1/* 2 * Copyright (c) 1999-2001,2005-2012 Apple Inc. All Rights Reserved. 3 * 4 * @APPLE_LICENSE_HEADER_START@ 5 * 6 * This file contains Original Code and/or Modifications of Original Code 7 * as defined in and that are subject to the Apple Public Source License 8 * Version 2.0 (the 'License'). You may not use this file except in 9 * compliance with the License. Please obtain a copy of the License at 10 * http://www.opensource.apple.com/apsl/ and read it before using this 11 * file. 12 * 13 * The Original Code and all software distributed under the License are 14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER 15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, 16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, 17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. 18 * Please see the License for the specific language governing rights and 19 * limitations under the License. 20 * 21 * @APPLE_LICENSE_HEADER_END@ 22 */ 23 24/* 25 * sslTransport.c - SSL transport layer 26 */ 27 28#include "ssl.h" 29#include "sslMemory.h" 30#include "sslContext.h" 31#include "sslRecord.h" 32#include "sslAlertMessage.h" 33#include "sslSession.h" 34#include "sslDebug.h" 35#include "sslCipherSpecs.h" 36#include "sslUtils.h" 37 38#include <assert.h> 39#include <string.h> 40 41#include <utilities/SecIOFormat.h> 42 43#ifndef NDEBUG 44static inline void sslIoTrace( 45 const char *op, 46 size_t req, 47 size_t moved, 48 OSStatus stat) 49{ 50 sslLogRecordIo("===%s: req %4lu moved %4lu status %d", 51 op, req, moved, (int)stat); 52} 53#else 54#define sslIoTrace(op, req, moved, stat) 55#endif /* NDEBUG */ 56 57extern int kSplitDefaultValue; 58 59static OSStatus SSLProcessProtocolMessage(SSLRecord *rec, SSLContext *ctx); 60static OSStatus SSLHandshakeProceed(SSLContext *ctx); 61static OSStatus SSLInitConnection(SSLContext *ctx); 62 63static Boolean isFalseStartAllowed(SSLContext *ctx) 64{ 65 SSL_CipherAlgorithm c=sslCipherSuiteGetSymmetricCipherAlgorithm(ctx->selectedCipher); 66 KeyExchangeMethod kem=sslCipherSuiteGetKeyExchangeMethod(ctx->selectedCipher); 67 68 69 /* Whitelisting allowed ciphers, kem and client auth type */ 70 return 71 ( 72 (c==SSL_CipherAlgorithmAES_128_CBC) || 73 (c==SSL_CipherAlgorithmAES_128_GCM) || 74 (c==SSL_CipherAlgorithmAES_256_CBC) || 75 (c==SSL_CipherAlgorithmAES_256_GCM) || 76 (c==SSL_CipherAlgorithmRC4_128) 77 ) && ( 78 (kem==SSL_ECDHE_ECDSA) || 79 (kem==SSL_ECDHE_RSA) || 80 (kem==SSL_DHE_RSA) || 81 (kem==SSL_DHE_DSS) 82 ) && ( 83 (ctx->negAuthType==SSLClientAuthNone) || 84 (ctx->negAuthType==SSLClientAuth_DSSSign) || 85 (ctx->negAuthType==SSLClientAuth_RSASign) || 86 (ctx->negAuthType==SSLClientAuth_ECDSASign) 87 ); 88} 89 90 91OSStatus 92SSLWrite( 93 SSLContext *ctx, 94 const void * data, 95 size_t dataLength, 96 size_t *bytesWritten) /* RETURNED */ 97{ 98 OSStatus err; 99 SSLRecord rec; 100 size_t dataLen, processed; 101 Boolean split; 102 103 sslLogRecordIo("SSLWrite top"); 104 if((ctx == NULL) || (bytesWritten == NULL)) { 105 return errSecParam; 106 } 107 dataLen = dataLength; 108 processed = 0; /* Initialize in case we return with errSSLWouldBlock */ 109 *bytesWritten = 0; 110 111 switch(ctx->state) { 112 case SSL_HdskStateGracefulClose: 113 err = errSSLClosedGraceful; 114 goto abort; 115 case SSL_HdskStateErrorClose: 116 err = errSSLClosedAbort; 117 goto abort; 118 case SSL_HdskStateServerReady: 119 case SSL_HdskStateClientReady: 120 break; 121 default: 122 if(ctx->state < SSL_HdskStateServerHello) { 123 /* not ready for I/O, and handshake not in progress */ 124 sslIoTrace("SSLWrite", dataLength, 0, errSecBadReq); 125 return errSecBadReq; 126 } 127 /* handshake in progress; will call SSLHandshakeProceed below */ 128 break; 129 } 130 131 /* First, we have to wait until the session is ready to send data, 132 so the encryption keys and such have been established. */ 133 err = errSecSuccess; 134 while (!