+++ /dev/null
-/*
- * Copyright (c) 2000-2001 Apple Computer, Inc. All Rights Reserved.
- *
- * The contents of this file constitute Original Code as defined in and are
- * subject to the Apple Public Source License Version 1.2 (the 'License').
- * You may not use this file except in compliance with the License. Please obtain
- * a copy of the License at http://www.apple.com/publicsource and read it before
- * using this file.
- *
- * This Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS
- * OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, INCLUDING WITHOUT
- * LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
- * PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. Please see the License for the
- * specific language governing rights and limitations under the License.
- */
-
-
-/*
- File: sslContext.cpp
-
- Contains: SSLContext accessors
-
- Written by: Doug Mitchell
-
- Copyright: (c) 1999 by Apple Computer, Inc., all rights reserved.
-
-*/
-
-#include "ssl.h"
-#include "sslContext.h"
-#include "sslMemory.h"
-#include <CoreServices/../Frameworks/CarbonCore.framework/Headers/MacErrors.h>
-#include "sslDigests.h"
-#include "sslDebug.h"
-#include "appleCdsa.h"
-#include "sslKeychain.h"
-#include "sslUtils.h"
-#include "cipherSpecs.h"
-#include "appleSession.h"
-#include "sslBER.h"
-#include <string.h>
-#include <Security/SecCertificate.h>
-#include <Security/SecTrust.h>
-
-static void sslFreeDnList(
- SSLContext *ctx)
-{
- DNListElem *dn, *nextDN;
-
- dn = ctx->acceptableDNList;
- while (dn)
- {
- SSLFreeBuffer(dn->derDN, ctx);
- nextDN = dn->next;
- sslFree(dn);
- dn = nextDN;
- }
- ctx->acceptableDNList = NULL;
-}
-
-static OSStatus sslFreeTrustedRoots(
- SSLContext *ctx)
-{
- unsigned i;
-
- assert(ctx != NULL);
- if((ctx->numTrustedCerts == 0) || (ctx->trustedCerts == NULL)) {
- /* they really should both be zero, right? */
- assert((ctx->numTrustedCerts == 0) && (ctx->trustedCerts == NULL));
- }
- else {
- for(i=0; i<ctx->numTrustedCerts; i++) {
- stFreeCssmData(&ctx->trustedCerts[i], CSSM_FALSE);
- }
- sslFree(ctx->trustedCerts);
- }
- ctx->numTrustedCerts = 0;
- ctx->trustedCerts = NULL;
- sslFreeDnList(ctx);
- return noErr;
-}
-
-/*
- * Default version enables.
- */
-#define DEFAULT_SSL2_ENABLE true
-#define DEFAULT_SSL3_ENABLE true
-#define DEFAULT_TLS1_ENABLE true
-
-OSStatus
-SSLNewContext (Boolean isServer,
- SSLContextRef *contextPtr) /* RETURNED */
-{
- SSLContext *ctx;
- OSStatus serr;
-
- if(contextPtr == NULL) {
- return paramErr;
- }
- *contextPtr = NULL;
- ctx = (SSLContext *)sslMalloc(sizeof(SSLContext));
- if(ctx == NULL) {
- return memFullErr;
- }
- /* subsequent errors to errOut: */
-
- memset(ctx, 0, sizeof(SSLContext));
- ctx->state = SSL_HdskStateUninit;
- ctx->clientCertState = kSSLClientCertNone;
-
- ctx->versionSsl2Enable = DEFAULT_SSL2_ENABLE;
- ctx->versionSsl3Enable = DEFAULT_SSL3_ENABLE;
- ctx->versionTls1Enable = DEFAULT_TLS1_ENABLE;
- ctx->negProtocolVersion = SSL_Version_Undetermined;
-
- if(isServer) {
- ctx->protocolSide = SSL_ServerSide;
- }
- else {
- ctx->protocolSide = SSL_ClientSide;
- }
-
- /* Default value so we can send and receive hello msgs */
- ctx->sslTslCalls = &Ssl3Callouts;
-
- /* Initialize the cipher state to NULL_WITH_NULL_NULL */
- ctx->selectedCipherSpec = &SSL_NULL_WITH_NULL_NULL_CipherSpec;
- ctx->selectedCipher = ctx->selectedCipherSpec->cipherSpec;
- ctx->writeCipher.macRef = ctx->selectedCipherSpec->macAlgorithm;
- ctx->readCipher.macRef = ctx->selectedCipherSpec->macAlgorithm;
- ctx->readCipher.symCipher = ctx->selectedCipherSpec->cipher;
- ctx->writeCipher.symCipher = ctx->selectedCipherSpec->cipher;
-
- /* these two are invariant */
- ctx->writeCipher.encrypting = 1;
- ctx->writePending.encrypting = 1;
-
- /* this gets init'd on first call to SSLHandshake() */
- ctx->validCipherSpecs = NULL;
- ctx->numValidCipherSpecs = 0;
-
- ctx->peerDomainName = NULL;
- ctx->peerDomainNameLen = 0;
-
- /* attach to CSP, CL, TP */
- serr = attachToAll(ctx);
- if(serr) {
- goto errOut;
- }
-
- /* Initial cert verify state: verify with default system roots */
- ctx->enableCertVerify = true;
-
- /* Default for RSA blinding is ENABLED */
- ctx->rsaBlindingEnable = true;
-
- *contextPtr = ctx;
- return noErr;
-
-errOut:
- sslFree(ctx);
- return serr;
-}
-
-
-/*
- * Dispose of an SSLContext.
