctx->sslTslCalls != NULL);
+
+ if(rec.contentType != SSL_RecordTypeHandshake) {
+ sslHdskMsgDebug("Not fragmenting message type=%d len=%d\n", rec.contentType, rec.contents.length);
+ if ((err = ctx->sslTslCalls->writeRecord(rec, ctx)) != 0)
+ return err;
+ if(rec.contentType == SSL_RecordTypeChangeCipher) {
+ /* Install new cipher spec on write side */
+ if ((err = SSLDisposeCipherSuite(&ctx->writeCipher, ctx)) != 0)
+ { SSLFatalSessionAlert(SSL_AlertInternalError, ctx);
+ return err;
+ }
+ ctx->prevCipher = ctx->writeCipher;
+ ctx->writeCipher = ctx->writePending;
+ /* Can't send data until Finished is sent */
+ ctx->writeCipher.ready = 0;
+ ctx->wroteAppData = 0;
+
+ /* Zero out old data */
+ memset(&ctx->writePending, 0, sizeof(CipherContext));
+ ctx->writePending.encrypting = 1;
+
+ /* TODO: that should only happen after Finished message is sent. See <rdar://problem/9682471> */
+ ctx->writeCipher.ready = 1;
+
+ }
+ } else {
+ /* fragmenting */
+ SSLRecord fragrec;
+
+ int msghead = 12; /* size of message header in DTLS */
+ size_t fraglen;
+ size_t len = rec.contents.length-msghead;
+ UInt32 seq = SSLDecodeInt(rec.contents.data+4, 2);
+ (void) seq; // Suppress warnings
+ size_t ofs = 0;
+
+ sslHdskMsgDebug("Fragmenting msg seq %ld (rl=%d, ml=%d)", seq, rec.contents.length,
+ SSLDecodeInt(rec.contents.data+1, 3));
+
+
+ SSLGetDatagramWriteSize(ctx, &fraglen);
+ fraglen -= msghead;
+
+ fragrec.contentType = rec.contentType;
+ fragrec.protocolVersion = rec.protocolVersion;
+ if((err=SSLAllocBuffer(&fragrec.contents, fraglen + msghead, ctx))!=0)
+ return err;
+
+ /* copy the constant part of the header */
+ memcpy(fragrec.contents.data,rec.contents.data, 6);
+
+ while(len>fraglen) {
+
+ sslHdskMsgDebug("Fragmenting msg seq %ld (o=%d,l=%d)", seq, ofs, fraglen);
+
+ /* fragment offset and fragment length */
+ SSLEncodeSize(fragrec.contents.data+6, ofs, 3);
+ SSLEncodeSize(fragrec.contents.data+9, fraglen, 3);
+ /* copy the payload */
+ memcpy(fragrec.contents.data+msghead, rec.contents.data+msghead+ofs, fraglen);
+ if ((err = ctx->sslTslCalls->writeRecord(fragrec, ctx)) != 0)
+ goto cleanup;
+ len-=fraglen;
+ ofs+=fraglen;
+ }
+
+ sslHdskMsgDebug("Fragmenting msg seq %ld - Last Fragment (o=%d,l=%d)", seq, ofs, len);
+
+ /* last fragment */
+ /* fragment offset and fragment length */
+ SSLEncodeSize(fragrec.contents.data+6, ofs, 3);
+ SSLEncodeSize(fragrec.contents.data+9, len, 3);
+ /* copy the payload */
+ memcpy(fragrec.contents.data+msghead, rec.contents.data+msghead+ofs, len);
+ fragrec.contents.length=len+msghead;
+ err = ctx->sslTslCalls->writeRecord(fragrec, ctx);
+
+ cleanup:
+ /* Free the allocated fragment buffer */
+ SSLFreeBuffer(&fragrec.contents, ctx);
+
+ }
+
+ return err;
+}
+
+
+OSStatus SSLResetFlight(SSLContext *ctx)
+{
+ OSStatus err;
+ WaitingMessage *queue;
+ WaitingMessage *next;
+ int n=0;
+
+ assert(ctx->sslTslCalls != NULL);
+
+ queue=ctx->messageWriteQueue;
+ ctx->messageQueueContainsChangeCipherSpec=false;
+
+ while(queue) {
+ n++;
+ err = SSLFreeBuffer(&queue->rec.contents, ctx);
+ if (err != 0)
+ goto fail;
+ next=queue->next;
+ sslFree(queue);
+ queue=next;
+ }
+
+ ctx->messageWriteQueue=NULL;
+
+ return noErr;
+fail:
+ assert(0);
+ return err;
+}
+
+
+OSStatus SSLSendFlight(SSLContext *ctx)
+{
+ OSStatus err;
+ WaitingMessage *queue;
+ int n=0;
+
+ assert(ctx->sslTslCalls != NULL);
+
+ queue=ctx->messageWriteQueue;
+
+ while(queue) {
+ if (ctx->isDTLS) {
+ err=DTLSSendMessage(queue->rec, ctx);
+ } else {
+ err=SSLSendMessage(queue->rec, ctx);
+ }
+ if (err != 0)
+ goto fail;
