+/*
+ * Copyright (c) 1999-2001,2005-2008,2010-2012 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+/*
+ * sslUtils.c - Misc. SSL utility functions
+ */
+
+#include "sslContext.h"
+#include "sslUtils.h"
+#include "sslMemory.h"
+#include "sslDebug.h"
+
+#include <sys/time.h>
+
+#include <fcntl.h> // for open
+#include <unistd.h> // for read
+#include <errno.h> // for errno
+#include <Security/SecFramework.h>
+#include <Security/SecRandom.h>
+
+#ifndef NDEBUG
+void SSLDump(const unsigned char *data, unsigned long len)
+{
+ unsigned long i;
+ for(i=0;i<len;i++)
+ {
+ if((i&0xf)==0) printf("%04lx :",i);
+ printf(" %02x", data[i]);
+ if((i&0xf)==0xf) printf("\n");
+ }
+ printf("\n");
+}
+#endif
+
+unsigned int
+SSLDecodeInt(const uint8_t *p, size_t length)
+{
+ unsigned int val = 0;
+ assert(length > 0 && length <= 4); //anything else would be an internal error.
+ while (length--)
+ val = (val << 8) | *p++;
+ return val;
+}
+
+uint8_t *
+SSLEncodeInt(uint8_t *p, unsigned int value, size_t length)
+{
+ unsigned char *retVal = p + length; /* Return pointer to char after int */
+ assert(length > 0 && length <= 4); //anything else would be an internal error.
+ while (length--) /* Assemble backwards */
+ { p[length] = (uint8_t)value; /* Implicit masking to low byte */
+ value >>= 8;
+ }
+ return retVal;
+}
+
+size_t
+SSLDecodeSize(const uint8_t *p, size_t length)
+{
+ unsigned int val = 0;
+ assert(length > 0 && length <= 4); //anything else would be an internal error.
+ while (length--)
+ val = (val << 8) | *p++;
+ return val;
+}
+
+uint8_t *
+SSLEncodeSize(uint8_t *p, size_t value, size_t length)
+{
+ unsigned char *retVal = p + length; /* Return pointer to char after int */
+ assert(length > 0 && length <= 4); //anything else would be an internal error.
+ while (length--) /* Assemble backwards */
+ { p[length] = (uint8_t)value; /* Implicit masking to low byte */
+ value >>= 8;
+ }
+ return retVal;
+}
+
+
+uint8_t *
+SSLEncodeUInt64(uint8_t *p, sslUint64 value)
+{
+ p = SSLEncodeInt(p, value.high, 4);
+ return SSLEncodeInt(p, value.low, 4);
+}
+
+
+uint8_t *
+SSLEncodeHandshakeHeader(SSLContext *ctx, SSLRecord *rec, SSLHandshakeType type, size_t msglen)
+{
+ uint8_t *charPtr;
+
+ charPtr = rec->contents.data;
+ *charPtr++ = type;
+ charPtr = SSLEncodeSize(charPtr, msglen, 3);
+
+ if(rec->protocolVersion == DTLS_Version_1_0) {
+ charPtr = SSLEncodeInt(charPtr, ctx->hdskMessageSeq, 2);
+ /* fragmentation -- we encode header as if unfragmented,
+ actual fragmentation happens at lower layer. */
+ charPtr = SSLEncodeInt(charPtr, 0, 3);
+ charPtr = SSLEncodeSize(charPtr, msglen, 3);
+ }
+
+ return charPtr;
+}
+
+
+void
+IncrementUInt64(sslUint64 *v)
+{ if (++v->low == 0) /* Must have just rolled over */
+ ++v->high;
+}
+
+#if ENABLE_DTLS
+void
+SSLDecodeUInt64(const uint8_t *p, size_t length, sslUint64 *v)
+{
+ assert(length > 0 && length <= 8);
+ if(length<=4) {
+ v->low=SSLDecodeInt(p, length);
+ v->high=0;
+ } else {
+ v->high=SSLDecodeInt(p, length-4);
+ v->low=SSLDecodeInt(p+length-4, 4);
+ }
+}
+#endif
+
+#ifdef USE_SSLCERTIFICATE
+size_t
+SSLGetCertificateChainLength(const SSLCertificate *c)
+{
+ size_t rtn = 0;
+
+ while (c)
+ {
+ rtn++;
+ c = c->next;
+ }
+ return rtn;
+}
+
+OSStatus sslDeleteCertificateChain(
+ SSLCertificate *certs,
+ SSLContext *ctx)
+{
+ SSLCertificate *cert;
+ SSLCertificate *nextCert;
+
+ assert(ctx != NULL);
+ cert=certs;
+ while(cert != NULL) {
+ nextCert = cert->next;