- */
-OSStatus
-SSLDisposeContext (SSLContext *ctx)
-{
- WaitingRecord *wait, *next;
- SSLBuffer buf;
-
- if(ctx == NULL) {
- return paramErr;
- }
- sslDeleteCertificateChain(ctx->localCert, ctx);
- sslDeleteCertificateChain(ctx->encryptCert, ctx);
- sslDeleteCertificateChain(ctx->peerCert, ctx);
- ctx->localCert = ctx->encryptCert = ctx->peerCert = NULL;
- SSLFreeBuffer(ctx->partialReadBuffer, ctx);
- if(ctx->peerSecTrust) {
- CFRelease(ctx->peerSecTrust);
- ctx->peerSecTrust = NULL;
- }
- wait = ctx->recordWriteQueue;
- while (wait)
- { SSLFreeBuffer(wait->data, ctx);
- next = wait->next;
- buf.data = (uint8*)wait;
- buf.length = sizeof(WaitingRecord);
- SSLFreeBuffer(buf, ctx);
- wait = next;
- }
-
- #if APPLE_DH
- SSLFreeBuffer(ctx->dhParamsPrime, ctx);
- SSLFreeBuffer(ctx->dhParamsGenerator, ctx);
- SSLFreeBuffer(ctx->dhParamsEncoded, ctx);
- SSLFreeBuffer(ctx->dhPeerPublic, ctx);
- SSLFreeBuffer(ctx->dhExchangePublic, ctx);
- sslFreeKey(ctx->cspHand, &ctx->dhPrivate, NULL);
- #endif /* APPLE_DH */
-
- CloseHash(SSLHashSHA1, ctx->shaState, ctx);
- CloseHash(SSLHashMD5, ctx->md5State, ctx);
-
- SSLFreeBuffer(ctx->sessionID, ctx);
- SSLFreeBuffer(ctx->peerID, ctx);
- SSLFreeBuffer(ctx->resumableSession, ctx);
- SSLFreeBuffer(ctx->preMasterSecret, ctx);
- SSLFreeBuffer(ctx->partialReadBuffer, ctx);
- SSLFreeBuffer(ctx->fragmentedMessageCache, ctx);
- SSLFreeBuffer(ctx->receivedDataBuffer, ctx);
-
- if(ctx->peerDomainName) {
- sslFree(ctx->peerDomainName);
- ctx->peerDomainName = NULL;
- ctx->peerDomainNameLen = 0;
- }
- SSLDisposeCipherSuite(&ctx->readCipher, ctx);
- SSLDisposeCipherSuite(&ctx->writeCipher, ctx);
- SSLDisposeCipherSuite(&ctx->readPending, ctx);
- SSLDisposeCipherSuite(&ctx->writePending, ctx);
-
- sslFree(ctx->validCipherSpecs);
- ctx->validCipherSpecs = NULL;
- ctx->numValidCipherSpecs = 0;
-
- /*
- * NOTE: currently, all public keys come from the CL via CSSM_CL_CertGetKeyInfo.
- * We really don't know what CSP the CL used to generate a public key (in fact,
- * it uses the raw CSP only to get LogicalKeySizeInBits, but we can't know
- * that). Thus using e.g. signingKeyCsp (or any other CSP) to free
- * signingPubKey is not tecnically accurate. However, our public keys
- * are all raw keys, and all Apple CSPs dispose of raw keys in the same
- * way.
- */
- sslFreeKey(ctx->cspHand, &ctx->signingPubKey, NULL);
- sslFreeKey(ctx->cspHand, &ctx->encryptPubKey, NULL);
- sslFreeKey(ctx->peerPubKeyCsp, &ctx->peerPubKey, NULL);
-
- if(ctx->signingPrivKeyRef) {
- CFRelease(ctx->signingPrivKeyRef);
- }
- if(ctx->encryptPrivKeyRef) {
- CFRelease(ctx->encryptPrivKeyRef);
- }
- sslFreeTrustedRoots(ctx);
-
- detachFromAll(ctx);
-
- memset(ctx, 0, sizeof(SSLContext));
- sslFree(ctx);
- sslCleanupSession();
- return noErr;
-}
-
-/*
- * Determine the state of an SSL session.