( 135 (ctx->state==SSL_HdskStateServerReady) || 136 (ctx->state==SSL_HdskStateClientReady) || 137 (ctx->writeCipher_ready && ctx->falseStartEnabled && isFalseStartAllowed(ctx)) 138 )) 139 { if ((err = SSLHandshakeProceed(ctx)) != 0) 140 goto exit; 141 } 142 143 /* Attempt to empty the write queue before queueing more data */ 144 if ((err = SSLServiceWriteQueue(ctx)) != 0) 145 goto abort; 146 147 /* Check if we should split the data into 1/n-1 to avoid known-IV issue */ 148 split = (ctx->oneByteRecordEnable && ctx->negProtocolVersion <= TLS_Version_1_0); 149 if (split) { 150 /* Only split if cipher algorithm uses CBC mode */ 151 SSL_CipherAlgorithm cipherAlg = sslCipherSuiteGetSymmetricCipherAlgorithm(ctx->selectedCipher); 152 split = (cipherAlg > SSL_CipherAlgorithmRC4_128 && 153 cipherAlg < SSL_CipherAlgorithmAES_128_GCM); 154 if (split) { 155 /* Determine whether we start splitting on second write */ 156 split = (kSplitDefaultValue == 2 && !ctx->wroteAppData) ? false : true; 157 } 158 } 159 processed = 0; 160 161 /* 162 * Fragment, package and encrypt the data and queue the resulting data 163 * for sending 164 */ 165 while (dataLen > 0) 166 { rec.contentType = SSL_RecordTypeAppData; 167 rec.protocolVersion = ctx->negProtocolVersion; 168 rec.contents.data = ((uint8_t *)data) + processed; 169 170 if (processed == 0 && split) 171 rec.contents.length = 1; 172 else if (dataLen < MAX_RECORD_LENGTH) 173 rec.contents.length = dataLen; 174 else 175 rec.contents.length = MAX_RECORD_LENGTH; 176 177 if ((err = SSLWriteRecord(rec, ctx)) != 0) 178 goto exit; 179 processed += rec.contents.length; 180 dataLen -= rec.contents.length; 181 ctx->wroteAppData = 1; 182 } 183 184 /* All the data has been advanced to the write queue */ 185 *bytesWritten = processed; 186 if ((err = SSLServiceWriteQueue(ctx)) == 0) { 187 err = errSecSuccess; 188 } 189exit: 190 switch(err) { 191 case errSecSuccess: 192 case errSSLWouldBlock: 193 case errSSLUnexpectedRecord: 194 case errSSLServerAuthCompleted: /* == errSSLClientAuthCompleted */ 195 case errSSLClientCertRequested: 196 case errSSLClosedGraceful: 197 break; 198 default: 199 sslErrorLog("SSLWrite: going to state errorClose due to err %d\n", 200 (int)err); 201 SSLChangeHdskState(ctx, SSL_HdskStateErrorClose); 202 break; 203 } 204abort: 205 sslIoTrace("SSLWrite", dataLength, *bytesWritten, err); 206 return err; 207} 208 209OSStatus 210SSLRead ( 211 SSLContext *ctx, 212 void * data, 213 size_t dataLength, 214 size_t *processed) /* RETURNED */ 215{ 216 OSStatus err; 217 uint8_t *charPtr; 218 size_t bufSize, remaining, count; 219 SSLRecord rec; 220 221 sslLogRecordIo("SSLRead top"); 222 if((ctx == NULL) || (data == NULL) || (processed == NULL)) { 223 return errSecParam; 224 } 225 bufSize = dataLength; 226 *processed = 0; /* Initialize in case we return with errSSLWouldBlock */ 227 228readRetry: 229 /* first handle cases in which we know we're finished */ 230 switch(ctx->state) { 231 case SSL_HdskStateGracefulClose: 232 err = errSSLClosedGraceful; 233 goto abort; 234 case SSL_HdskStateErrorClose: 235 err = errSSLClosedAbort; 236 goto abort; 237 case SSL_HdskStateNoNotifyClose: 238 err = errSSLClosedNoNotify; 239 goto abort; 240 default: 241 break; 242 } 243 244 /* First, we have to wait until the session is ready to receive data, 245 so the encryption keys and such have been established. */ 246 err = errSecSuccess; 247 while (ctx->readCipher_ready == 0) { 248 if ((err = SSLHandshakeProceed(ctx)) != 0) { 249 goto exit; 250 } 251 } 252 253 /* Attempt to service the write queue */ 254 if ((err = SSLServiceWriteQueue(ctx)) != 0) { 255 if (err != errSSLWouldBlock) { 256 goto exit; 257 } 258 err = errSecSuccess; /* Write blocking shouldn't stop attempts to read */ 259 } 260 261 remaining = bufSize; 262 charPtr = (uint8_t *)data; 263 if (ctx->receivedDataBuffer.data) 264 { count = ctx->receivedDataBuffer.length - ctx->receivedDataPos; 265 if (count > bufSize) 266 count = bufSize; 267 memcpy(data, ctx->receivedDataBuffer.data + ctx->receivedDataPos, count); 268 remaining -= count; 269 charPtr += count; 270 *processed += count; 271 ctx->receivedDataPos += count; 272 } 273 274 assert(ctx->receivedDataPos <= ctx->receivedDataBuffer.length); 275 assert(*processed + remaining == bufSize); 276 assert(charPtr == ((uint8_t *)data) + *processed); 277 278 if (ctx->receivedDataBuffer.data != 0 && 279 ctx->receivedDataPos >= ctx->receivedDataBuffer.length) 280 { SSLFreeBuffer(&ctx->receivedDataBuffer); 281 ctx->receivedDataBuffer.data = 0; 282 ctx->receivedDataPos = 0; 283 } 284 285 /* 286 * This while statement causes a hang when using nonblocking low-level I/O! 287 while (remaining > 0 && ctx->state != SSL_HdskStateGracefulClose) 288 ..what we really have to do is just return as soon as we read one 289 record. A performance hit in the nonblocking case, but that is 290 the only way this code can work in both modes... 291 */ 292 if (remaining > 0 && ctx->state != SSL_HdskStateGracefulClose) 293 { assert(ctx->receivedDataBuffer.data == 0); 294 if ((err = SSLReadRecord(&rec, ctx)) != 0) { 295 goto exit; 296 } 297 if (rec.contentType == SSL_RecordTypeAppData || 298 rec.contentType == SSL_RecordTypeV2_0) 299 { if (rec.contents.length <= remaining) 300 { memcpy(charPtr, rec.contents.data, rec.contents.length); 301 remaining -= rec.contents.length; 302 charPtr += rec.contents.length; 303 *processed += rec.contents.length; 304 { 305 if ((err = SSLFreeRecord(rec, ctx))) { 306 goto exit; 307 } 308 } 309 } 310 else 311 { memcpy(charPtr, rec.contents.data, remaining); 312 charPtr += remaining; 313 *processed += remaining; 314 ctx->receivedDataBuffer = rec.contents; 315 ctx->receivedDataPos = remaining; 316 remaining = 0; 317 } 318 } 319 else { 320 if ((err = SSLProcessProtocolMessage(&rec, ctx)) != 0) { 321 goto exit; 322 } 323 if ((err = SSLFreeRecord(rec, ctx))) { 324 goto exit; 325 } 326 } 327 } 328 329 err = errSecSuccess; 330 331exit: 332 /* test for renegotiate: loop until something useful happens */ 333 if(((err == errSecSuccess) && (*processed == 0) && dataLength) || (err == errSSLUnexpectedRecord)) { 334 sslLogNegotiateDebug("SSLRead recursion"); 335 goto readRetry; 336 } 337 /* shut down on serious errors */ 338 switch(err) { 339 case errSecSuccess: 340 case errSSLWouldBlock: 341 case errSSLUnexpectedRecord: 342 case errSSLServerAuthCompleted: /* == errSSLClientAuthCompleted */ 343 case errSSLClientCertRequested: 344 case