+ SSLFreeBuffer(&cert->derCert, ctx);
+ sslFree(cert);
+ cert = nextCert;
+ }
+ return noErr;
+}
+#endif /* USE_SSLCERTIFICATE */
+
+Boolean sslIsSessionActive(const SSLContext *ctx)
+{
+ assert(ctx != NULL);
+ switch(ctx->state) {
+ case SSL_HdskStateUninit:
+ case SSL_HdskStateServerUninit:
+ case SSL_HdskStateClientUninit:
+ case SSL_HdskStateGracefulClose:
+ case SSL_HdskStateErrorClose:
+ return false;
+ default:
+ return true;
+ }
+}
+
+#if SSL_DEBUG
+
+const char *protocolVersStr(SSLProtocolVersion prot)
+{
+ switch(prot) {
+ case SSL_Version_Undetermined: return "SSL_Version_Undetermined";
+ case SSL_Version_2_0: return "SSL_Version_2_0";
+ case SSL_Version_3_0: return "SSL_Version_3_0";
+ case TLS_Version_1_0: return "TLS_Version_1_0";
+ case TLS_Version_1_1: return "TLS_Version_1_1";
+ case TLS_Version_1_2: return "TLS_Version_1_2";
+ default: sslErrorLog("protocolVersStr: bad prot\n"); return "BAD PROTOCOL";
+ }
+ return NULL; /* NOT REACHED */
+}
+
+#endif /* SSL_DEBUG */
+
+/*
+ * Redirect SSLBuffer-based I/O call to user-supplied I/O.
+ */
+OSStatus sslIoRead(
+ SSLBuffer buf,
+ size_t *actualLength,
+ SSLContext *ctx)
+{
+ size_t dataLength = buf.length;
+ OSStatus ortn;
+
+ *actualLength = 0;
+ ortn = (ctx->ioCtx.read)(ctx->ioCtx.ioRef,
+ buf.data,
+ &dataLength);
+ *actualLength = dataLength;
+ return ortn;
+}
+
+OSStatus sslIoWrite(
+ SSLBuffer buf,
+ size_t *actualLength,
+ SSLContext *ctx)
+{
+ size_t dataLength = buf.length;
+ OSStatus ortn;
+
+ *actualLength = 0;
+ ortn = (ctx->ioCtx.write)(ctx->ioCtx.ioRef,
+ buf.data,
+ &dataLength);
+ *actualLength = dataLength;
+ return ortn;
+}
+
+OSStatus sslTime(uint32_t *tim)
+{
+ time_t t;
+ time(&t);
+ *tim = (uint32_t)t;
+ return noErr;
+}
+
+/*
+ * Common RNG function.
+ */
+OSStatus sslRand(SSLContext *ctx, SSLBuffer *buf)
+{
+ assert(buf != NULL);
+ assert(buf->data != NULL);
+
+ if(buf->length == 0) {
+ sslErrorLog("sslRand: zero buf->length\n");
+ return noErr;
+ }
+
+ return SecRandomCopyBytes(kSecRandomDefault, buf->length, buf->data) ? errSSLCrypto : noErr;
+}
+
+/*
+ * Given a protocol version sent by peer, determine if we accept that version
+ * and downgrade if appropriate (which can not be done for the client side).
+ */
+OSStatus sslVerifyProtVersion(
+ SSLContext *ctx,
+ SSLProtocolVersion peerVersion, // sent by peer
+ SSLProtocolVersion *negVersion) // final negotiated version if return success
+{
+ if ((ctx->isDTLS)
+ ? peerVersion > ctx->minProtocolVersion
+ : peerVersion < ctx->minProtocolVersion) {
+ return errSSLNegotiation;
+ }
+ if ((ctx->isDTLS)
+ ? peerVersion < ctx->maxProtocolVersion
+ : peerVersion > ctx->maxProtocolVersion) {
+ if (ctx->protocolSide == kSSLClientSide) {
+ return errSSLNegotiation;
+ }
+ *negVersion = ctx->maxProtocolVersion;
+ } else {
+ *negVersion = peerVersion;
+ }
+
+ return noErr;
+}
+
+/*
+ * Determine max enabled protocol, i.e., the one we try to negotiate for.
+ * Only returns an error (paramErr) if NO protocols are enabled, which can
+ * in fact happen by malicious or ignorant use of SSLSetProtocolVersionEnabled().
+ */
+OSStatus sslGetMaxProtVersion(
+ SSLContext *ctx,
+ SSLProtocolVersion *version) // RETURNED
+{
+ /* This check is here until SSLSetProtocolVersionEnabled() is gone .*/
+ if (ctx->maxProtocolVersion == SSL_Version_Undetermined)
+ return badReqErr;
+
+ *version = ctx->maxProtocolVersion;
+ return noErr;
+}
projects / apple / security.git / blobdiff