- */
-OSStatus
-SSLGetSessionState (SSLContextRef context,
- SSLSessionState *state) /* RETURNED */
-{
- SSLSessionState rtnState = kSSLIdle;
-
- if(context == NULL) {
- return paramErr;
- }
- *state = rtnState;
- switch(context->state) {
- case SSL_HdskStateUninit:
- case SSL_HdskStateServerUninit:
- case SSL_HdskStateClientUninit:
- rtnState = kSSLIdle;
- break;
- case SSL_HdskStateGracefulClose:
- rtnState = kSSLClosed;
- break;
- case SSL_HdskStateErrorClose:
- case SSL_HdskStateNoNotifyClose:
- rtnState = kSSLAborted;
- break;
- case SSL_HdskStateServerReady:
- case SSL_HdskStateClientReady:
- rtnState = kSSLConnected;
- break;
- default:
- assert((context->state >= SSL_HdskStateServerHello) &&
- (context->state <= SSL2_HdskStateServerFinished));
- rtnState = kSSLHandshake;
- break;
-
- }
- *state = rtnState;
- return noErr;
-}
-
-OSStatus
-SSLSetIOFuncs (SSLContextRef ctx,
- SSLReadFunc read,
- SSLWriteFunc write)
-{
- if(ctx == NULL) {
- return paramErr;
- }
- if(sslIsSessionActive(ctx)) {
- /* can't do this with an active session */
- return badReqErr;
- }
- ctx->ioCtx.read = read;
- ctx->ioCtx.write = write;
- return noErr;
-}
-
-OSStatus
-SSLSetConnection (SSLContextRef ctx,
- SSLConnectionRef connection)
-{
- if(ctx == NULL) {
- return paramErr;
- }
- if(sslIsSessionActive(ctx)) {
- /* can't do this with an active session */
- return badReqErr;
- }
- ctx->ioCtx.ioRef = connection;
- return noErr;
-}
-
-OSStatus
-SSLGetConnection (SSLContextRef ctx,
- SSLConnectionRef *connection)
-{
- if((ctx == NULL) || (connection == NULL)) {
- return paramErr;
- }
- *connection = ctx->ioCtx.ioRef;
- return noErr;
-}
-
-OSStatus
-SSLSetPeerDomainName (SSLContextRef ctx,
- const char *peerName,
- size_t peerNameLen)
-{
- if(ctx == NULL) {
- return paramErr;
- }
- if(sslIsSessionActive(ctx)) {
- /* can't do this with an active session */
- return badReqErr;
- }
-
- /* free possible existing name */
- if(ctx->peerDomainName) {
- sslFree(ctx->peerDomainName);
- }
-
- /* copy in */
- ctx->peerDomainName = (char *)sslMalloc(peerNameLen);
- if(ctx->peerDomainName == NULL) {
- return memFullErr;
- }
- memmove(ctx->peerDomainName, peerName, peerNameLen);
- ctx->peerDomainNameLen = peerNameLen;
- return noErr;
-}
-
-/*
- * Determine the buffer size needed for SSLGetPeerDomainName().
- */
-OSStatus
-SSLGetPeerDomainNameLength (SSLContextRef ctx,
- size_t *peerNameLen) // RETURNED
-{
- if(ctx == NULL) {
- return paramErr;
- }
- *peerNameLen = ctx->peerDomainNameLen;
- return noErr;
-}
-
-OSStatus
-SSLGetPeerDomainName (SSLContextRef ctx,
- char *peerName, // returned here
- size_t *peerNameLen) // IN/OUT
-{
- if(ctx == NULL) {
- return paramErr;
- }
- if(*peerNameLen < ctx->peerDomainNameLen) {
- return errSSLBufferOverflow;
- }
- memmove(peerName, ctx->peerDomainName, ctx->peerDomainNameLen);
- *peerNameLen = ctx->peerDomainNameLen;
- return noErr;
-}
-
-/* concert between private SSLProtocolVersion and public SSLProtocol */
-static SSLProtocol convertProtToExtern(SSLProtocolVersion prot)
-{
- switch(prot) {
- case SSL_Version_Undetermined:
- return kSSLProtocolUnknown;
- case SSL_Version_2_0:
- return kSSLProtocol2;
- case SSL_Version_3_0:
- return kSSLProtocol3;
- case TLS_Version_1_0:
- return kTLSProtocol1;
- default:
- sslErrorLog("convertProtToExtern: bad prot\n");
- return kSSLProtocolUnknown;
- }
- /* not reached but make compiler happy */
- return kSSLProtocolUnknown;
-}
-
-OSStatus
-SSLSetProtocolVersionEnabled(SSLContextRef ctx,
- SSLProtocol protocol,
- Boolean enable) /* RETURNED */
-{
- if(ctx == NULL) {
- return paramErr;
- }
- if(sslIsSessionActive(ctx)) {