errSSLClosedGraceful: 345 case errSSLClosedNoNotify: 346 break; 347 default: 348 sslErrorLog("SSLRead: going to state errorClose due to err %d\n", 349 (int)err); 350 SSLChangeHdskState(ctx, SSL_HdskStateErrorClose); 351 break; 352 } 353abort: 354 sslIoTrace("SSLRead ", dataLength, *processed, err); 355 return err; 356} 357 358#if SSL_DEBUG 359#include "sslCrypto.h" 360#endif 361 362OSStatus 363SSLHandshake(SSLContext *ctx) 364{ 365 OSStatus err; 366 367 if(ctx == NULL) { 368 return errSecParam; 369 } 370 if (ctx->state == SSL_HdskStateGracefulClose) 371 return errSSLClosedGraceful; 372 if (ctx->state == SSL_HdskStateErrorClose) 373 return errSSLClosedAbort; 374 375 #if SSL_ECDSA_HACK 376 /* Because of Radar 6133465, we have to disable this to allow the sending 377 of client hello extensions for ECDSA... */ 378 ctx->versionSsl2Enable = false; 379 #endif 380 381 if(ctx->validCipherSuites == NULL) { 382 /* build list of legal cipherSpecs */ 383 err = sslBuildCipherSuiteArray(ctx); 384 if(err) { 385 return err; 386 } 387 } 388 err = errSecSuccess; 389 390 if(ctx->isDTLS) { 391 if (ctx->timeout_deadline<CFAbsoluteTimeGetCurrent()) { 392 DTLSRetransmit(ctx); 393 } 394 } 395 396 while (ctx->readCipher_ready == 0 || ctx->writeCipher_ready == 0) 397 { 398 err = SSLHandshakeProceed(ctx); 399 if((err != 0) && (err != errSSLUnexpectedRecord)) 400 return err; 401 } 402 403 /* one more flush at completion of successful handshake */ 404 if ((err = SSLServiceWriteQueue(ctx)) != 0) { 405 return err; 406 } 407 408 return errSecSuccess; 409} 410 411 412static OSStatus 413SSLHandshakeProceed(SSLContext *ctx) 414{ OSStatus err; 415 SSLRecord rec; 416 417 if (ctx->signalServerAuth) { 418 ctx->signalServerAuth = false; 419 return errSSLServerAuthCompleted; 420 } 421 if (ctx->signalCertRequest) { 422 ctx->signalCertRequest = false; 423 return errSSLClientCertRequested; 424 } 425 if (ctx->signalClientAuth) { 426 ctx->signalClientAuth = false; 427 return errSSLClientAuthCompleted; 428 } 429 430 if (ctx->state == SSL_HdskStateUninit) 431 if ((err = SSLInitConnection(ctx)) != 0) 432 return err; 433 434 /* This is our cue that we dropped out of the handshake 435 * to let the client pick an identity, move state back 436 * to server hello done and continue processing. 437 */ 438 if ((ctx->protocolSide == kSSLClientSide) && 439 (ctx->state == SSL_HdskStateClientCert)) 440 if ((err = SSLAdvanceHandshake(SSL_HdskServerHelloDone, ctx)) != 0) 441 return err; 442 443 if ((err = SSLServiceWriteQueue(ctx)) != 0) 444 return err; 445 446 assert(ctx->readCipher_ready == 0); 447 if ((err = SSLReadRecord(&rec, ctx)) != 0) 448 return err; 449 if ((err = SSLProcessProtocolMessage(&rec, ctx)) != 0) 450 { 451 SSLFreeRecord(rec, ctx); 452 return err; 453 } 454 if ((err = SSLFreeRecord(rec, ctx))) 455 return err; 456 457 return errSecSuccess; 458} 459 460static OSStatus 461SSLInitConnection(SSLContext *ctx) 462{ OSStatus err = errSecSuccess; 463 464 if (ctx->protocolSide == kSSLClientSide) { 465 SSLChangeHdskState(ctx, SSL_HdskStateClientUninit); 466 } 467 else 468 { assert(ctx->protocolSide == kSSLServerSide); 469 SSLChangeHdskState(ctx, SSL_HdskStateServerUninit); 470 } 471 472 if (ctx->peerID.data != 0) 473 { SSLGetSessionData(&ctx->resumableSession, ctx); 474 /* Ignore errors; just treat as uncached session */ 475 } 476 477 /* 478 * If we have a cached resumable session, blow it off if it's a version 479 * which is not currently enabled. 