+ queue=queue->next;
+ n++;
+ }
+
+ return noErr;
+fail:
+ assert(0);
+ return err;
+}
+
+OSStatus
+SSL3ReceiveSSL2ClientHello(SSLRecord rec, SSLContext *ctx)
+{ OSStatus err;
+
+ if ((err = SSLInitMessageHashes(ctx)) != 0)
+ return err;
+
+ if ((err = SSLHashSHA1.update(&ctx->shaState, &rec.contents)) != 0 ||
+ (err = SSLHashMD5.update(&ctx->md5State, &rec.contents)) != 0)
+ { SSLFatalSessionAlert(SSL_AlertInternalError, ctx);
+ return err;
+ }
+
+ if ((err = SSLAdvanceHandshake(SSL_HdskClientHello, ctx)) != 0)
+ return err;
+
+ return noErr;
+}
+
+/* log changes in handshake state */
+#ifndef NDEBUG
+#include <stdio.h>
+
+char *hdskStateToStr(SSLHandshakeState state)
+{
+ static char badStr[100];
+
+ switch(state) {
+ case SSL_HdskStateUninit:
+ return "Uninit";
+ case SSL_HdskStateServerUninit:
+ return "ServerUninit";
+ case SSL_HdskStateClientUninit:
+ return "ClientUninit";
+ case SSL_HdskStateGracefulClose:
+ return "GracefulClose";
+ case SSL_HdskStateErrorClose:
+ return "ErrorClose";
+ case SSL_HdskStateNoNotifyClose:
+ return "NoNotifyClose";
+ case SSL_HdskStateServerHello:
+ return "ServerHello";
+ case SSL_HdskStateServerHelloUnknownVersion:
+ return "ServerHelloUnknownVersion";
+ case SSL_HdskStateKeyExchange:
+ return "KeyExchange";
+ case SSL_HdskStateCert:
+ return "Cert";
+ case SSL_HdskStateHelloDone:
+ return "HelloDone";
+ case SSL_HdskStateClientCert:
+ return "ClientCert";
+ case SSL_HdskStateClientKeyExchange:
+ return "ClientKeyExchange";
+ case SSL_HdskStateClientCertVerify:
+ return "ClientCertVerify";
+ case SSL_HdskStateChangeCipherSpec:
+ return "ChangeCipherSpec";
+ case SSL_HdskStateFinished:
+ return "Finished";
+ case SSL2_HdskStateClientMasterKey:
+ return "SSL2_ClientMasterKey";
+ case SSL2_HdskStateClientFinished:
+ return "SSL2_ClientFinished";
+ case SSL2_HdskStateServerHello:
+ return "SSL2_ServerHello";
+ case SSL2_HdskStateServerVerify:
+ return "SSL2_ServerVerify";
+ case SSL2_HdskStateServerFinished:
+ return "SSL2_ServerFinished";
+ case SSL_HdskStateServerReady:
+ return "SSL_ServerReady";
+ case SSL_HdskStateClientReady:
+ return "SSL_ClientReady";
+ default:
+ sprintf(badStr, "Unknown state (%d(d)", state);
+ return badStr;
+ }
+}
+
+void SSLChangeHdskState(SSLContext *ctx, SSLHandshakeState newState)
+{
+ /* FIXME - this ifndef should not be necessary */
+ #ifndef NDEBUG
+ sslHdskStateDebug("...hdskState = %s", hdskStateToStr(newState));
+ #endif
+ ctx->state = newState;
+}
+
+
+/* log handshake messages */
+
+static char *hdskMsgToStr(SSLHandshakeType msg)
+{
+ static char badStr[100];
+
+ switch(msg) {
+ case SSL_HdskHelloRequest:
+ return "SSL_HdskHelloRequest";
+ case SSL_HdskClientHello:
+ return "SSL_HdskClientHello";
+ case SSL_HdskServerHello:
+ return "SSL_HdskServerHello";
+ case SSL_HdskHelloVerifyRequest:
+ return "SSL_HdskHelloVerifyRequest";
+ case SSL_HdskCert:
+ return "SSL_HdskCert";
+ case SSL_HdskServerKeyExchange:
+ return "SSL_HdskServerKeyExchange";
+ case SSL_HdskCertRequest:
+ return "SSL_HdskCertRequest";
+ case SSL_HdskServerHelloDone:
+ return "SSL_HdskServerHelloDone";
+ case SSL_HdskCertVerify:
+ return "SSL_HdskCertVerify";
+ case SSL_HdskClientKeyExchange:
+ return "SSL_HdskClientKeyExchange";
+ case SSL_HdskFinished:
+ return "SSL_HdskFinished";
+ default:
+ sprintf(badStr, "Unknown msg (%d(d))", msg);
+ return badStr;
+ }
+}
+
+void SSLLogHdskMsg(SSLHandshakeType msg, char sent)
+{
+ sslHdskMsgDebug("---%s handshake msg %s",
+ hdskMsgToStr(msg), (sent ? "sent" : "recv"));
+}
+
+#endif /* NDEBUG */
+
projects / apple / security.git / blobdiff