- /* can't do this with an active session */
- return badReqErr;
- }
- switch(protocol) {
- case kSSLProtocol2:
- ctx->versionSsl2Enable = enable;
- break;
- case kSSLProtocol3:
- ctx->versionSsl3Enable = enable;
- break;
- case kTLSProtocol1:
- ctx->versionTls1Enable = enable;
- break;
- case kSSLProtocolAll:
- ctx->versionTls1Enable = ctx->versionSsl3Enable =
- ctx->versionSsl2Enable = enable;
- break;
- default:
- return paramErr;
- }
- return noErr;
-}
-
-OSStatus
-SSLGetProtocolVersionEnabled(SSLContextRef ctx,
- SSLProtocol protocol,
- Boolean *enable) /* RETURNED */
-{
- if(ctx == NULL) {
- return paramErr;
- }
- switch(protocol) {
- case kSSLProtocol2:
- *enable = ctx->versionSsl2Enable;
- break;
- case kSSLProtocol3:
- *enable = ctx->versionSsl3Enable;
- break;
- case kTLSProtocol1:
- *enable = ctx->versionTls1Enable;
- break;
- case kSSLProtocolAll:
- if(ctx->versionTls1Enable && ctx->versionSsl3Enable &&
- ctx->versionSsl2Enable) {
- *enable = true;
- }
- else {
- *enable = false;
- }
- break;
- default:
- return paramErr;
- }
- return noErr;
-}
-
-/* deprecated */
-OSStatus
-SSLSetProtocolVersion (SSLContextRef ctx,
- SSLProtocol version)
-{
- if(ctx == NULL) {
- return paramErr;
- }
- if(sslIsSessionActive(ctx)) {
- /* can't do this with an active session */
- return badReqErr;
- }
-
- /* convert external representation to three booleans */
- switch(version) {
- case kSSLProtocolUnknown:
- ctx->versionSsl2Enable = DEFAULT_SSL2_ENABLE;
- ctx->versionSsl3Enable = DEFAULT_SSL3_ENABLE;
- ctx->versionTls1Enable = DEFAULT_TLS1_ENABLE;
- break;
- case kSSLProtocol2:
- ctx->versionSsl2Enable = true;
- ctx->versionSsl3Enable = false;
- ctx->versionTls1Enable = false;
- break;
- case kSSLProtocol3:
- /* this tells us to do our best, up to 3.0, but allows 2.0 */
- ctx->versionSsl2Enable = true;
- ctx->versionSsl3Enable = true;
- ctx->versionTls1Enable = false;
- break;
- case kSSLProtocol3Only:
- ctx->versionSsl2Enable = false;
- ctx->versionSsl3Enable = true;
- ctx->versionTls1Enable = false;
- break;
- case kTLSProtocol1:
- case kSSLProtocolAll:
- /* this tells us to do our best, up to TLS, but allows 2.0 or 3.0 */
- ctx->versionSsl2Enable = true;
- ctx->versionSsl3Enable = true;
- ctx->versionTls1Enable = true;
- break;
- case kTLSProtocol1Only:
- ctx->versionSsl2Enable = false;
- ctx->versionSsl3Enable = false;
- ctx->versionTls1Enable = true;
- break;
- default:
- return paramErr;
- }
- return noErr;
-}
-
-/* deprecated */
-OSStatus
-SSLGetProtocolVersion (SSLContextRef ctx,
- SSLProtocol *protocol) /* RETURNED */
-{
- if(ctx == NULL) {
- return paramErr;
- }
-
- /* translate array of booleans to public value; not all combinations
- * are legal (i.e., meaningful) for this call */
- if(ctx->versionTls1Enable) {
- if(ctx->versionSsl2Enable) {
- if(ctx->versionSsl3Enable) {
- /* traditional 'all enabled' */
- *protocol = kTLSProtocol1;
- return noErr;
- }
- else {
- /* SSL2 true, SSL3 false, TLS1 true - invalid here */
- return paramErr;
- }
- }
- else if(ctx->versionSsl3Enable) {
- /* SSL2 false, SSL3 true, TLS1 true - invalid here */
- return paramErr;
- }
- else {
- *protocol = kTLSProtocol1Only;
- return noErr;
- }
- }
- else {
- /* TLS1 false */
- if(ctx->versionSsl3Enable) {
- *protocol = ctx->versionSsl2Enable ?
- kSSLProtocol3 : kSSLProtocol3Only;
- return noErr;
- }
- else if(ctx->versionSsl2Enable) {
- *protocol = kSSLProtocol2;
- return noErr;
- }
- else {
- /*
- * Bogus state - no enables - the API does provide a way
- * to get into this state. Other than this path, the app
- * will discover this bogon when attempting to do the
- * handshake; sslGetMaxProtVersion will detect this.