480 */ 481 Boolean cachedV3OrTls1 = ctx->isDTLS; 482 483 if (ctx->resumableSession.data != 0) { 484 SSLProtocolVersion savedVersion; 485 if ((err = SSLRetrieveSessionProtocolVersion(ctx->resumableSession, 486 &savedVersion, ctx)) != 0) 487 return err; 488 489 if (ctx->isDTLS 490 ? (savedVersion <= ctx->minProtocolVersion && 491 savedVersion >= ctx->maxProtocolVersion) 492 : (savedVersion >= ctx->minProtocolVersion && 493 savedVersion <= ctx->maxProtocolVersion)) { 494 cachedV3OrTls1 = savedVersion != SSL_Version_2_0; 495 sslLogResumSessDebug("===attempting to resume session"); 496 } else { 497 sslLogResumSessDebug("===Resumable session protocol mismatch"); 498 SSLFreeBuffer(&ctx->resumableSession); 499 } 500 } 501 502 /* 503 * If we're the client & handshake hasn't yet begun, start it by 504 * pretending we just received a hello request 505 */ 506 if (ctx->state == SSL_HdskStateClientUninit && ctx->writeCipher_ready == 0) 507 { 508 assert(ctx->negProtocolVersion == SSL_Version_Undetermined); 509#if ENABLE_SSLV2 510 if(!cachedV3OrTls1) { 511 /* SSL2 client hello with possible upgrade */ 512 err = SSL2AdvanceHandshake(SSL2_MsgKickstart, ctx); 513 } 514 else 515#endif 516 { 517 err = SSLAdvanceHandshake(SSL_HdskHelloRequest, ctx); 518 } 519 } 520 521 return err; 522} 523 524 525static OSStatus 526SSLProcessProtocolMessage(SSLRecord *rec, SSLContext *ctx) 527{ OSStatus err; 528 529 switch (rec->contentType) 530 { case SSL_RecordTypeHandshake: 531 sslLogRxProtocolDebug("Handshake"); 532 if(ctx->isDTLS) 533 err = DTLSProcessHandshakeRecord(*rec, ctx); 534 else 535 err = SSLProcessHandshakeRecord(*rec, ctx); 536 break; 537 case SSL_RecordTypeAlert: 538 sslLogRxProtocolDebug("Alert"); 539 err = SSLProcessAlert(*rec, ctx); 540 break; 541 case SSL_RecordTypeChangeCipher: 542 sslLogRxProtocolDebug("ChangeCipher"); 543 err = SSLProcessChangeCipherSpec(*rec, ctx); 544 break; 545#if ENABLE_SSLV2 546 case SSL_RecordTypeV2_0: 547 sslLogRxProtocolDebug("RecordTypeV2_0"); 548 err = SSL2ProcessMessage(rec, ctx); 549 break; 550#endif 551 default: 552 sslLogRxProtocolDebug("Bad msg"); 553 return errSSLProtocol; 554 } 555 556 return err; 557} 558 559OSStatus 560SSLClose(SSLContext *ctx) 561{ 562 OSStatus err = errSecSuccess; 563 564 sslHdskStateDebug("SSLClose"); 565 if(ctx == NULL) { 566 return errSecParam; 567 } 568 if (ctx->negProtocolVersion >= SSL_Version_3_0) 569 err = SSLSendAlert(SSL_AlertLevelWarning, SSL_AlertCloseNotify, ctx); 570 571 if (err == 0) 572 err = SSLServiceWriteQueue(ctx); 573 574 SSLChangeHdskState(ctx, SSL_HdskStateGracefulClose); 575 if (err == errSecIO) 576 err = errSecSuccess; /* Ignore errors related to closed streams */ 577 return err; 578} 579 580/* 581 * Determine how much data the client can be guaranteed to 582 * obtain via SSLRead() without blocking or causing any low-level 583 * read operations to occur. 584 * 585 * Implemented here because the relevant info in SSLContext (receivedDataBuffer 586 * and receivedDataPos) are only used in this file. 587 */ 588OSStatus 589SSLGetBufferedReadSize(SSLContextRef ctx, 590 size_t *bufSize) /* RETURNED */ 591{ 592 if(ctx == NULL) { 593 return errSecParam; 594 } 595 if(ctx->receivedDataBuffer.data == NULL) { 596 *bufSize = 0; 597 } 598 else { 599 assert(ctx->receivedDataBuffer.length >= ctx->receivedDataPos); 600 *bufSize = ctx->receivedDataBuffer.length - ctx->receivedDataPos; 601 } 602 return errSecSuccess; 603} 604