- */
- return paramErr;
- }
- }
- /* NOT REACHED */
-}
-
-OSStatus
-SSLGetNegotiatedProtocolVersion (SSLContextRef ctx,
- SSLProtocol *protocol) /* RETURNED */
-{
- if(ctx == NULL) {
- return paramErr;
- }
- *protocol = convertProtToExtern(ctx->negProtocolVersion);
- return noErr;
-}
-
-OSStatus
-SSLSetEnableCertVerify (SSLContextRef ctx,
- Boolean enableVerify)
-{
- if(ctx == NULL) {
- return paramErr;
- }
- sslCertDebug("SSLSetEnableCertVerify %s",
- enableVerify ? "true" : "false");
- if(sslIsSessionActive(ctx)) {
- /* can't do this with an active session */
- return badReqErr;
- }
- ctx->enableCertVerify = enableVerify;
- return noErr;
-}
-
-OSStatus
-SSLGetEnableCertVerify (SSLContextRef ctx,
- Boolean *enableVerify)
-{
- if(ctx == NULL) {
- return paramErr;
- }
- *enableVerify = ctx->enableCertVerify;
- return noErr;
-}
-
-OSStatus
-SSLSetAllowsExpiredCerts(SSLContextRef ctx,
- Boolean allowExpired)
-{
- if(ctx == NULL) {
- return paramErr;
- }
- sslCertDebug("SSLSetAllowsExpiredCerts %s",
- allowExpired ? "true" : "false");
- if(sslIsSessionActive(ctx)) {
- /* can't do this with an active session */
- return badReqErr;
- }
- ctx->allowExpiredCerts = allowExpired;
- return noErr;
-}
-
-OSStatus
-SSLGetAllowsExpiredCerts (SSLContextRef ctx,
- Boolean *allowExpired)
-{
- if(ctx == NULL) {
- return paramErr;
- }
- *allowExpired = ctx->allowExpiredCerts;
- return noErr;
-}
-
-OSStatus
-SSLSetAllowsExpiredRoots(SSLContextRef ctx,
- Boolean allowExpired)
-{
- if(ctx == NULL) {
- return paramErr;
- }
- sslCertDebug("SSLSetAllowsExpiredRoots %s",
- allowExpired ? "true" : "false");
- if(sslIsSessionActive(ctx)) {
- /* can't do this with an active session */
- return badReqErr;
- }
- ctx->allowExpiredRoots = allowExpired;
- return noErr;
-}
-
-OSStatus
-SSLGetAllowsExpiredRoots (SSLContextRef ctx,
- Boolean *allowExpired)
-{
- if(ctx == NULL) {
- return paramErr;
- }
- *allowExpired = ctx->allowExpiredRoots;
- return noErr;
-}
-
-OSStatus SSLSetAllowsAnyRoot(
- SSLContextRef ctx,
- Boolean anyRoot)
-{
- if(ctx == NULL) {
- return paramErr;
- }
- sslCertDebug("SSLSetAllowsAnyRoot %s", anyRoot ? "true" : "false");
- ctx->allowAnyRoot = anyRoot;
- return noErr;
-}
-
-OSStatus
-SSLGetAllowsAnyRoot(
- SSLContextRef ctx,
- Boolean *anyRoot)
-{
- if(ctx == NULL) {
- return paramErr;
- }
- *anyRoot = ctx->allowAnyRoot;
- return noErr;
-}
-
-OSStatus
-SSLSetTrustedRoots (SSLContextRef ctx,
- CFArrayRef trustedRoots,
- Boolean replaceExisting)
-{
- unsigned dex;
- unsigned outDex;
- unsigned numIncoming;
- uint32 numCerts;
- CSSM_DATA_PTR newRoots = NULL;
- const CSSM_DATA *existAnchors = NULL;
- uint32 numExistAnchors = 0;
- OSStatus ortn = noErr;
-
- if(ctx == NULL) {
- return paramErr;
- }
- if(sslIsSessionActive(ctx)) {
- /* can't do this with an active session */
- return badReqErr;
- }
- numCerts = numIncoming = CFArrayGetCount(trustedRoots);
- sslCertDebug("SSLSetTrustedRoot numCerts %d replaceExist %s",
- (int)numCerts, replaceExisting ? "true" : "false");
- if(!replaceExisting) {
- if(ctx->trustedCerts != NULL) {
- /* adding to existing store */
- existAnchors = ctx->trustedCerts;
- numExistAnchors = ctx->numTrustedCerts;
- }
- else {
- /* adding to system roots */
- ortn = SecTrustGetCSSMAnchorCertificates(&existAnchors,
- &numExistAnchors);
- if(ortn) {
- /* should never happen */
- return ortn;
- }
- }
- numCerts += numExistAnchors;
- }
- newRoots = (CSSM_DATA_PTR)sslMalloc(numCerts * sizeof(CSSM_DATA));
- memset(newRoots, 0, numCerts * sizeof(CSSM_DATA));
-
- /* Caller's certs first */
- for(dex=0, outDex=0; dex<numIncoming; dex++, outDex++) {
- CSSM_DATA certData;
- SecCertificateRef secCert = (SecCertificateRef)
- CFArrayGetValueAtIndex(trustedRoots, dex);
-
- if(CFGetTypeID(secCert) != SecCertificateGetTypeID()) {
- /* elements of trustedRoots must be SecCertificateRefs */
- ortn = paramErr;
- goto abort;
- }
- ortn = SecCertificateGetData(secCert, &certData);
- if(ortn) {
- goto abort;
- }
- stSetUpCssmData(&newRoots[outDex], certData.Length);
- memmove(newRoots[outDex].Data, certData.Data, certData.Length);
- }
-
- /* now existing roots - either ours, or the system's */
- for(dex=0; dex<numExistAnchors; dex++, outDex++) {
- stSetUpCssmData(&newRoots[outDex], existAnchors[dex].Length);
- memmove(newRoots[outDex].Data, existAnchors[dex].Data,
- existAnchors[dex].Length);
- }
-
- /* success - replace context values */
- sslFreeTrustedRoots(ctx);
- ctx->numTrustedCerts = numCerts;
- ctx->trustedCerts = newRoots;
- return noErr;
-
-abort:
- sslFree(newRoots);
- return ortn;
-}
-
-OSStatus
-SSLGetTrustedRoots (SSLContextRef ctx,
- CFArrayRef *trustedRoots) /* RETURNED */
-{
- uint32 numCerts;
- const CSSM_DATA *certs;
- CFMutableArrayRef certArray;
- unsigned dex;
- SecCertificateRef secCert;
- OSStatus ortn;
-
- if(ctx == NULL) {
- return paramErr;
- }
- if(ctx->trustedCerts != NULL) {
- /* use ours */
- certs = ctx->trustedCerts;
- numCerts = ctx->numTrustedCerts;
- }
- else {
- /* use default system roots */
- OSStatus ortn = SecTrustGetCSSMAnchorCertificates(&certs,
- &numCerts);
- if(ortn) {
- /* should never happen */
- return ortn;
- }
- }
-
- certArray = CFArrayCreateMutable(kCFAllocatorDefault,
- (CFIndex)numCerts, &kCFTypeArrayCallBacks);
- if(certArray == NULL) {
- return memFullErr;
- }
- for(dex=0; dex<numCerts; dex++) {
- ortn = SecCertificateCreateFromData(&certs[dex],
- CSSM_CERT_X_509v3,
- CSSM_CERT_ENCODING_DER,
- &secCert);
- if(ortn) {
- CFRelease(certArray);
- return ortn;
- }
- CFArrayAppendValue(certArray, secCert);
- }
- *trustedRoots = certArray;
- return noErr;
-}
-
-OSStatus
-SSLSetClientSideAuthenticate (SSLContext *ctx,
- SSLAuthenticate auth)
-{
- if(ctx == NULL) {
- return paramErr;
- }
- if(sslIsSessionActive(ctx)) {
- /* can't do this with an active session */
- return badReqErr;
- }
- ctx->clientAuth = auth;
- switch(auth) {
- case kNeverAuthenticate:
- ctx->tryClientAuth = false;
- break;
- case kAlwaysAuthenticate:
- case kTryAuthenticate:
- ctx->tryClientAuth = true;
- break;
- }
- return noErr;
-}
-
-OSStatus
-SSLGetClientCertificateState (SSLContextRef ctx,
- SSLClientCertificateState *clientState)
-{
- if(ctx == NULL) {
- return paramErr;
- }
- *clientState = ctx->clientCertState;
- return noErr;
-}
-
-OSStatus
-SSLSetCertificate (SSLContextRef ctx,
- CFArrayRef certRefs)
-{
- /*
- * -- free localCerts if we have any
- * -- Get raw cert data, convert to ctx->localCert
- * -- get pub, priv keys from certRef[0]
- * -- validate cert chain
- */
- if(ctx == NULL) {
- return paramErr;
- }
- if(sslIsSessionActive(ctx)) {
- /* can't do this with an active session */
- return badReqErr;
- }
- return parseIncomingCerts(ctx,
- certRefs,
- &ctx->localCert,
- &ctx->signingPubKey,
- &ctx->signingPrivKeyRef);
-}
-
-OSStatus
-SSLSetEncryptionCertificate (SSLContextRef ctx,
- CFArrayRef certRefs)
-{
- /*
- * -- free encryptCert if we have any
- * -- Get raw cert data, convert to ctx->encryptCert
- * -- get pub, priv keys from certRef[0]
- * -- validate cert chain
- */
- if(ctx == NULL) {
- return paramErr;
- }
- if(sslIsSessionActive(ctx)) {
- /* can't do this with an active session */
- return badReqErr;
- }
- return parseIncomingCerts(ctx,
- certRefs,
- &ctx->encryptCert,
- &ctx->encryptPubKey,
- &ctx->encryptPrivKeyRef);
-}
-
-OSStatus
-SSLSetPeerID (SSLContext *ctx,
- const void *peerID,
- size_t peerIDLen)
-{
- OSStatus serr;
-
- /* copy peerId to context->peerId */
- if((ctx == NULL) ||
- (peerID == NULL) ||
- (peerIDLen == 0)) {
- return paramErr;
- }
- if(sslIsSessionActive(ctx)) {
- /* can't do this with an active session */
- return badReqErr;
- }
- SSLFreeBuffer(ctx->peerID, ctx);
- serr = SSLAllocBuffer(ctx->peerID, peerIDLen, ctx);
- if(serr) {
- return serr;
- }
- memmove(ctx->peerID.data, peerID, peerIDLen);
- return noErr;
-}
-
-OSStatus
-SSLGetPeerID (SSLContextRef ctx,
- const void **peerID,
- size_t *peerIDLen)
-{
- *peerID = ctx->peerID.data; // may be NULL
- *peerIDLen = ctx->peerID.length;
- return noErr;
-}
-
-OSStatus
-SSLGetNegotiatedCipher (SSLContextRef ctx,
- SSLCipherSuite *cipherSuite)
-{
- if(ctx == NULL) {
- return paramErr;
- }
- if(!sslIsSessionActive(ctx)) {
- return badReqErr;
- }
- *cipherSuite = (SSLCipherSuite)ctx->selectedCipher;
- return noErr;
-}
-
-/*
- * Add an acceptable distinguished name (client authentication only).
- */
-OSStatus
-SSLAddDistinguishedName(
- SSLContextRef ctx,
- const void *derDN,
- size_t derDNLen)
-{
- DNListElem *dn;
- OSStatus err;
-
- dn = (DNListElem *)sslMalloc(sizeof(DNListElem));
- if(dn == NULL) {
- return memFullErr;
- }
- if ((err = SSLAllocBuffer(dn->derDN, derDNLen, ctx)) != 0)
- return err;
- memcpy(dn->derDN.data, derDN, derDNLen);
- dn->next = ctx->acceptableDNList;
- ctx->acceptableDNList = dn;
- return noErr;
-}
-
-/*
- * Request peer certificates. Valid anytime, subsequent to
- * a handshake attempt.
- */
-OSStatus
-SSLGetPeerCertificates (SSLContextRef ctx,
- CFArrayRef *certs)
-{
- uint32 numCerts;
- CFMutableArrayRef ca;
- CFIndex i;
- SecCertificateRef cfd;
- OSStatus ortn;
- CSSM_DATA certData;
- SSLCertificate *scert;
-
- if(ctx == NULL) {
- return paramErr;
- }
- *certs = NULL;
-
- /*
- * Copy peerCert, a chain of SSLCertificates, to a CFArray of
- * CFDataRefs, each of which is one DER-encoded cert.
- */
- numCerts = SSLGetCertificateChainLength(ctx->peerCert);
- if(numCerts == 0) {
- return noErr;
- }
- ca = CFArrayCreateMutable(kCFAllocatorDefault,
- (CFIndex)numCerts, &kCFTypeArrayCallBacks);
- if(ca == NULL) {
- return memFullErr;
- }
-
- /*
- * Caller gets leaf cert first, the opposite of the way we store them.
- */
- scert = ctx->peerCert;
- for(i=0; (unsigned)i<numCerts; i++) {
- assert(scert != NULL); /* else SSLGetCertificateChainLength
- * broken */
- SSLBUF_TO_CSSM(&scert->derCert, &certData);
- ortn = SecCertificateCreateFromData(&certData,
- CSSM_CERT_X_509v3,
- CSSM_CERT_ENCODING_DER,
- &cfd);
- if(ortn) {
- CFRelease(ca);
- return ortn;
- }
- /* insert at head of array */
- CFArrayInsertValueAtIndex(ca, 0, cfd);
- scert = scert->next;
- }
- *certs = ca;
- return noErr;
-}
-
-/*
- * Specify Diffie-Hellman parameters. Optional; if we are configured to allow
- * for D-H ciphers and a D-H cipher is negotiated, and this function has not
- * been called, a set of process-wide parameters will be calculated. However
- * that can take a long time (30 seconds).
- */
-OSStatus SSLSetDiffieHellmanParams(
- SSLContextRef ctx,
- const void *dhParams,
- size_t dhParamsLen)
-{
- if(ctx == NULL) {
- return paramErr;
- }
- if(sslIsSessionActive(ctx)) {
- return badReqErr;
- }
- SSLFreeBuffer(ctx->dhParamsPrime, ctx);
- SSLFreeBuffer(ctx->dhParamsGenerator, ctx);
- SSLFreeBuffer(ctx->dhParamsEncoded, ctx);
-
- OSStatus ortn;
- ortn = SSLCopyBufferFromData(dhParams, dhParamsLen,
- ctx->dhParamsEncoded);
- if(ortn) {
- return ortn;
- }
-
- /* decode for use by server over the wire */
- SSLBuffer sParams;
- sParams.data = (UInt8 *)dhParams;
- sParams.length = dhParamsLen;
- return sslDecodeDhParams(&sParams, &ctx->dhParamsPrime,
- &ctx->dhParamsGenerator);
-}
-
-/*
- * Return parameter block specified in SSLSetDiffieHellmanParams.
- * Returned data is not copied and belongs to the SSLContextRef.
- */
-OSStatus SSLGetDiffieHellmanParams(
- SSLContextRef ctx,
- const void **dhParams,
- size_t *dhParamsLen)
-{
- if(ctx == NULL) {
- return paramErr;
- }
- *dhParams = ctx->dhParamsEncoded.data;
- *dhParamsLen = ctx->dhParamsEncoded.length;
- return noErr;
-}
-
-OSStatus SSLSetRsaBlinding(
- SSLContextRef ctx,
- Boolean blinding)
-{
- if(ctx == NULL) {
- return paramErr;
- }
- ctx->rsaBlindingEnable = blinding;
- return noErr;
-}
-
-OSStatus SSLGetRsaBlinding(
- SSLContextRef ctx,
- Boolean *blinding)
-{
- if(ctx == NULL) {
- return paramErr;
- }
- *blinding = ctx->rsaBlindingEnable;
- return noErr;
-}
-
-OSStatus SSLGetPeerSecTrust(
- SSLContextRef ctx,
- SecTrustRef *secTrust) /* RETURNED */
-{
- if(ctx == NULL) {
- return paramErr;
- }
- *secTrust = ctx->peerSecTrust;
- return noErr;
-}
-
-OSStatus SSLInternalMasterSecret(
- SSLContextRef ctx,
- void *secret, // mallocd by caller, SSL_MASTER_SECRET_SIZE
- size_t *secretSize) // in/out
-{
- if((ctx == NULL) || (secret == NULL) || (secretSize == NULL)) {
- return paramErr;
- }
- if(*secretSize < SSL_MASTER_SECRET_SIZE) {
- return paramErr;
- }
- memmove(secret, ctx->masterSecret, SSL_MASTER_SECRET_SIZE);
- *secretSize = SSL_MASTER_SECRET_SIZE;
- return noErr;
-}
-
-OSStatus SSLInternalServerRandom(
- SSLContextRef ctx,
- void *rand, // mallocd by caller, SSL_CLIENT_SRVR_RAND_SIZE
- size_t *randSize) // in/out
-{
- if((ctx == NULL) || (rand == NULL) || (randSize == NULL)) {
- return paramErr;
- }
- if(*randSize < SSL_CLIENT_SRVR_RAND_SIZE) {
- return paramErr;
- }
- memmove(rand, ctx->serverRandom, SSL_CLIENT_SRVR_RAND_SIZE);
- *randSize = SSL_CLIENT_SRVR_RAND_SIZE;
- return noErr;
-}
-
-OSStatus SSLInternalClientRandom(
- SSLContextRef ctx,
- void *rand, // mallocd by caller, SSL_CLIENT_SRVR_RAND_SIZE
- size_t *randSize) // in/out
-{
- if((ctx == NULL) || (rand == NULL) || (randSize == NULL)) {
- return paramErr;
- }
- if(*randSize < SSL_CLIENT_SRVR_RAND_SIZE) {
- return paramErr;
- }
- memmove(rand, ctx->clientRandom, SSL_CLIENT_SRVR_RAND_SIZE);
- *randSize = SSL_CLIENT_SRVR_RAND_SIZE;
- return noErr;
-}
-
-OSStatus
-SSLGetResumableSessionInfo(
- SSLContextRef ctx,
- Boolean *sessionWasResumed, // RETURNED
- void *sessionID, // RETURNED, mallocd by caller
- size_t *sessionIDLength) // IN/OUT
-{
- if((ctx == NULL) || (sessionWasResumed == NULL) ||
- (sessionID == NULL) || (sessionIDLength == NULL) ||
- (*sessionIDLength < MAX_SESSION_ID_LENGTH)) {
- return paramErr;
- }
- if(ctx->sessionMatch) {
- assert(ctx->sessionID.data != NULL);
- *sessionWasResumed = true;
- if(ctx->sessionID.length > *sessionIDLength) {
- /* really should never happen - means ID > 32 */
- return paramErr;
- }
- memmove(sessionID, ctx->sessionID.data, ctx->sessionID.length);
- *sessionIDLength = ctx->sessionID.length;
- }
- else {
- *sessionWasResumed = false;
- *sessionIDLength = 0;
- }
- return noErr;
-}
-
-
projects / apple / security.git / blobdiff